Among the speeches at the GDPR conference held at the Politecnico University in Milan on 17/1 (see HERE for the full report), I found particularly enlightening the one by Sergio Fumagalli (Coordinator of Europrivacy), dedicated to the impact of the GDPR on SMEs. The reasoning was prompted by the need to contextualize the application of the regulation to the “real country”, which in Italy is made up of more than 4 million businesses, of which 90% have fewer than 9 employees and only 1% have more than 50 employees. A Data Protection suited only to large enterprises would therefore, at least in Italy, leave out almost all of the manufacturing base. And if anyone thinks this could not be a problem (after all, it has always been like that, and it is the same for other areas of compliance…), they must bear in mind that data security is not an issue that can be treated in watertight compartments; it works instead according to the communicating vessels model. The case history presented (the breach of the data of the large American retailer Target, carried out through an attack on one of its small regional suppliers) shows that data security is not a matter for individual companies alone but concerns the whole system, and cannot be tackled by a single company in isolation as if the interdependencies with its context could be ignored.
The vulnerability of SMEs makes threats pervasive, since the complexity of supply chains and the use of cloud services mean that corporate data end up everywhere. Businesses are thus caught between the hammer (protecting data is complex and very expensive) and the anvil (not protecting data is very risky, both because of the possibility of a data breach and because of the impending sanctions). Adopting sophisticated tools such as the DPIA presupposes a corporate organizational culture that is often absent and harder to build than it is to find the funding needed to cover the cost of compliance.
In order to be applicable, Data Protection must therefore offer the market “effective and sustainable” solutions. To this end, Fumagalli identified two tools in the GDPR that could be suitable: Codes of Conduct and the use of a Shared DPO.
The adoption scheme for CODES OF CONDUCT assigns steps to the Business Associations (drawing up the codes), the DPA (approving them) and companies/organizations (which will subscribe to them and comply with them). The role of Certification Bodies will be to verify their application. In the initial phase the role of the Associations will be very important: historically significant in the extremely fragmented Italian economic scenario, they are now experiencing a crisis of representation in this era of disintermediation. Being able to offer their members simplification through the Codes of Conduct could be an opportunity for them to take center stage again.
It is likely that the Codes of Conduct will be mainly “vertical”, i.e. specifically linked to a market, as the GDPR itself expects in art. 40 (establishing the Codes), “taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises”. Possible examples are insurance agencies across the territory, which show consistency in the kinds of data processing and in their relationship with the parent company, or small bank branches. [Editor’s note: I would not, however, rule out the validity and effectiveness of “horizontal” Codes, like the one on the Privacy clauses to be included in Cloud contracts, which could emerge from the work being undertaken within the CSA and which could aspire to be recognized at EU level].
What will fall within the perimeter of the Codes of Conduct? “Practically EVERYTHING”. They will be concrete documents containing targeted instructions, and will also be an opportunity to bring to the DPA's attention cases that would otherwise be pulverized. The interest of the Data Controller will lie in the cost (to be shared), in the benefit in terms of quality (which the individual SME would not be able to achieve on its own) and in the reduction of the risk of sanctions.
After reducing the complexity of compliance requirements through the adoption of Codes of Conduct, a fundamental role in applying the Codes comes into play: the DPO SHARED between SMEs. Paragraph 4 of GDPR Art. 37 provides that, in cases where it is not obligatory to appoint a DPO, a Data Controller or “associations and other bodies representing categories of controllers or processors may […] designate a data protection officer”, who will “act for such associations and other bodies representing controllers or processors”: in short, a shift from burden to opportunity.
In this step too, a key role will have to be played by the Business Associations, possibly the same ones that promoted the Codes of Conduct, which will encourage their members to adhere to the codes and to share the appointment of a DPO, in order to make their application effective.
In conclusion: the adoption of these best practices could open up to Data Protection a market of 1 million businesses and alleviate the lack of security generated by the forced inertia of small players. [Editor’s note: similar reasoning could be extended to the Public Administration (PA) with regard to small municipalities, which, however, are subject to the obligation to appoint a DPO]. The speaker himself acknowledged that in all probability the legislator did not have precisely in mind the combined use of these two tools to enable SMEs to approach an otherwise distant world. However, the efforts of the legislator (which came to a conclusion after a long and arduous process) must be followed by the commitment of civil society bodies, in order to give substance to the provisions of the law. This is the direction in which this proposal moves: we hope it will spread over the next few months and generate a debate that leads to feedback from the interested parties.