Since the GDPR came into force in May 2018, organisations of all sizes have been grappling with the principle-based regulation. Some larger organisations, benefiting from greater resources, were able to apply their legal and technological capabilities to prepare for the go-live date from when the legislation was first published in May 2016. Initially, the Supervisory Authorities believed that the lead-in time of 24 months would be sufficient for organisations to prepare for the new compliance regime, but in reality, this was somewhat optimistic. Even those organisations for which resources were not an issue struggled to get to grips with interpreting the requirements and translating principles into new or revised processes and procedures. In many cases, legacy systems were simply unable to adapt.
The STAR II project aims to tackle the lack of awareness by creating several awareness-raising tools and campaigns targeting SMEs throughout Europe and overseas. Within this context, Trilateral has looked into the experiences of small and medium enterprises (SMEs) with the GDPR and the results of this study have been outlined in a public report and are summarised in this article.
Challenges for SMEs
For SMEs the challenges were greater still. A change of culture and values emerged as an initial challenge for many. SMEs that had previously existed outside any meaningful compliance regime other than tax and finance now faced a new level of accountability to the public and to national Supervisory Authorities under the GDPR.
Where before there may have been a nod in the direction of data protection, primarily in terms of IT security, now there existed significant potential fines which could be imposed on organisations and individuals. Organisations have had to change the way they viewed the personal data that was often taken for granted. No longer was it something they owned but rather curated on behalf of the real owners, the data subjects. It became necessary not only to be compliant during the whole life cycle of processing but also to be able to demonstrate that compliance is an important matter of course.
For those embracing the challenges posed by the new legislation, there was a matter of gaining access to practical expertise. Service providers offered advice and guidance but often with a very defined focus (e.g., legal, technological or business consultancy). However, effective data protection compliance measures require a broader cross-discipline approach. Even where SMEs decided to try to hire in these skills, there was, and remains, a significant shortage of trained and experienced individuals. For individuals who fit that profile, the demand for their skills has created a competitive market-place where salaries have soared.
Recruitment has been made more difficult by the lack of a licensing mechanism for suitably qualified individuals. This would enable employers to take a degree of comfort with regards to the suitability of a candidate’s education and experience as assessed by those working within the emerging specialist field.
When organisations have decided to up-skill existing staff, choosing appropriate training has also been a challenge. Supervisory Authorities have been slow to formally accredit any training programmes, and as a result, training providers offer courses ranging from online ones that last a few days to face-to-face postgraduate degrees. Choosing the appropriate course remains the third challenge.
Standardisation of approach
All these challenges exist in a context where GDPR and the various national laws and derogations are still slowly embedding. Interpretations from different jurisdictions continue to be formalised and, in some cases challenged by the national courts, including opinions from Supervisory Authorities themselves. Despite structures such as the European Data Protection Board charged with harmonising these national rulings, often it is the European Court of Justice that is required to have the final say. This mechanism, though highly valued, is often slow and in some cases overturns established wisdom. In other words, in many practical real-world scenarios practitioners are still experimenting and contributing to knowledge development.
In this slow-moving space, the judicial branch needs to wait for cases to be brought before them to agree on the “correct” implementation of the principles. This can lead to frustration among those accountable for protecting personal data.
In such an evolving compliance regime, the role of the Supervisory Authorities and their approach to promoting the rights of data subjects remain key in providing direction and some degree of certainty, especially to SMEs.
The Supervisory Authorities face similar challenges to all organisations. They are also looking for staff from the same limited talent pool. While politically independent, they operate within national regimes which have developed priorities and sensitivities that have emerged through their countries’ socio-political histories. In some cases, funding is also a real issue. While some Supervisory Authorities levy a registration charge, such as the ICO in the UK, others, for example, the Irish DPC, are wholly reliant on central government funds. As one commentator pointed out, the DPC’s annual budget is about the same as the National Greyhound Board which both received approximately 16 million Euros.
Reasons to be optimistic?
However, despite all these challenges, concerted efforts are underway to better serve the SME communities. The Maltese Supervisory Authority’s participation in the STAR II programme with their commitment to concisely answering questions has been a warmly welcomed.
The clarity provided by the CNIL in France on topics such as biometrics has provided both instructions on how the Regulations should be interpreted and legislation and registration processes for organisations established in France.
The 2019 ISO 27701 addendum to the widely adopted data security standard is the first credible standard against which organisations can begin to certify themselves and demonstrate their commitment to data protection. In Ireland, the reiterated commitment to information and support networks to be launched for Data Protection Officers is also to be warmly welcomed. The resources and thought leadership of the ICO in the UK has been invaluable and will be sorely missed if the UK finally extricates itself from the EU regulatory system.
In reality, it is still early days in terms of understanding the evolving implications of the GDPR regulatory environment. All organisations have work to do, none can claim full compliance as decisions in this space are still emerging. Supervisory Authorities will need to recognise that SMEs are more susceptible to the challenges faced by all organisations and have to do more with less. More timely and ready access to advice is undoubtedly needed, be that through voluntary audits, workshops, networks, bespoke query answering services or whatever creative solutions can be developed. Without such reliable supports, SMEs will be thrown back onto an immature and unregulated market place of commercial advisors, themselves struggling to keep abreast of the many developments in data protection.
Please do not hesitate to contact our team for more information on this research area.