  • Sabrina Palme

SMEs struggle the most with data privacy regulations — Palqee Technologies


Written by Sabrina Palme, CEO at Palqee Technologies


 

How well are SMEs positioned to comply with privacy regulations such as the GDPR and LGPD?

 

SMEs struggle the most applying the GDPR


Small- and medium-sized enterprises (SMEs) are the backbone of the European economy. They make up 99% of all enterprises (up to 250 employees) and they contribute on average an added value of 56% to the European economy every year.


When the EU General Data Protection Regulation (GDPR) took effect in May 2018, it was largely expected that the regulation would be toughest on large tech companies, but about two and a half years in, it’s the SMEs that are the most vulnerable to non-compliance.


In mid-2020 the Commission published a report to the European Parliament analysing the impact of the GDPR two years after it took effect. While the report highlights an overall success, it also recognises a few areas that need attention by the authorities. Among other challenges, the Commission admits that applying the GDPR has proven difficult for businesses, especially small and medium-sized companies, which were particularly affected by the costs of compliance with the data privacy regulation.


Several data protection authorities (DPAs) have provided practical tools and templates on their platforms to support and facilitate implementing the requirements of the GDPR. However, this does not really solve the problem. This approach presupposes that businesses know what the GDPR is, where to look for answers and support, and how to apply it.


Only 10% of UK SMEs are fully compliant with the GDPR


A survey of UK SMEs conducted at the end of 2019 by the UK Data & Marketing Association (DMA) found that while three-quarters (74 percent) of the respondents rated their colleagues’ collective knowledge about the GDPR as high, only 10 percent are fully compliant with the GDPR and 25 percent are in the early stages.


The gap between knowing about the regulation and knowing how it actually applies to a business is concerning, and it proves that the effectiveness of the templates and support offered by the authorities for SMEs has its limitations.


At the European level the numbers look a bit better, according to a study conducted by GDPR.eu in May 2019 to analyse GDPR compliance among SMEs. The results showed that around half of small businesses believe they are fully compliant with the GDPR: still not great, but a much better result than at the UK level. Yet GDPR.eu urges caution about the data, stating in its research that “when asked specific compliance questions, they (SMEs) weren’t quite so confident”. Further, the data is already 1.5 years old at the time of writing this article.


Either way, considering there are about 23M SMEs in the EU and the UK, that would still mean a staggering 11.5M businesses aren’t compliant with the GDPR yet, and it’s unlikely that the number has changed massively over the past year, especially with the report from the Commission confirming the challenges faced by SMEs.


Some of the main reasons for non-compliance among SMEs are:


Knowledge: Most businesses have heard about the GDPR but don’t know what to do with it.


Complexity: Businesses don’t understand the GDPR to its full extent or what requirements they have to fulfil in order to become compliant. They want easy-to-use tools and checklists.


Expertise: Access to professional expertise and tools is expensive.


Relevance: A lot of businesses are betting on the fact that they’ll go unnoticed as authorities are still mainly targeting the big guys. While enforcement continuously grows, the total number of fines issued across the EU and UK is still very small.


Perception: 67 percent of businesses don’t think that spending on GDPR compliance slows them down; they also don’t see it as an opportunity to grow their business and gain a competitive advantage through privacy-preserving business processes.


The need to democratise Privacy Tech


The GDPR is here to stay, and with developments such as the Schrems II ruling in 2020, authorities made clear that its application, and the expectation that businesses respect data privacy, will only get tougher.


The EU authorities continuously make the point that the purpose of the GDPR is not to limit innovation or to put an unnecessary burden on businesses, but to protect people’s privacy and through that foster privacy-preserving innovation. The GDPR is extremely important to protect people’s rights in the digital age, but at this point in time the regulation is still burdensome for most businesses.


Why? Because the infrastructure to manage data privacy efficiently and effectively is missing.

With the introduction of the GDPR the EU essentially created a whole new industry — the data privacy management and services industry — and with that new professions such as the role of the Data Protection Officer (DPO). While the data privacy market is growing rapidly (it was the fastest-growing industry in 2019, with 60.29 percent growth), it is still a niche market that will need several years to mature.


A sub-category that emerged out of this new industry is the Data Privacy Management Software market, often dubbed “Privacy Tech”. Vendors of privacy tech are helping to fill the gap of the missing infrastructure that businesses and privacy professionals need to efficiently manage Privacy Operations on an ongoing basis, just like we do at Palqee.


The privacy tech market is experiencing high demand but is still very small. In 2018 the global privacy tech software management market was valued at just $521.3M, according to research by the Insight Partners.


What usually happens when you have an immature market with scarce services available and high demand? It becomes expensive and only accessible to those who can afford it.


We’re currently experiencing this in the data privacy services industry, and it reflects the compliance challenges of SMEs described earlier. SMEs have been largely overlooked by the privacy tech industry when it comes to supporting them with end-to-end GDPR implementation solutions. Existing privacy tech products are largely targeted at companies with big budgets, with programs designed for experts that require a good amount of training to use — creating several barriers for smaller businesses to follow suit.


In order for SMEs to manage privacy regulations, data privacy management software tools need to be democratised by making them affordable and easy to use. While privacy tech can’t replace the role of privacy professionals, it can help massively to understand what needs to be done, streamline admin-intensive work streams, organise workflows and keep everything required for compliance in one place and in check. It can also keep users updated on any changes in the regulations’ compliance requirements.


Companies that use privacy management software to integrate privacy-preserving practices into their operations are likely to benefit on a broader level too, from more efficient data management to building a more trusted relationship with their customers. (In another article I wrote about the benefits of investing in data privacy as a company. Read the article here.)


Developments that are shaping privacy tech


The trend for data privacy is growing. As the Commission comments in its report from June 2020:


“The adoption of the GDPR has spurred other countries in many regions of the world to consider following suit. This is a truly global trend running from Chile to South Korea, from Brazil to Japan, from Kenya to India, and from California to Indonesia.”

Gartner predicts that by 2023, 65 percent of the world’s population will have its personal data protected under modern privacy regulations, up from 10 percent in 2020. For companies this won’t simply be a matter of complying with the regulation of the country they’re based in. Existing regulations already have international reach. With digitisation continuing to pave its path and an ever more connected world through technologies such as 5G, it will become the norm for even small enterprises to serve international clients.


Privacy Tech that can help businesses of all sizes to manage various privacy regulations at once is only going to push demand, and it’s not a question of if, but of when.


We’re already experiencing this with the LGPD in Brazil. The LGPD is quite similar in its application to the GDPR, and businesses and privacy professionals are trying to find tools that can help with their privacy operations. But for small- and medium-sized enterprises this poses a challenge similar to the one in Europe. Internationally tested tools are often too expensive due to high exchange rates and heavy taxation on international goods and services. Local privacy tech providers may not have the desired experience yet, compared to those from abroad that have already gone through the implementation of the GDPR. While the economic power of Brazilian SMEs is lower than that of their European cousins, standing at 27 percent of Brazil’s GDP, they make up 99 percent of businesses in Brazil, just like in Europe. They form just as large and important a part of the overall economy. Large corporates often already have tools in place due to their international work and are in a much better position to comply with the LGPD and to get professional advice.


The consultants and privacy professionals in Brazil that look after small- and medium-sized businesses are the ones who need to balance how to apply the LGPD with limited budget and resources. Unless there is an infrastructure or software available to streamline Privacy Operations at large, it seems likely that the country will follow a similar path to the EU, with SMEs largely not being compliant with the regulation until a proper infrastructure is in place.


Even the Commission recognised in the report that it will still take a few more years to see the full impact of the GDPR.

