European citizens can feel more protected thanks to the new GDPR which comes into force today. They can have more control over their online personal data. At least this is the feeling from all the emails we are receiving these days.
But for small entrepreneurs, adapting to the GDPR is hard.
Kelly Claessens runs "Fabrika", a family-run furniture shop in the center of Brussels that also delivers online items. She needs to collect personal data such as email and postal addresses, but also VAT and telephone numbers. Now she has to ask her subscribers consent to keep using stored data.
"A really small percenbtage of people actually confirm their subscriptions, so if we have to do this pretty much all our subscribers will be lost," says Kelly.
The main chore is keeping a record of data processing activities such as maintaining documentation, and conducting a data protection impact assessment of the risk.
"It is really hard because we don't have the budget to hire somebody to be responsible for this so we have to do it by ourselves," continues Kelly.
Not complying with rules could mean penalties up to 4% of turnover or 20 million EUR, whatever is highest. However this legal expert tells us small and medium-sized companies have some leeway.
"A normal SME will be less targeted, hopefully. In any case if there were any complaint or if the national authority started an investigation, it would be crucial as an SME, that you can at least show that you try to comply," says legal advisor at UNIZO, Frank Socquet.
Most SMEs want to comply but it remains very technical legislation. It seems that hiring a GDPR expert is crucial
"Currently on the market there are both real experts on GDPR, but a lot also of self-declared experts who actually benefit from the fear that exists now among SMEs but in many cases is not necessary," concludes Socquet.