GDPR and SME: Why size really doesn’t matter

“We’ve updated our privacy policy.” You too! You swear to the stars, and to the GDPR.

Arguably one of most ambitious data privacy laws due to its implications, geographical scope and sanctions, the GDPR (General Data Protection Regulation), made businesses shake from the Davids to the Goliaths in the months leading up to its enforcement. Volumes were written before D-Day (or GDPR-Day) May 25, 2018,  about the impact of the data protection law, including some titles that inferred the apocalypse was on its way.

Although we might be wrong dear reader, it’s doubtful you are the CEO of one of the tech giants that currently dominate the world, but to the now omnipresent GDPR, size really doesn’t matter! If you’re handling data that belongs to people living and working in Europe, you must comply with the GDPR, even if your business is small or based outside the old continent.

In simple words, the law stresses how organisations capture, process, store and protect data. See, this doesn’t really depend on business size. It might be the case that a small company processes larger data volume than a large company.

In the United Kingdom, Ireland, France and Luxembourg, Data Protection Regulators (DPAs) responsible for enforcing the law have seen an increase in personal data-related complaints. These bodies however, have proved to be benevolent during the first months and haven’t issued massive fines so far, but their vigilante and enforcer roles are yet to be deployed. In Luxembourg, the Commission nationale pour la protection des données (CNPD) monitors proper GDPR enforcement but, at the same time, wants to facilitate organisations’ paths towards full compliance.

Size doesn’t really matter when it comes to the GDPR but challenges to comply with the law differ if the business is large or small. While the former may need a cross-departmental team fully dedicated to GDPR compliance, the latter are time and resources-limited so the need to figure out efficient ways to comply. We’ve prepared this article precisely to address GDPR compliance in Luxembourg small and medium enterprises (SMEs).  You’ll also find key definitions the data protection law includes, and a 5-step frame for your compliance journey.

A quick review of what SMEs can do to comply with the GDPR

Organisations fancy GDPR, either because they see the benefit and the positive side of it rather than the regulatory burden, or because they are simply obliged to. In the UK, for instance, a survey that a well-known insurance company carried out among its brokers revealed that brokers’ SME clients ask about GDPR on a regular basis, and Brexit-related queries are less frequent and are losing ground.

Let’s have a look at the inescapable: the fines. They can go up to €20 million or 4% of an organisation’s annual global turnover, whichever is the highest. While a tech giant may be able to afford this fine, even though it’s a considerable bite to its revenues, some SMEs can be hit to extinction. We need to take into account that GDPR-related penalties aren’t all or nothing, though. DPAs will look at several factors before issuing the exact and adjusted fines.

A first factor to consider when determining fines is how committed any organisation is to complying with the GDPR. The adoption level of privacy by design, measures for data management put into place, awareness and education programmes carried out, and the non-compliance gravity play an important role. In addition, factors such as the severity of data breaches linked to how effective mechanisms to prevent personal data breaches are, responsiveness level when data subjects (users) exert data subjects rights (for example the right to be forgotten or the right to data portability), are also taken in to account.

Do I control or process data according to the GDPR?

To the GDPR, control isn’t only about possessing users’ data but determining what the data needs to be processed for (the purposes) and how (the means). If you’re a retailer or you run an e-commerce business, for example, you’re a data controller. A data processor, in contrast, processes personal data on behalf of the data controller. If you provide cloud, payroll, accounting or IT services, or you process payments, you are a data processor. There are cases when an organisation plays both roles.

To understand how controllers and processor are linked, let’s think of a case of consent withdrawal. if a user (or “data subject”) wishes to revoke consent to use her personal data, he or she will first contact the data controller who, in turn, must proceed  to request the data processor the removal of data from their servers.

A five-stop journey to GDPR compliance for SMEs

We’ve put together a simple and actionable model for you to track your SME’s GDPR compliance journey. You’ve likely started it or you may have already finished it, but it’s always useful to revisit the followed path. The room for improvement is endless!

GDPR 5-Step Model


  1. Conduct a readiness assessment

Start by mapping personal data your SME uses. Gather information about how you collect data, what information you ask for and, very importantly, where you store it. Think of the reasons for which you need the data, and how it’s protected from unauthorised use. As a result, you’ll assess your business’s current GDPR compliance maturity, and understand the critical risks.

  1. Find remediation gaps

Identify existing privacy capabilities and the work to do to bring your SME into GDPR compliance. With this, jump into the development of a plan to address each of the risks you identified during the mapping exercise. The more people from different departments are involved, the richer and more thorough the exercise is.

  1. Establish oversight

Determine GDPR governance – who does what and how decisions are made – and define a data management model so you can coordinate and implement your remediation activities and keep compliant in the future as well. No matter the size of your SME, GDPR governance is fundamental to be compliant and to remain on track.

  1. Implement your plan

Get your GDPR program off the ground: it’s time for remediating gaps and establishing a privacy and cybersecurity programme. Start, for instance, by cleansing the personal data you hold on your systems that aren’t relevant. In this case, think not only of your clients, but of your current and former employees too. Do you really have to keep former employees’ data? On the other hand, your privacy actions must take seriously the implementation of adequate security systems for personal data protection. A survey run some months before the GDPR enforcement revealed that 90.6% of businesses, mostly European, use software for malware detection and protection (90.6%) in their cybersecurity programmes. They also rely on browser protection software (87.8%), firewall (83.6%), access-restricting software (83.7%) and password-protected Wi-Fi networks (81.9%).

  1. Conduct operation & monitoring

Once your data management model and privacy and cybersecurity programmes are in place, conduct ongoing compliance to drive continued accountability.

GDPR and Luxembourg’s SME: Why size really doesn’t matter

Client-facing actions, marketing and advertising, digital communication, geolocation, profiling, global operations, etc., are business areas that SMEs want to pay particular attention to comply with the GDPR because they gather users’ personal data. Let’s face it, there isn’t any exception: one way or another all organisations, no matter their sizes, control or process personal data.

This week, we reached out to Frédéric Vonner, our GDPR Leader, wondering how Luxembourg SMEs were doing with the GDPR. Fréderic suggested to us to invite Guy Brandenbourger, partner working with SME, to answer some questions.

The result is this video we share with you. We trust you will enjoy it! (in French, with English subtitles.)

Learn more about the GDPR here.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top