The General Data Protection Regulation (GDPR) simplifies and harmonises privacy rules across the EU. Before it, each member state had its own data protection law, and the differences between them hindered the functioning of the internal market. The internal market is built on the free movement of goods, services, capital and people, and that does not work when rules as fundamental as these differ from country to country.
The penalties under the GDPR are much higher, but a single set of rules makes it easier for a company to understand its obligations. At the same time, individuals gain more rights and stronger safeguards for their data, which benefits everyone.
Why Do SMEs Need Help?
Large businesses usually have an easier time with legal issues. They can afford expensive outside counsel and often have legal departments of their own. Small companies do not have that luxury and are frequently hard-pressed to keep up with changes in legislation.
SMEs (small and medium-sized enterprises) are, under the EU definition, companies with fewer than 250 employees and an annual turnover not exceeding 50 million euros (or a balance sheet total not exceeding 43 million euros). Because compliance with the GDPR and other regulations takes real effort, the investment required could seriously disrupt their day-to-day operations.
That would in turn give multinational corporations an edge, since they are far less affected by changing regulations. The lawmakers recognised this and included some provisions intended to ease the burden on smaller businesses.
What Do SMEs Get?
SMEs are relieved of certain obligations that demand a lot of time and labour. Note, however, that SMEs must still comply fully with the rest of the GDPR. That part is non-negotiable: every organisation established in the EU that processes personal data is bound by the GDPR, and so is any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour.
SMEs are not required to appoint a data protection officer (DPO) unless their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions and offences. Public authorities must appoint one regardless of size. Even where a DPO is required, the role can be filled by an external service provider under contract or by a staff member on a part-time basis.
The most significant relief SMEs received concerns record-keeping. Organisations with fewer than 250 employees are exempt from keeping the detailed records of processing activities that Article 30 otherwise demands, but the exemption is narrow: it does not apply if the processing is likely to result in a risk to individuals' rights and freedoms, if the processing is not occasional, or if it involves special categories of data or data relating to criminal convictions. In practice, routine processing of customer or employee data is not "occasional", so most SMEs will still need to keep records for it. The special categories under the GDPR are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data concerning a person's sex life or sexual orientation. Financial data is not a special category, although its processing can still carry enough risk to require records.
These relaxed rules notwithstanding, never forget that the GDPR still applies to small companies. They must still keep personal data secure and protect it from breaches, using technical and organisational measures appropriate to the risk, such as encryption, pseudonymisation and other privacy-enhancing technologies. SMEs should also consider investing in data protection training, especially since there are few independent experts available to advise them.
Finally, even where it is not mandatory, appointing a DPO or an equivalent adviser is a sound idea: that person can identify and triage the most glaring issues, deal with those first, and proceed from there.
For more great tips and quality advice to help you prepare for the GDPR, visit us at GDPR Informer.