Data-protection authorities have been urged to be “instructive, rather than punitive” towards SMEs, following the introduction of the EU’s general data-protection regulation (GDPR) this week.
Chief executive of Isme, Neil McDonnell, said many small firms were still getting to grips with the requirements of GDPR. A survey from the Data Protection Commissioner’s (DPC) office showed a large number of firms still have gaps in their preparation.
The DPC survey, last month, showed SME awareness of GDPR was 90%, doubling the rate of last year. A similar number realised it would be implemented this Friday, May 25.
However, fewer than a third of leaders are able to name three changes in the data-protection law, compared to only 6% in 2017.
Just 44% know if their business will be required to appoint a data-protection officer within the organisation, even though two-thirds know the penalties associated with the GDPR.
With 4 days to go, we have a countdown of organisation’s top obligations under #GDPR. Make sure your organisation provides transparent info to individuals using plain and clear language #dataprotection #EUdataP pic.twitter.com/97LoMWgFYu — Data Protection Commission Ireland (@DPCIreland) May 21, 2018
Some 45% have carried out an assessment of all the personal data held in the organisation.
The GDPR was ratified in 2016, following four years of negotiation, replacing the existing directive on data protection.
Unlike an EU directive, which can be implemented over a certain time, the regulation becomes law as soon as it takes effect this Friday, meaning penalties can be imposed from day one.
The regulation is designed to harmonise data-privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU, but also to firms that do business inside member states.
If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
Mr McDonnell called for a bedding-in period for SMEs.
He said for most SMEs, implementing what was required for the GDPR should not be difficult, but needed to be taken seriously.
“It can be done at minimal cost, with simple measures taken. But it does need time and effort, implementing processes,” he said.