A new era for data protection
The General Data Protection Regulation (GDPR) marked a new era for the digital economy and the protection of personal data in the EU. The data privacy overhaul sought to respond to the privacy concerns presented by the digital age. What emerged was a robust regulation imposing extensive responsibilities on companies processing personal data (any information that relates to an identified or identifiable individual), including the collection of non-digital data.
Its adoption was followed by a two-year transition period to give companies time to prepare for the new rules. Yet that deadline was not sufficient for many businesses. Companies were still unaware of their obligations on the enforcement date, 25 May 2018. This is particularly worrisome, as companies that fail to comply with the law can be ordered to pay up to 20 million euros or 4% of their annual income, whichever is higher. Hence, some Data Protection Authorities, such as the French one, announced that they would apply a grace period before enforcing the law.
94% of micro enterprises admit they have not “fully implemented the GDPR”
Efforts to comply with the GDPR go beyond 25 May, as many businesses, especially micro businesses, are still, 6 months later, struggling to be compliant despite their attempts to follow the rules. A questionnaire conducted by the SMOOTH consortium in October shows that only 6% of the micro enterprises questioned reported having “fully implemented the GDPR”. Yet these same businesses requested help with and reassurance on their compliance.
Micro companies are the backbone of the EU’s economy and societal well-being, accounting for 93% of European enterprises in the non-financial sector. Yet, when it comes to matters of data privacy, the smallest businesses are particularly vulnerable and risk involuntarily failing to comply with the GDPR. Unlike public entities and larger private organisations, micro companies often have limited resources (time, finances and people) as well as limited data protection expertise, which makes their compliance efforts more arduous.
The owner is usually managing everything himself/herself
It is important to note that in most cases, micro enterprises are very eager to comply with the rules and regulations that govern their market. When a small business is non-compliant, it is often due to a lack of awareness and resources. In a small company, the owner is usually managing everything himself/herself. This is especially true for early-stage companies which do not yet have the resources to outsource work or hire staff to take care of the specific task, in this case: GDPR.
A micro company is often built on a dream or idea the owner had. He/she focuses on executing it to the best of his/her abilities. They often work far more than a regular work-week, as they deal with so many aspects of the business. In this light, these business owners often do not have the time to keep up to date with all rules and regulations.
Moreover, it is not always clear to them what they need to comply with. The law is often open to interpretation and written for an informed audience, which leaves small companies confused about their obligations. Alongside access to resources, knowledge and time, administrative burden is the number one obstacle for micro companies. Arguably, small companies are often overwhelmed by the piles of paperwork they are told to deliver. It is an enormous challenge for them to comply with the rules related to the GDPR whilst ensuring they do not get buried under paperwork, forms and privacy policies.
The market is flooded by self-acclaimed GDPR consultants
All of the above issues could be managed by hiring third-party service providers to guide businesses in compliance. However, apart from lacking the financial resources to hire these external consultants, small business owners are currently being flooded with service offers from newly self-acclaimed GDPR consultants, who do not necessarily have the right qualifications or track record.
The fact that a law is implemented does not automatically mean that small business owners are aware of it or understand it. The problem for micro businesses seems to be not one piece of legislation, but the cumulative effect of a plethora of rules that seem to change on a very regular basis. European micro enterprises need trustworthy and affordable people and tools to guide them through this tedious GDPR compliance process!