Get FREE 12-month access to the AI-Powered Knowledge Base worth $450
with your ISO 27001 toolkit purchase
Limited-time offer – ends June 27, 2024

GDPR challenges for small companies

Since the GDPR has become effective, compliance with its requirements has become a part of the daily routine for companies. To be sure, implementing the GDPR has been difficult for small businesses. At first, they adopted the GDPR as a set of rules to abide by. In this article, learn which GDPR challenges are considered to have more influence on small and medium-sized enterprises (SMEs). Also, read about the positive consequences that the GDPR brings to these businesses – primarily to learn about how to be compliant with the requirements that affect every company, even the smallest one, and secondly, for the purposes of business and reputation of the companies involved.

What SMEs are

First of all, we need to clarify what we mean when we talk about SMEs, in other words, companies that maintain turnover or number of employees below a certain level. According to the European Commission’s definition, these two parameters are represented by less than EUR 50 million in revenue and fewer than 250 employees hired.

Which kinds of data are SMEs usually responsible for?

The GDPR requires organisations, including SMEs, to be aware of what kinds of data they hold and record. The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. Therefore, this would include information such as name, identification number, location data, and so on.

First of all, we should consider SMEs’ data subjects, clearly identifiable primarily with employees, but also including suppliers, customers, and clients. Considering these data subjects, we could gather data regarding all of them, including:

  • Name, surname, address
  • Email(s) and phone number(s)
  • Bank account(s)

Things change if we consider other kinds of data, for example those concerning health or personal life (sex, components of family), possibly regarding only employees. Moreover, if we think about IP addresses, location data, sometimes device IDs, too, we could understand that this data concerns customers and clients subscribing to the company’s newsletter or visiting the company’s site in order for a good or a service to be purchased.

As we can see, SMEs handle many types of data, even the smaller-sized ones; this consideration implies challenges specifically directed to these organisations.

GDPR challenges for small companies - Advisera

A challenge for privacy

Being aware of data handled is just the first step for SMEs, which are then required to put great attention on the legal basis of the processing of all personal data. Where relying on consent, small and medium-sized companies first need to know as quickly as possible when this consent is obtained, even for existing customers.

Moreover, SMEs are required to guarantee to their data subjects the basic rights listed in the GDPR from article 15 to article 22; from a certain point of view, this implies that SMEs have to be sure that there are systems and processes implemented in order for these rights to be met within the lawful time set (one month).

In this context, it’s useful to remember what article 25 of the GDPR requires. According to it, data protection has to be considered implemented in systems, and processes implemented inside a company, just before the beginning of processing.

A challenge for security

Data must be kept safe, but there are various kinds of data, each with a different level of associated risk. Once they have identified the kind of data handled, even SMEs are required by the GDPR to evaluate which types of data processing could result in a high risk for individuals.

Even though they are not considered the ideal target for hackers, SMEs are actually part of a bigger supply chain, most of the time representing a way to get in touch with the “big players” acting at the top, to whom SMEs act as suppliers.

Learn more about the connection between the GDPR and security in the article Can the GDPR trigger better security in a company?

A challenge for governance

Especially for organisations like SMEs, dealing with data implies a new way to review internal and external management systems.

Implementing a system for the management of personal data, including what the company is expected to do in case of a data breach, means that there should be a policy shared by all staff informing them about procedures, data retention periods set by the company, and purposes of the data processing in place.

At the same time, governance is also a matter of nurturing the company’s relationships with third parties – suppliers in the first place: this could happen with IT services, where the customer (the company) is a controller and the IT service provider acts as a processor. The same kind of relationship could be the basis of the contract with a supplier in charge of the employee payroll. In both of these situations, the company is expected to require a contract where technical and organisational measures or standards are implemented to manage and keep data safe.

Learn more about the principles of corporate governance in this free white paper: Integration of Information Security, IT and Corporate Governance.

GDPR for small businesses: The most common challenges


Helpful GDPR elements for SMEs

Even though some elements of the GDPR are not mandatory for SMEs, they still provide useful goals for what these companies could achieve:

Records of processing activities. Even though this requirement is not mandatory for companies employing fewer than 250 persons (unless in circumstances in which data processing could result in a high risk), records of processing activities could represent the first step for SMEs to set and review the processing in place, to allocate responsibilities and to establish policies shared by all employees.

Appointing a Data Protection Officer (if necessary). It could happen that some SMEs’ core activities involve processing operations on a large scale or sensitive personal data. In this case, the GDPR suggests appointing a DPO, a figure independent of management and the team undertaking the processing (even if he or she could be a member of the company’s staff).

Data protection impact assessment. This is surely one of the most important tools that the GDPR suggests to organisations, no matter how big they are. The DPIA asks organisations to analyse every process, assess the necessity and proportionality of every process, and manage risks resulting from the processing of data.

GDPR for SMEs – more than a mere set of rules

Therefore, we could affirm that the GDPR is more than a set of rules that every organisation, even the smallest one, has to be compliant with. It is just more. It is a regulation that – along with setting requirements – also helps and recommends. Everything is in the aim of personal data to be protected.

To learn about all the steps in an EU GDPR implementation project, download this free Project checklist for EU GDPR implementation.

Advisera Francesca Lucarini

Francesca Lucarini

Francesca Lucarini is a cybersecurity advisor, ISO 27001 qualified auditor, and expert in communicating GDPR and information security themes, as well as the suggestion of tools to help people and companies increase their awareness of the risks that can occur with the use of technology.
Read more articles by Francesca Lucarini