Data protection and DSGVO – 5 stumbling blocks for SMEs

What problems can SMEs encounter with the GDPR requirements?

For small and medium-sized enterprises (SMEs), it is often difficult to meet the data protection requirements according to the GDPR.
Even with few resources for this topic, the data protection requirements apply to SMEs just as they do to larger companies, and so SMEs are not spared from audits by the data protection supervisory authorities. However, the need to act in a data protection-compliant manner should not only be seen in connection with possible fines and loss of reputation, but should also be used as a competitive advantage in view of the growing importance of data protection for end customers as well as in B2B business.

So what exactly are the data protection pitfalls for SMEs?

  • First and foremost, the company website including its privacy policy, which unfortunately often offers considerable potential for warning letters.
  • The documentation obligations that companies have under the GDPR should also not be disregarded.
  • If the processing of personal data is transferred to other companies or if a company itself acts as a processor, attention must be paid to the conclusion of order processing agreements that comply with data protection law.
  • An important topic is also documented data protection training for managers and employees.
  • Furthermore, the appointment of a data protection officer is often mandatory for companies.

Website and webshop

The website is the flagship of a company and unfortunately also holds a lot of potential for warnings under data protection law, be it due to missing or non-compliant cookie notices, non-existent consents of website users before the start of consent-relevant processing activities, a non-compliant integration of social media plug-ins or a faulty or incomplete data protection statement. Last summer, for example, a study by the Association of German Website Operators showed that serious data protection deficiencies exist on 40% of the websites of small and medium-sized enterprises.

Caution is advised with sample templates for data protection declarations! Standards, such as the description of data subjects’ rights, can usually be safely incorporated into one’s own data protection statement; however, information on the individual processing activities that exist in connection with the use and operation of the website and in which personal data are processed must be individually designed. The complexity of this information results from the requirements according to Art. 5 GDPR. For each processing activity, information is therefore required on the description and scope of the data processing, the legal basis, the purpose, the duration of storage and the possibilities for objection and removal.

In view of the fact that the respective processing activities of the website operators are often different and, in particular, deletion periods and the associated processes are regulated individually in the company, the use of blanket formulated templates is rather questionable from a data protection perspective. Examples include the use of various tracking and analysis tools, the integration of social media plug-ins, connections to Google Maps, Google reCAPTCHA, YouTube, etc., the existence of an online job application tool, the sending of newsletters or the operation of a webshop.

Particularly with regard to the details of a webshop, a number of things must be taken into account in terms of data protection law. For example, information on order processing, the user/customer account, payment transactions and, if applicable, creditworthiness checks must be provided.

Documentation requirements

Companies often ask themselves whether they are obliged to keep a register of processing activities. One quickly gets to Art. 30 (5) GDPR and reads that companies with fewer than 250 employees are to be excluded from this. But this is only “half the truth”, because the article goes on to say that the exclusion only applies to companies with fewer than 250 employees that only occasionally process personal data. However, “only occasional” processing is already ruled out by regular wage or salary payments, for example, and thus almost every company is required to maintain a register of processing activities.

The contents of this register are – in addition to the information describing the processing activity – the purpose, the legal basis of the data processing, the categories of personal data concerned as well as the data subjects, the recipients of the data as well as information on the transfer of the data to third parties, deletion periods and technical and organizational measures.

These contents of the register of processing activities thus result in further documentation obligations for companies, such as a deletion concept for personal data and the documentation of technical and organizational measures.

The documentation of data protection-compliant processes and workflows is also part of a company’s obligations to provide evidence. Among other things, it is necessary to ensure and document the protection of data subjects’ rights in terms of processes and, in this context, also to comply with the obligation to provide evidence of data subjects’ consent.

It is also important to have documents on role and authorization concepts, IT emergency plans, and obligations of employees to maintain data privacy confidentiality.

Order processing agreements

If service providers are commissioned with the processing of personal data, or if a company takes over the processing of personal data of another company on its instructions, it is mandatory – according to Art. 28 (3) GDPR – to conclude an order processing agreement between the parties.

In this context, it must be ensured, among other things, that:

  • the contractor is bound by the instructions of the customer,
  • the use of subcontractors on the part of the principal is subject to approval,
  • the contractor is liable in the event of data protection violations by its subcontractor,
  • the customer nevertheless remains responsible for the processing of the personal data, and
  • the customer is obliged to ensure that the contractor’s processing of the data complies with data protection law.

Training of employees in data protection law

According to Art. 32 of the GDPR, the obligation to provide data protection training arises because the “appropriate technical and organizational measures” defined there would be difficult – or impossible – to implement without appropriate employee training and thus without the knowledge imparted.

Data Protection Officer

Under data protection law, a data protection officer must be appointed if the company generally has at least 20 employees processing personal data. Regardless of this number of employees, however, a data protection officer is also required as soon as a data protection impact assessment – pursuant to Art. 35 GDPR – is unavoidable.

Furthermore, a data protection officer must be appointed in the company if personal data are processed for the purpose of (anonymized) transmission, personal data are processed for market and opinion research, the core activity of the company consists of carrying out processing operations which require the monitoring of data subjects, or the core activity of the company consists of processing special categories of data (e.g. on health, religion).

Even though the data protection requirements are extensive, a study by bitkom from September 2020 shows that more than half of all companies surveyed have already fully or largely implemented the GDPR. On the other hand, if the growing importance of data protection is considered from the point of view of consumers as well as in B2B business, data protection-compliant action in the company is increasingly turning out to be a competitive advantage that should not be neglected in view of the current rapid increase in digitalization.

Author: Angela Clemenz, Managing Director, DACO Leipzig GmbH – Data Protection & Compliance

WHAT IS THE DIGITAL BREAKFAST? “Your digital knowledge shower - no matter where you are!” #LIVE-STREAM The offline events, held since 28 October 2015, were converted into online events in March 2020. The online events take place on Tuesdays and Fridays from 9:00 to 10:00 at 62 locations and consist of a 25-minute keynote on a digital topic, followed by discussion and exchange. #PODCAST The DIGITAL BREAKFAST PODCAST is dedicated every Monday, in an authentic way, to current topics around digitalization. For people who have something to say or want to learn something. Empowerment, inspiration, networking - that is what we stand for!