SME Development

GDPR – An european brain-teaser for small enterprises ?

Posted on

 We are all concerned by General Data Protection Regulation (GDPR) !

The real question is whether we have taken stock of the implications of this new regulatory framework … and how to implement it.


SCS and  KPMG and Bignon Lebray have striven to find a simple and effective answer to enable digital startups and SMEs to fully understand the GDPR and guide them in their compliance.

  • What is the GDPR for :  what is personal data ? 

The General Data Protection Regulation entered into force on May 25, 2018. This regulation “sanctifies” the protection of personal data.
It harmonises the practices and the obligations between the different Member States and especially establishes rules for all including outside the European Union.Therefore, it is a real protection for European citizens about the use made by companies and especially the major players in digital and social networks, large data concentrators.

But what is personal data in the context of an enterprise ?
Is considered as a personal data, any information directly or indirectly related to a natural person identified as for example (non exhaustive list) : a last name, an identification number, a location data, an online identifier, a specific element on a physical, physiological, genetic, psychic, economic, financial, cultural or social identity.

Any company, big or small, is in possession of personal data even if it is only in its files customers and prospects or in relation to its employees whose names it, social security numbers or other information obligatory to establish a contract of job.
The GDPR applies to everyone !


  • What are the points of complexity to be well understood ?

To fully understand the obligations of the Regulation, it is necessary to address in particular the notions of “treatment”, “controller”, “subcontractor” ..
A precise definition of the terms is made in Article 4 of the Regulation, which you can consult HERE

Thus, regarding the processing register, it must be clearly kept up-to-date and must document all the processing of personal data.
In case of violation of the personal data, it is obligatory to notify this violation to the supervisory authority, the CNIL for France, and to the persons concerned within 72 hours after the incident.

Another fundamental point of vigilance is that data protection must be thought since the company product or service conception, which is called “Privacy by Design”. This applies directly to software, platform or mobile software publishers . In addition, if you use subcontractors, it is necessary to ensure the respect of the GDPR by all of them and to guarantee at each level the obligation to secure the personal data .
Indeed, the client is now held responsible for the compliance of his subcontractors.

Finally, for any company, whose main activity is to carry out regular and systematic monitoring of people on a large scale, or to treat large-scale data called “sensitive”, is subject to the designation of a DPO (Data Protection Officer) . He is the guarantor of the respect of the obligations in the time and acts as main contact regarding the CNIL. No compliance with the GDPR is not an option.

No-compliance may have significant impacts. Not only financial since the administrative fine can go up to 4% of turnover or 20M € but also image impacts, bad publicity besides the possible civil or criminal prosecution by people filing a complaint against a company for non protection and respect of his personal data.

All concerned, that why we need  for a tailor-made professional support for digital enterprises

Numerous SCS Cluster members work with personal data.
To gain a clear understanding of the regulation, there are multiple awareness, training or support packages available in the regional ecosystem. However, personalized diagnosis work regarding technical and legal aspects can only be done with customized accompaniment.

This is why the SCS Cluster support offer aims at establishing a precise list of the observed discrepancies and the risks associated with the definition of the action plan which makes it possible to reach the conformity while addressing the organizational implications accordingly.

SCS Cluster chose KPMG for this assignment. It has high-level experts who master both the technical aspects and the legal coverage.
In association with the law firm Bignon Lebray, specialized on this subject.


More informations about this program HERE

Retour aux actus