We tried to understand why many companies have not yet implemented the measures needed to comply with the new European data protection regulation, which becomes enforceable on May 25. The impression we got from the answers of our interlocutors is that small companies, which make up a large share of the businesses in our area, feel "exempt" from compliance on account of their limited activity. This view is wrong: even small and very small companies that process personal data fall within the scope of the GDPR. What is more, and even more disconcerting for these small controllers, the GDPR does not set out mere bureaucratic requirements to be ticked off, but substantive obligations to be implemented. On other occasions we have indeed explained how adapting to the GDPR can involve a real change in business mentality, in a long-term perspective.

Let's be even clearer: all this talk of compliance should not scare off small business owners, who will have to implement a proportionally smaller set of measures than a large company (thank goodness!). It therefore makes sense for small business owners to follow the Know-Intervene-Maintain-Prove rule.

  • Know: be clear about the principles of the GDPR and about where the company (and its processing activities) stands with respect to the GDPR's requirements.
  • Intervene: implement the actions that are necessary in the company's own situation. A first and basic step is to bring the privacy policy into line with the principles of the new regulation and, not least, to give employees a minimum of training on the rules of the GDPR and on the company procedures adopted to comply with them.
  • Maintain: as mentioned earlier, the GDPR requires more than fulfilling bureaucratic burdens (drafting new documents, etc.); it requires actually protecting the data being processed. So, in addition to "preaching well," it will be necessary to "practise just as well": controllers will need to ensure that procedures are followed and that any new business development is designed from the outset in compliance with the GDPR. A simple example: our small business hires a new employee; whatever his or her job description, he or she must be made aware right away of the rules to be followed and of the tools for following them.
  • Prove: the controller (including the small one) must be able, whenever necessary, to document that the rules above have been followed and that other people's personal data are being processed in compliance with the new regulation.

Sara Avanzi