ICON completes nationwide GDPR platform for SME’s

A recent survey conducted by the Information and Data Protection Commissioner (IDPC) amongst 259 SMEs found that knowledge about GDPR-related issues was found to be medium to high amongst the majority of SMEs.

The survey, conducted together with the Malta Chamber of SMEs, and the Malta Employers Association, was commissioned by the IDPC as part of a wider project to increase GDPR awareness amongst the general public and the business community, particularly SMEs.

This project, co-financed by the EU’s Rights, Equality and Citizenship Fund 2014 to 2020, saw the creation of a secure online self-assessment compliance tool made available online on https://idpc.org.mt/for-organisations/self-assessment-compliance-tool/ designed in a way that guides SMEs through a set of self-assessment risk levels, recommendations and templates to help them measure the compliance of their processing operations with GDPR requirements and obligations.

Ian Castillo, Owner and Director of ICON who designed the IDPC’s online self-assessment tool said that “this latest project for the IDPC has allowed us to implement our capabilities to a nationwide project that will help SMEs determine how compliant they are to the stringent requirements of GDPR.”

“Users who take this online self-assessment will be guided through 48 brief questions that cover the most important provisions under the GDPR. At the end of the questionnaire, the tool generates a report based on the answers provided immediately helping the business identify whether its risk level is high, medium, or low. In addition to the report, the tool can measure compliance gaps, providing useful feedback and recommendations and offers valuable documentation and templates of policies that any SME can adapt and implement within its own organisations,” added Ian Castillo.

“This initiative is in line with our office’s tasks to increase awareness on data protection among the Maltese business community. Essentially, this compliance tool assists businesses that are not yet fully familiarised with data protection to assess and identify their current risks of non-compliance to be able to mitigate them,” said Ian Deguara, Information and Data Protection Commissioner.

“The online platform has been designed and implemented in a manner that, after the SME completes a questionnaire, it identifies levels of risk, measures compliance gaps and provides feedback. More importantly, we want SMEs to understand that this platform is only a risk algorithm tool developed to deliver an immediate result in the form of a report, including templates of policies, which the controller may consider implementing internally,” added Pierre Minuti, the IDPC’s Senior Technical Executive.

Recent research conducted by the IDPC also found that the majority of businesses are aware of the obligation which requires controllers to legitimise activities involving the processing of personal data on the basis of a valid legal ground. Although SMEs generally inform data subjects about the processing of their personal data mostly through their websites and manual forms, the application of other data protection principles together with the implementation of organisational and technical security measures are areas of the law which should be given more attention.