Expert interview
Interview with PymeLegal on Data Protection in SMEs
05 Jun 2023. 15:14
Reading time: 5 min.
Published by Acelera pyme

Terms of use

You can use the resource for personal or informative use with attribution to the entity following our terms of use.




Pymelegal is a consulting firm specialized in Data Protection and Intellectual Property. Don't miss this interview!

  1. Why do you think it is essential to have a Data Protection policy in any business?

All companies and self-employed workers are obliged to comply with a series of legal, technical, and organizational obligations established by the regulations. The regulations would be the GDPR, the European Regulation that came into force in May 2018, the LOPD-GDD that repealed the old LOPD, the Organic Law on Data Protection, and the LSSI, which regulates the legal notices for the website.

So here the importance, obviously, is to avoid high sanctions that can be established by the Data Protection Agency, ranging from serious, very serious, which can reach 1, 10, 20 million euros or a percentage of the company's turnover.

And then smaller ones. People think that the penalties are high, that most of them go to telecommunications companies, financial companies, etc. But we are also dealing with clients that were sanctioned, for example, for sending an email without blind copy (BCC) for €9,000, a penalty notice. Or €6,000 for sending a newsletter without consent, or €3,000 for not having correctly implemented a cookie policy on their website.

It is important to note that there are complaints in this regard and the penalties can be high. Then there are other factors such as building trust with the customer, differentiating ourselves from competitors to protect our assets, personal data and enhance our brand.


  2. Do you have the feeling that SMEs and the self-employed have a lot of ignorance about this issue?

The truth is that yes, there is more and more awareness of the issue. People are reading more and more about sanctions and, as you know, there are a lot of attacks, phishing, ransomware, security breaches, etc., which implies the management of protocols about personal data.

I think that in the end, SMEs are overwhelmed at the level of bureaucracy with other requirements, other regulations, and sometimes they are unaware of it, but I think there is more and more awareness of the issue.


  3. What do you consider essential for any SME or self-employed person to take into account in the field of Data Protection?

An SME, or above all, a self-employed person, for example, when they are starting their activity, does not want problems. So here I would take into account, depending on the business or activity: what type of data I deal with in my business, as the truth is that most businesses manage personal data, even if it is of clients, to issue an invoice, etc. From here, apply the necessary protocols.

Steps to be followed by an SME or a self-employed person to comply with the regulations:

  • Have the records of processing activities. These are the old files that used to be notified to the Data Protection Agency; now it is simply a matter of documenting and safeguarding them.
  • Manage the duty of information and consent through clauses, for example, guaranteeing the rights of those affected.
  • Regulate by contract the provision of services by third parties, the so-called data processors.
  • Have a protocol with employees, very important, a confidentiality commitment with each of our employees.
  • Have a security policy, where we document a little of the scenario of the processing of our data, such as portable devices, how copies are made, passwords, etc. This is always linked to a risk analysis as well.
  • We must have a breach protocol for what I was talking about, possible security breaches, how to carry out the protocol, if such an incident occurs.
  • There are requirements that only depend on the activity of the business, such as having a data protection officer. It is only compulsory in certain cases, or they carry out, for example, an impact assessment (a PIA).
  • Finally, having the legal notices on our website. Be it the legal notice, privacy policy, cookies policy, etc. And if it is an e-commerce, the general terms and conditions.


  4. Are there resources available on the market that are easily accessible for SMEs and the self-employed?

Yes, there are. Here the Data Protection Agency, which is in fact the body that enforces compliance with the regulations, has the power to impose sanctions. It is doing more and more informative work in this regard. On their website there are a lot of resources, such as guides, etc., for SMEs, for compliance, and in fact they also have a tool. It is called Facilita RGPD, which also allows you, based on a series of questionnaires, to obtain some basic template models, for clauses, confidentiality commitments, etc.

Then there are platforms like ours that, through dynamic questionnaires based on the client's activity, generate all the documentation and protocols, and we also accompany the client. There are several platforms like ours. This is a possibility.

For me, the most reliable source is the Data Protection Agency, whose portal allows you to access this type of tool and a whole series of documentation and guides that are very practical and useful.


  5. What advice would you give to SMEs and the self-employed in this area related to digitisation?

Here I would tell the entrepreneur to take the issue of regulations very much into account, that it is not just a matter of complying with the protocol and obtaining the documentation and I store this folder until next year when I must carry out the review or other management.

Let's be clear that data assets are very important. If something happens at the level of a security breach and we lose the information in the database of our customers, we also find almost every week some customer who has had an attack and did not have a backup copy. These are important problems, as it is not only the part of protocols, clauses, the legal part, but also the practical part of having a good IT protocol in security and backup systems.

For example: there are portals where you can self-manage this service, but I always recommend the advisory part. Find a consultancy firm that accompanies you, that makes use of the current resources you have, that is involved in your day-to-day work, that knows the data you manage and that can help you create a customized project that does not involve excessive work, but that is included in your daily protocols. I think it is very important to hire companies of this type to accompany you.

Some do this by means of a subsidy through the Fundae. In other words, this comes at zero cost, you do not have to pay, and they give you all the documentation. This is illegal and is prosecuted, not only by the tax authorities but also by the Data Protection Agency. In the end, sometimes cheap things become expensive, so I recommend hiring a professional to manage the project so that you can have peace of mind in this matter.
