What do Belgian SMEs know about the GDPR and what can help them?
The Belgian Data Protection Authority investigates
The Belgian data protection authority has conducted an investigation into this matter. This blog post will be part of a series. This first blog will discuss the results of the research. Subsequent posts will focus on a subject that Belgian SMEs have indicated they have problems with.
A large number of the companies surveyed believe they have sufficient theoretical knowledge of what personal data is and how it can be processed according to the GDPR.
However, the results vary more widely with regard to the three specific central themes of the research:
- the concepts of ‘controller’ and ‘processor’;
- the principle of transparency;
- the data protection impact assessment (‘DPIA’).
Knowledge and understanding of ‘controller’ and ‘processor’
The first central theme of the research project is the knowledge and understanding of the concepts of ‘controller’ and ‘processor’. Knowledge about these concepts is tested among SMEs, as well as how the roles are applied in practice.
The conclusion after the survey is that theoretical and practical knowledge of the concepts of ‘controller’ and ‘processor’ is sufficient for only just over half of the surveyed SMEs. Correct estimation of the roles and responsibilities of both in concrete situations is a stumbling block for a considerable number of the SMEs.
The transparency of SMEs in the context of the GDPR
The second central research theme was transparency. In order to be transparent, companies must inform data subjects about the processing of personal data.
Clear and simple language must be used. Privacy statements play a crucial role in this.
Belgian SMEs were asked in the study what information should be included in a privacy statement. Of the 142 SMEs that participated in the research, only 33 answered the question completely correctly.
49% of those questioned answered partly correctly and the rest answered incorrectly.
Clearly, Belgian SMEs can still use some help in drawing up a correct privacy statement. In the next blog we will discuss what such a statement should contain.
Knowledge and understanding of data protection impact assessment (DPIA)
The third and final central theme of the research project is the data protection impact assessment (DPIA). According to the GDPR, companies should carry out a DPIA where the processing of personal data may lead to risks to individuals. Do SMEs have sufficient knowledge and understanding of this?
A large number of the SMEs surveyed do not have sufficient knowledge of the situations in which a DPIA must be carried out.
It is striking that a large number of SMEs indicate that they do not have sufficient knowledge of how to execute a DPIA correctly, or even have no idea what a DPIA is. Furthermore, there is a large group that says they know how to perform a DPIA, but have never performed one before. The question that arises here is whether these SMEs also know when they should execute one.
Other complex themes of the GDPR for SMEs
In addition, the results show that SMEs mainly experience difficulties with the following themes:
- retention periods of personal data;
- the personal data inventory;
- data processing agreements with third parties; and
- the principle of “privacy by design and default”.
All in all, Belgian SMEs are still experiencing many difficulties with the implementation of the GDPR. Subsequent posts will focus each time on a subject that Belgian SMEs have indicated they have problems with, to give more explanation and practical tips on these specific themes.