The SMEDATA Project published two reports summarising the finding from the conducted surveys on GDPR compliance by SMEs. The first report (Project Deliverable 2.2) provides an extensive assessment of the training and awareness raising needs of both project target groups, SMEs and legal professionals, whereas the second report (Project Deliverable 3.1) elaborates on the received feedback in connection with the planned development of a self-assessment and awareness tool.
Project Deliverable 2.2 sets the framework and common starting point for the rest of the capacity-building activities within Work Package 2, especially the training content.
The feedback from the survey, which preceded the Survey Report, was evaluated through the identification of gaps in the knowledge and skills of SMEs and their associations as well as through mapping of their needs for data privacy oriented training events.
The survey was conducted in the period March 2019 – April 2019. The questionnaire identified the needs regarding the comprehension and application of GDPR among the target groups.
In total, the answers given are 622 being summarized as follows:
- 32 respondents filled in the English version of the questionnaire;
- 311 respondents filled in the Bulgarian version of the questionnaire;
- 279 respondents filled in the Italian version of the questionnaire.
The Consortium reviewed in detail the findings from the Survey to consider the creation of tailor-made trainings that reflect the needs of the target groups. It was taken into consideration to what extent the representatives of the target groups are informed and aware of the new GDPR requirements and the way they impact them. The partners took into account the identification of specific areas of the GDPR and the new personal data protection framework that are of a particular interest. The Consortium conducted analysis of the results in order to identify key gaps and needs. With the aim to create an efficient and beneficial training, a Training methodology was elaborated with four Training modules: Awareness raising for SMEs, Training of trainers for SMEs and their associations, Awareness raising for legal professionals working with SMEs, Training of trainers for legal professionals working with SMEs and their organizations. The Training Modules are comprised of the following 10 Training sections:
- The concept of “personal data”
- Provision of information to the data subjects
- Legal grounds for personal data processing
- Processing of personal data in the employment context
- Rights of the data subjects
- The concepts of “controller” and “processor”
- Transfer of personal data to third countries or international organizations
- Data Protection Officers
- Ensuring Security of Personal Data
- Questions and Answers and Practical Cases.
Project Deliverable 3.1 represents the main findings of the conducted survey based on elaboration and dissemination of specially tailored questionnaires among more than 100 stakeholders in Bulgaria, Italy and other EU Member States. Along with the survey, interviews were organized and conducted with representatives of SMEs and their associations in Bulgaria, Italy and other EU member states.
Based on the survey results it was concluded that the most common issues and challenges met by SMEs in the application of the GDPR include the following:
- Assessing the data protection risks and choosing appropriate security measures for the protection of personal data;
- Provision of sufficient budget and human resources to implement GDPR;
- Performing data mapping and gap analysis and continuous monitoring of compliance.
The survey provided a clear picture of the most important and comprehensive awareness raising mechanism applicable to different economic sectors:
- Publication of GDPR guides and instructions for SMEs;
- Development of software tools and ready-made templates;
- Conducting specialized trainings for SMEs. Raising awareness events (conferences, seminars, etc.) are also among the mechanisms of importance to SMEs.
Finally, the survey results confirmed the working hypothesis related to the structure and content of the proposed self-assessment and awareness tool, namely SMEs would have a greater use of a self-assessment tool that:
- is online based;
- has easy to use Q&A format;
- is tailored for legal and data protection professionals.