SUMMARY

26 February 2021

Making the General Data Protection Regulation simple for Small and Medium-sized enterprises

Summary prepared by Lina Jasmontaite-Zaniewicz (VUB-LSTS) and Alessandra Calvi (VUB-LSTS)

On 3 September 2020, the STAR II consortium – composed of the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), Trilateral Research (TRI) and the Vrije Universiteit Brussel (VUB) –, in collaboration with the Brussels Privacy Hub, held a workshop titled "Making the General Data Protection Regulation (GDPR) simple for Small and Medium-sized Enterprises (SMEs)".

The workshop was designed to obtain feedback on two documents prepared by the STAR II consortium: 1) the (draft) Guidance for Data Protection Authorities (DPAs) on good practices to run hotlines for SMEs and 2) the (draft) Handbook on European data protection law for SMEs.

Hielke Hijmans (Belgian DPA) opened the event with a keynote emphasising the importance of the cooperation between academics and practitioners for a better understanding of EU data protection law. In contradiction with the title of the workshop, he noted that the General Data Protection Regulation 2016/679 (GDPR) is not simple at all and that SMEs (such as butcheries, bakeries, start-ups, etc.) still face difficulties to understand legal obligations they have to abide by under the GDPR. He pointed out that the global pandemic further intensified the need for SMEs to handle personal data on daily basis (e.g. to keep records of customers as prescribed by law), and therefore, now it is more important than ever that they understand legal requirements.

Then, Renáta Nagy (NAIH) presented the Guidance for DPAs. She recommended that DPAs planning an awareness-raising campaign first of all need to identify their target audience and define the objective of each awareness raising campaign. Following the presentation, DPA representatives Jelena Burnik (Slovenian DPA) and Basile Guley (French DPA) shared some comments on the document. It was noted that the Guidance, which builds on NAIHs experience, is well structured, consistent and with an accessible language that renders it suitable to quickly train new DPAs employees. It was suggested that knowledge bases, including questions and answers raised in hotlines, are made publicly available and accessible to SMEs. Luc Hendrickx (SMEUnited) further emphasised the need for DPAs to focus on awareness raising rather enforcement.

During the second session Alessandra Calvi (VUB, LSTS) presented the draft Handbook. She explained that the choice of the topics covered in the Handbook was based on the feedback gathered by the STAR II consortium in the interviews with representatives of DPAs, SMEs associations and SMEs, as well as from the queries received by the NAIH’s hotline dedicated to SMEs. Following the presentation Annika Linck (European DIGITAL SME Alliance), Jasmina Trajkovski (TP Consulting) and Pavlina Peneva (Belgian DPA, BOOST project) shared their comments. The panelists overall expressed their appreciation of the Handbook and considered it to be a useful tool for SMEs willing to better understand their obligations under the GDPR. A more detailed account of the comments and feedback is available in the workshop report.

Prof. Paul De Hert (VUB, LSTS) closed the event by noting that while enforcement actions could push companies to be more proactive in their GDPR compliance efforts, DPAs need to strike a good balance between their advisory and enforcement roles.

After the event, the STAR II consortium finalized two documents. They are available for download:

The GDPR made simple(r) for SMEs (Handbook) and

Guidance for Data Protection Authorities (DPAs) on good practices to run hotlines for SMEs.