Our article “GDPR in the SME – Set risk-oriented priorities!” In Die Presse – Recht Spezial Datenschutzgrundverordnung

Read here our article:

Article GDPR in the SME


DSGVO in the SME – set risk-oriented priorities!

Dr. Markus Frank, an expert on data protection law, warns: “Compliance with the basic EU data protection regulation (DSGVO) is not a one-off feat of strength, but a sustainable process.


  1. “While large companies are actively preparing for the application of the new rules, many SMEs are not yet fully informed about future data protection rules.

    According to the EU Commission in the previous year. I don’t think that’s changed much since then: After all, many organizations have taken care of classical data security – but not of security for those affected. Most of them have used some standard patterns (processing directory, data protection declaration, processing contract etc.), but without adapting them sufficiently to their own IT circumstances and DS risks. Compliance with the DSGVO is time-consuming and costly. It requires data protection legal, technical and organizational know-how. Municipalities etc. also face similar problems.

  2. Supervisors in the EU have imposed the first substantial DS fines. Start the first potentially threatening lawsuits for damages.

    The highest fines against SMEs in EU states including Austria were between 50,000 and 460,000 euros. A large company has already received a fine of 50 million euros in France, and even higher fines have been announced.
    Reasons for these penalties included the lack of TOMs to comply with data protection principles (e.g. data minimization) and data security including documentation, data protection information, data breach reporting, deletion, non-transparent processing of employee data. The reviews were prompted by complaints, data breach reports and ex-officio controls.
    The courts reject compensation for minor infringements. The Austrian Post is threatened with high damages for the assessment and sale of (sensitive) “party affinities”. There are said to be over two million people affected. A first court decision has awarded a plaintiff here 800 euros idealistic damage – times two million…
    The EU data protectors recently received back cover from the USA. Five billion dollars (nine percent of annual sales!) Facebook has to pay according to US law to the Cambridge Analytics case. In the future, Facebook board members will even be held personally liable under criminal law for false declarations regarding data protection.

  3. What must SMEs do now to protect themselves from liability?

    The DSGVO demands a great deal: Processing drawing, data protection coordinator/contractor, proof of legal conformity, operating agreements, transparent information, information, correction, data minimisation, certification concept, DSFAs, security/data protection directive, training, processing contracts, deletion rules, data break procedures, checks, documentation… All this cannot be done at once. Data protection is not a one-off feat of strength, but a sustainable process.

  4. Required tasks and implementation priorities for your operational data protection?

    From DSGVO, DS laws and hundreds of selected fine notices, official orders and recommendations as well as judgements in the EU exact tendencies can be recognized. Just to name a few: Which data and processes have been checked by the authorities and how often?
    Which defects were very often complained about (e.g. Legal conformity!)? What were the fines for? Recommendations for achieving compliance?

  5. Data protection audit

    Within the scope of a DS audit, the above-mentioned know-how can be used to identify the DS measures required in your organisation and comprehensible criteria for priorities in your implementation. Depending on the complexity and risks, the audit team consists of an (external) jury (and an IT expert to an interdisciplinary team). The lawyer’s obligation to secrecy also guarantees confidentiality vis-à-vis the authorities. On the basis of the audit report, the implementation of the measures can be continued in a structured and efficient manner.

  6. The International Privacy Management Standard ISO/IEC 27701 was published in August 2019.

    After our experience with ISO 29151, ISO 27701 seems to me to be much more practice- and DSGVO-compliant. If a DS representative had been involved in an ISO 27701 system at an early stage, Swiss Post would probably not have been able to identify the “party affinities”. In order to support your organization, Frank Law is also at your disposal with its interdisciplinary Network.

With comprehensive advice and a DS audit by experts, prominent cases could have been avoided, emphasises Dr. Markus Frank.

Dr. Markus Frank