The GDPR is now effective and legally binding for all EU member states. And anyone who processes or requests personal data is going to have to deal with it. The GDPR does not differentiate according to size of company or type of operation, so the regulation applies to large and mid-sized companies, SMEs and self-employed sole traders. Nevertheless, there are several aspects of the regulation that do make allowances for SMEs. For example, they may be exempt from the requirement to maintain records of the processing methods they use.
Many SMEs have felt overwhelmed by the GDPR, for example in relation to the necessity of having a data protection officer. Whereas previously the need to appoint a data protection officer in the non-public sector depended on several factors, it is now, to put it simply, always prescribed if the processing of personal data is necessary for business operations, i.e. if it is part of the company's core activity, as in online retail. If, on the other hand, personal data is only generated in payroll processes, then there is probably no need to appoint a data protection officer. To meet the new requirements, smaller companies in particular are turning to external service providers to perform the role of the data protection officer. According to a survey by Bitkom, the Federal Association for Information Technology, around half of all companies in Germany were getting outside help with implementing the GDPR.
The requirements that a data protection officer has to satisfy have also changed: as well as expertise in the field of data protection law, they also need appropriate knowledge of data protection practice. The legislators therefore consider that both legal and technical knowledge is necessary.
However, companies that were late in dealing with the regulation often had hardly any chance of finding a data protection officer with free capacity, as these specialists have literally been booked out for months. As a result, some SMEs have had to deal with the GDPR more intensively than they would have liked.
However, they do not have to work it all out by themselves: the GDPR calls on associations and federations to draw up codes of conduct for SMEs, and some have already done so. The digital association Bitkom, for example, offers guidelines on data protection-compliant data processing on its website, as does the German Confederation of Skilled Crafts (Zentralverband des Handwerks). Assistance can also come from chambers of industry and commerce, such as the IHK Stuttgart, which has published a guide for small businesses and entrepreneurs.