Guidelines for SMEs on the security of personal data processing

Small and Medium Enterprises (SMEs) currently dominate the international business landscape and constitute the backbone of the EU economy, promoting the competitiveness of, and investment in, the Digital Single Market (DSM).

Over the last decade, several security risk assessment methodologies and frameworks have been proposed by different bodies, aiming to support organisations in evaluating the security risks associated with their business operations. More recently, a few specific privacy risk assessment frameworks have also been presented, focusing particularly on the evaluation of risks to personal data and the adoption of relevant security measures. While large companies have the capacity to respond to and appropriately implement these frameworks, SMEs do not always have the necessary expertise and resources to do so. Indeed, it is in many cases difficult for SMEs to comprehend the specific risks associated with personal data processing, as well as to assess and manage these risks following a formal methodology. This can put the personal data processed by SMEs in harm's way, while at the same time hindering SMEs' compliance with their legal obligations under the GDPR.

On this basis, ENISA decided to provide further guidance to SMEs on how to adopt security measures for the protection of personal data, following a risk-based approach. In particular, the objectives of the study were to help SMEs understand the context of a personal data processing operation and subsequently assess the associated security risks. On that basis, the study also proposes possible organisational and technical security measures for the protection of personal data that are appropriate to the risk presented. These measures can be adopted by SMEs in order to achieve compliance with the GDPR.
