Guidelines for SMEs on the security of personal data processing


Publication date: January 27, 2017

ENISA undertook a study to support SMEs in adopting security measures for the protection of personal data, following a risk-based approach. In particular, the objectives of the study were to help SMEs understand the context of a personal data processing operation and subsequently assess the associated security risks.

In May 2015 the European Commission (EC) published its ‘Digital Single Market Strategy for Europe’, outlining 16 legislative and non-legislative initiatives designed to create a single market in digital goods and services across the European Union. As part of this Strategy, the Commission drew attention to the need to facilitate access to online markets, strengthen digital networks and boost the digital transformation of small- and medium-sized enterprises (SMEs), which represent 99% of all businesses in the EU. In order to also support the Single Market dimension of data protection, the EC proposed in 2012 a uniform set of rules to ensure a high level of data protection for individuals and to promote legal certainty and consistency for all businesses across the EU.

The General Data Protection Regulation (EU) 679/2016 (‘GDPR’) will be, as of 25 May 2018, the main data protection legal framework in the EU, directly applicable in all Member States and repealing the current Data Protection Directive 95/46/EC. Currently, businesses in the EU have to deal with 28 different data protection laws. This fragmentation is a costly administrative burden that makes it harder for many companies, particularly SMEs, to access new markets. The new rules are expected to bring benefits of an estimated €2.3 billion per year at a European level.

One of the core obligations in the GDPR for all businesses, including SMEs, acting either as data controllers or data processors, is the security of personal data. In particular, according to the GDPR, security equally covers confidentiality, integrity and availability and should be addressed following a risk-based approach: the higher the risk, the more rigorous the measures that the controller or the processor needs to take in order to manage it. Even though this risk-based approach is not a new concept, only a few specific privacy risk assessment frameworks have been presented, focusing principally on the evaluation of risks to personal data and the adoption of relevant security measures. While big companies have the means to respond to and appropriately implement these frameworks, SMEs do not always have the necessary expertise and resources to do so. Indeed, it is in many cases difficult for SMEs to comprehend the specificities of the risks associated with personal data processing, as well as to assess and manage these risks following a formal methodology. This can put the personal data processed by SMEs in harm’s way, while at the same time hindering SMEs’ compliance with their legal obligations under the GDPR.