GDPR: What's new for European SMEs?

The Internet landscape has changed significantly over the last few years, affecting how we communicate with each other and our everyday lives. With more and more personal data shared online and high-profile cyber security scandals hitting the headlines, companies and individuals need better guidelines on how to deal with cyber attacks that threaten data security. The General Data Protection Regulation (GDPR) looks to address this need.

The GDPR is the new privacy legislation, mutually approved by the EU Parliament and Council in April 2016 and to be implemented throughout the whole EU and EEA region, starting from April 2018. Its main goal is to better regulate the way companies safeguard and deal with EU citizens’ personal data. It will give EU citizens stronger control over, and protection of, their personal data.

The main purpose of the GDPR is to ensure a seamless data security law for all EU members, so that each country does not have its own specific law. Most importantly, any company involved in the EU marketplace, regardless of the country, must abide by the regulation. This way the GDPR will have a positive impact on data protection requirements across Europe.

The GDPR’s impact on SMEs

The GDPR will affect all types of businesses dealing with data of European citizens. SMEs need to be fully prepared and should already be taking steps to ensure they are GDPR compliant:

Consent. This has to be crystal-clear. Each individual must have the choice to opt in any time data is collected. Privacy notices should be concise, understandable and transparent. Moreover, anyone should be allowed to withdraw consent at any stage.

Right to erasure. Each individual will have the so-called “right to be forgotten”. This means that all their data can be deleted once and for all, and they have the right to hand their data to another company.

Data portability. The possibility to move personal data across different providers. SMEs will be obliged to provide this data on demand, in a usable form and free of charge.

Security breach. In the GDPR framework, every organization is asked to report a security breach within 72 hours, whenever it is likely to “result in a risk to the rights and freedoms of individuals”.

Data protection officer. Organizations and SMEs must appoint a data protection officer if they process special categories of data (such as data related to criminal offences or with legal validity) or carry out massive monitoring of individuals (such as online behavioral tracking).

Privacy Impact Assessment. Whenever data processing may be hazardous for individuals, PIAs will be mandatory.

How is helping SMEs understanding the GDPR is delivering a set of user-friendly guides and workshops to help SMEs understand how they need to prepare for the GDPR. Led by ICT Legal Consulting, an international law firm specialized in ICT, we’ll help organisations to understand the GDPR, clarify its intricacies and resolve potential conflicts of interpretation.

• Monitoring of the regulatory framework

• Understanding the legal complexity of the regulatory framework

• Drafting a list of policy issues to be solved at EU and/or national level 

• Supporting R&I teams and proactively proposing areas of research and policy solutions

Positive implications of GDPR’s adoption

SMEs and businesses that act early to comply with the GDPR will not only avoid both huge fines and damage to their reputation, but will also be able to provide more trustworthy services with safe data handling, information security and compliance processes. More accurate and up-to-the-minute data will allow more effective marketing efforts for these businesses.

