A helping hand for microenterprises grappling with the GDPR
Dealing with the constraints brought by the GDPR is already difficult enough for SMEs, but what of their smallest-sized members, microenterprises? For these actors responsible respectively for 30 % and 21 % of employment and value added in the EU, getting in line can easily seem insurmountable. Lack of expertise and limited resources make them particularly vulnerable to the consequences of non-compliance, which is precisely what the SMOOTH (GDPR Compliance Cloud Platform for Micro Enterprises) project set out to help them avoid.
Rosa Araujo, project manager at Eurecat and SMOOTH coordinator, paints a bleak picture for the sector. “The fact that the GDPR applies to all types of companies, regardless of their size, is particularly problematic for microenterprises. Despite all their value and potential, they are often unaware of how the GDPR affects their business and can hardly afford professional guidance.”
Araujo knows this for a fact. A survey conducted with 100 microenterprises at the beginning of the project showed that only 18 % of respondents made use of informed consent forms when collecting personal data. As many as 76 % of them do not know whether they collect the so-called ‘special categories’ of data – which encompass the likes of race and ethnic origin, political opinions, health data and philosophical beliefs. Even more alarming is the fact that only 35 % of companies could attest to the fact that they applied basic security measures.
The real problem is that most local hairdressers, florists and mechanics have no digital background or legal knowledge related to the GDPR. So how do we solve that problem? “We have devised the SMOOTH platform to help those businesses,” Araujo says. “It’s an easy-to-use and inexpensive GDPR compliance assessment platform that provides guidance and recommendations to any sector of activity.”
Continuous improvements
The SMOOTH solution consists of three tools based on state-of-the-art research and technologies. SMOOTEXT analyses text documents related to the protection of personal data (cookie and privacy policy, informed consent form, etc.). SMOODATA automatically analyses businesses’ databases to identify the presence of personal data, the nature of this data and its compliance with the data minimisation principle. Finally, SMONLINE monitors data collection from cookies by third parties on websites and in mobile apps, and detects evidence of ad targeting. All results are collected in a compliance report and delivered to the user in a PDF document.
“Our ambition is to create an ecosystem that will become the reference solution in Europe in helping microenterprises comply with the GDPR. As it evolves, the platform may incorporate other modules created by SMOOTH partners or third parties that expand its functionalities. These could include, for example, country-specific requirements, modules for larger companies or specific industries, or additional legal frameworks. The ecosystem created would move towards an overall solution covering all aspects of GDPR compliance,” Araujo explains.
The SMOOTH platform is useful for National Data Protection Authorities, too. By using it, they can help their SMEs and other businesses to become GDPR-compliant, get statistical data about which types of enterprises are less compliant, and focus their efforts on helping these types of companies.
Beyond the platform, SMOOTH also developed a handbook and is actively promoting standardisation through a CEN Workshop Agreement (CWA). While the GDPR handbook provides guidance, examples, videos and links to external resources, the CWA will provide guidelines on key GDPR elements and principles to be taken into account, legal requirements, technical and organisational measures, and exemptions for low-risk processing.
Due for completion in January 2021, SMOOTH is now focusing on completing its second pilot of real-life scenarios with 60 companies providing feedback on the platform. This feedback will enable further improvements which Araujo hopes will help attract 500 microenterprises by the end of the year.
Keywords
SMOOTH, GDPR, compliance, microenterprises