Comments seem to appreciate the GDPR: consulting companies think of the huge amount of services that top enterprises will require; tech vendors follow. Here is the point: large banks, top insurers, international B2C operators, Telcos, large internet players, these are the ones that are expected to comply. Or that will have to comply.
But this is just a small piece of the market. And the rest? What about micro, small and medium companies?
One could say: in the past SMEs have not been affected so much, so the picture will probably remain the same, no problem there. Maybe, but today the situation is completely different compared with ten or fifteen years ago: no Facebook then, no iPhone, no big data, no cloud. The digital revolution was just beginning. A static website was the most relevant impact of the internet on the SME budget.
Today data protection is a key issue for the survival of the digital market itself. Products and services are designed, manufactured and delivered through a very tightly connected value chain based on cloud, mobility, digital networks and information sharing. The whole organization of society depends on digital: even the American elections may be dramatically impacted by a hacker's attack.
SMEs are part of this picture, completely and deeply. That's why nobody can disregard the issue of how they will comply with the GDPR.
The GDPR makes the Controller accountable for reaching the GDPR's goal of protecting the rights and freedoms of the interested person (the data subject) and for being able to demonstrate it. A complex organization is required to comply, not just money. But quite often SMEs are paid precisely for not being complex: fast, reactive, without bureaucracy. So, it seems an impossible task.
Fortunately, it seems that the legislators were aware of this contradiction. Articles 40 and 41 introduce and regulate codes of conduct as a means of allowing an easier and simpler way to ensure SME compliance.
Many "whereas" recitals and many articles suggest that if the Controller or the Processor adheres to a code of conduct they may be considered compliant with the Regulation itself, their liability is reduced, and so on.
What is a code of conduct? It is, somehow, a specialised and simplified representation of the GDPR for a specific set of controllers that have the same profile towards the processing of personal data. It is the sharing economy in the compliance market. Shared compliance: lower costs, less complexity, quality results. Potentially.
Who is in charge of developing these Codes of Conduct?
"Associations and other bodies representing categories of controllers or processors may prepare codes of conduct…" That is, the process of developing such codes is in private hands, under the control or influence of the interested parties.
I don't want to go more in depth here: an event on this matter, organised by Clusit and Europrivacy.info, was held in Rome last week with the participation of the Authority (ask for info if interested). Just note that the GDPR has identified the SME issue in the connected digital world and has suggested a possible solution that may work. It is now up to associations and other bodies to play the game. In the interest of all of us. It is also in the interest of consulting houses, tech vendors and SMEs: that's why it may work.