SMEs and GDPR Enforcement: What lies ahead?
We aren’t economists, but it seems inevitable the SME sector will continue to feel the financial impact of COVID-19 long after the immediate crisis has passed. For many, this will mean taking radical action to manage their businesses differently and more efficiently, possibly at the expense of critical areas like data protection compliance.
This is a risky strategy, as we firmly believe there is an increased likelihood of Data Protection Authorities (DPAs) hitting the sector hard. Coupled with a need for DPAs to start demonstrating the GDPR is being enforced, we conclude this is not the time for SMEs to drop their guard.
DPA funding means SMEs will be targeted
It is no secret that DPAs are poorly funded. Whilst the EU DPAs received a total of €265m between them in budget allocations, €85m was allocated within Germany, with the top five funded DPAs receiving nearly 60% of the total. Even before COVID-19, the annual budget increases had slowed, and the leaders of DPAs were expressing concern.
If predictions are accurate, national government revenues will be critically hit by the economic aftermath of COVID-19. At the same time, the demands on their resources will be even greater. A return to austerity will not be an option, and investment in a new future must be novel and dramatic. Ultimately, we believe this means DPAs aren’t likely to receive any meaningful increases in their funding anytime soon.
The outcome of this under-investment will be a growing disparity between enforcement of the GDPR against smaller enterprises and against those that have the resources to aggressively oppose investigations and defend decisions – like Big Tech. In short, DPAs might increasingly be tempted to go for easy wins.
This will put SMEs in a two-tier enforcement regime where they are disproportionately subject to investigation, and hardest hit when it comes to penalties – a concern we have expressed many times before.
SMEs are already in focus
In the two years to April 2020, the UK’s ICO (the best-funded DPA in the EU by far) published details of 52 enforcement actions. Of these, fewer than 10 could be classified as against large, international enterprises, and only three against Big Tech. In the same period, details of 23 enforcement notices were published, but none were against large enterprises.
At the other end of the scale, with a budget of just €1.3m, the Romanian DPA has since July 2019 published the details of 14 GDPR-related fines. Just four were levied against larger enterprises.
There are more than 25 million SMEs in Europe, so we should not be surprised if SMEs are more prominent in enforcement statistics. However, the data processing activities of large, international enterprises and Big Tech are arguably more significant and impactful, and it is these very activities the GDPR was designed to control. As yet, we have not seen any meaningful, concerted action against this cohort and the privacy practices they adopt.
DPAs’ future plans
Whilst the UK is no longer in the EU, the ICO is perhaps one of the more sophisticated DPAs and might be regarded as an indicator of future enforcement activity.
In April, it confirmed an adjusted regulatory approach with a focus on “the greatest threats”. This was followed in May by a statement setting out six new priorities, designed to protect the public interest and support economic growth and innovation.
More worrying is the ICO’s contrary position on investigations. On the one hand, it has confirmed statutory functions will be maintained, including dealing with complaints and data breaches. On the other, big-ticket items like the investigation into Adtech (which has been lingering for some time) have paused: “It is not our intention to put undue pressure on any industry at this time…” So already, a step back from focusing on the activities of Big Tech is evident.
The French regulator (CNIL) has taken a different tack, and recently announced the integration of climate and environmental issues into its priorities. This reflects commitments made in the Paris agreement, and, as CNIL put it, “the application of the GDPR, by limiting the massive consumption of data…produces positive [outcomes] for the environment.” CNIL will be exploring links between the protection of individual freedoms and environmental transition, and also plans to measure the energy impact of the transmission of personal data. We believe there is a risk this may disproportionately impact SMEs, whose resources and capabilities for change are much more limited.
Then there is the Irish Data Protection Commissioner, who is in the unenviable position of being the lead DPA for many of the world’s Big Tech and Big Data businesses.
Previously she has expressed disappointment about the funding her authority receives and has defended her own assessment of output performance (C-plus/B-minus) by referencing how her office has been overwhelmed with complaints. However, she has so far not formally announced how the priorities of her authority are going to change. Under pressure from her EU counterparts to demonstrate that the Data Protection Commission is a serious regulator, we are concerned quick wins may again come from the SME sector.
What lies ahead?
GDPR will be enforced, and the DPAs will be keen to ensure enforcement activity accelerates to demonstrate the GDPR is not a lame duck. This will mean more investigations and larger fines. However, with resources that do not match the challenge ahead, it seems inevitable that DPAs will look to where they can make the most progress.
This puts SMEs at significant risk, so this sector must continue to address data protection as a very serious, existential threat and, if necessary, consider alternative ways in which it can be more effectively and efficiently managed.