The European Commission has launched a new data protection website aimed at educating the public and helping businesses and other organizations comply with their new obligations under the General Data Protection Regulation. The Commission’s website contains some infographics to help readers get to grips with the key points of the GDPR. It also contains Q&A and examples that may be helpful in assessing when the GDPR’s various obligations are triggered in different situations.
While the infographics approach to explaining companies’ GDPR obligations have the virtue of simplicity, the Commission’s explanation of what smaller companies must do is far from exhaustive and might mislead readers into thinking they are in compliance when they are not. For example, the explanation of the record keeping requirements mentions three criteria that trigger the requirements for companies with under 250 employees (SMEs), but omits a critical “or” between the infographic’s second (risky processing of any personal data) and third criteria (processing of sensitive data or criminal records). Small companies could easily be misled into thinking that only processing that meets all three criteria requires record-keeping.
Larger companies that are subject to the GDPR will likely find the Commission’s SME-focused infographics useful, but should approach with a bit of caution. Their data processing activities will require record-keeping and, since larger companies are typically more complex, it may require deeper analysis to get to grips with their GDPR obligations.
That said, companies looking for a digestible, visually engaging explanation of their responsibilities under the GDPR will find this a useful addition to their GDPR preparation toolkit.