Over 350 SMEs surveyed – awareness of GDPR requirements still patchy

The General Data Protection Regulation came into force three years ago and seems to be a recognizable thing for businesses. The knowledge and challenges companies face were investigated in March in an online survey by the Office of the Data Protection Ombudsman and TIEKE. Approximately 350 respondents filled the online survey. The majority of the respondents were companies in the commercial sector with less than five employees.

Companies of different sizes had different perceptions of requirements for data protection. The larger the company, the better the awareness of the requirements of the General Data Protection Regulation. Large companies had done the most work to meet the requirements. Correspondingly, awareness of the requirements was poorer in smaller companies, and less work had been done to meet them as well.

In larger companies with more than 20 employees, data protection challenges are broader, or at least perceived as such. Almost 70% of larger companies had sought external assistance. Smaller companies seemed to be more reserved with regard to external assistance, as only 30% had obtained outside help on issues related to the application of the General Data Protection Regulation. This may be due to, for example, the high cost of the assistance from law firms or consultants, which small businesses are not willing to pay.

Indeed, the smallest companies had most often been assisted in data protection matters by an online service provider or other IT service partner. Businesses were mostly satisfied with their own or external expertise: 70% of large companies said that they have been able to apply the General Data Protection Regulation in practice well or very well in their business. 60% of small companies were satisfied with the level of application.

Surprisingly, however, more than 80% of the representatives of large companies felt that the General Data Protection Regulation continues to pose challenges. For small companies, the corresponding figure was over 60%. Could it be that last winter’s news reports of data breaches have led companies to question the integrity of their own data protection? This may have alerted companies to the fact that there are areas of the General Data Protection Regulation that have received less attention in the company. Is it also the case that larger companies have a wider range of activities, and thus more things to consider?

Based on the responses, the most challenging areas were considered to be accountability and security of processing, i.e. requirements related to information security. Data protection impact assessments, informing data subjects and the rights of data subjects were also areas in which companies are hoping for assistance. 

We also investigated what kind of practical help would be most beneficial for companies. Presumably, the teleworking learned during the coronavirus period was reflected in the responses: the most popular options were various checklists, written instructions, and webinars. In contrast, only one in four was interested in training sessions.

The survey on the data protection expertise of SMEs was carried out as part of the GDPR2DSM cooperation project between the Office of the Data Protection Ombudsman and TIEKE (GDPR opening doors to the digital single market: SME centric online tools and support for leveraging the opportunity). The aim of the project is to help Finnish companies improve their data protection expertise and thereby facilitate access to the EU single market. The project is funded by the European Union’s Rights, Equality and Citizenship Programme.

Small companies = less than 5 people. 197 responses
Medium-size companies = 5–19 people. 64 responses
Large companies = more than 20 people. 80 responses
The respondents had classified themselves as follows: Industry 35, Commerce 35, Construction 32, Services 204, Other 64. The respondents were able to classify themselves into more than one category.