A new tool to help SME business owners to assess their data protection practices

GDPR2DSM, a co-project of the Office of the Data Protection Ombudsman and TIEKE (Finnish Information Society Development Centre), is developing a freely available tool for small- and medium-sized companies to help them improve their data protection competence, evaluate the present state of their processes, and get further advice on how they can improve their practices. The first version of the tool was published in Finnish on International Data Protection Day, 28 January 2022.  

Appropriate data protection processes increase a company’s reliability in business operations, both in relation to consumers and other companies, and it can improve the business prospects of small- and medium-sized companies in the EU market. Many small- and medium-sized businesses need more information and support in data protection questions, not only in Finland but also across Europe.  

The EU project funding granted to the Office of the Data Protection Ombudsman and TIEKE has resulted in the development of an easy-to-use tool for small- and medium-sized businesses. A specific goal of the events and self-assessment tool of the GDPR2DSM project is to offer help for those micro-, small- and medium-sized companies that find it challenging to follow the General Data Protection Regulation.  

A key goal of the project is creating a tool that companies can use for assessing their data protection measures without expertise in data protection matters. The development project is based on a needs assessment survey that was completed in early 2021. The results of the survey were used in the development of the tool in a collaborative project with companies.  

The invaluable input of the companies has made is possible to create an easy-to-use tool from which businesses genuinely benefit. Feedback suggests that the tool is found useful both in the business-owner’s competence building and employee training.  

The GDPR sets different types of obligations depending on the tasks of the company. An organisation can be either a data controller, processor or joint controller. The user of the tool starts out by selecting a role and answers questions based on the role. If it feels difficult to pick a role, the user can establish their role with the help of additional questions.  

Relevant questions are at the core of the data protection tool. It helps the respondent to assess how the company has acknowledged the key elements of the General Data Protection Regulation. To conclude the assessment, the respondent receives a report that includes recommendations for measures to be taken and where to find more information.  

The first English version of the tool will be published in September and the development work with the tool will continue into the autumn of 2022. Feedback concerning both the functions and contents of the tool is welcome for further development.  

The data protection self-assessment tool is published on a website that will include, in addition to the tool, other materials intended for the use of small- and medium-sized companies. The tool will also be translated into Swedish and English, which means that it can be used in other EU Member States, too. The English version will be published in September of 2022. The website and tool will be finished and available in their entirety for small- and medium-sized companies by the end of October 2022.  

The tool will be completed on a solution based on open-source software, which will make its further free development possible even after the project is completed.  If you have suggestions for the tool or are interested to know more, contact our project with the details below!

The English version will be published in September of 2022.

_{The content of this page represents the views of the author only and is his/her sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.}