
Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 3 November 2017


Greetings from Brussels!

Small- and medium-sized enterprises are — and have always been — the backbone of Europe's economy. They represent about 98 percent of all private-sector businesses in the EU. In the past five years, they have created around 85 percent of all new jobs and provided two-thirds of the total private-sector employment in the EU. Suffice it to say, it is an important sector of the economy and key to Europe's ability to remain relevant, competitive and innovative across industries. All support afforded the sector concerning EU legislative changes affecting their operations is to be welcomed.

This week, on 1 Nov., the ICO launched a U.K. phone service aimed at providing General Data Protection Regulation advice to small businesses and charities, to help them better prepare for the regulation entering into force next May. There are, of course, existing resources on the ICO website to help organizations employing fewer than 250 people prepare for the GDPR. The new phone line will offer additional personal advice to smaller organizations that still have questions. The advice will also cover questions about current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information requests.

Information Commissioner Elizabeth Denham said, "There are 5.4 million businesses in the U.K. that employ fewer than 250 people. When it comes to data protection, surveys show they tend to be less well prepared." Firms have only months left to prepare for the implementation of the GDPR, and surveys continue to reveal that a large number of U.K. (and EU) SME businesses remain in the dark about the new law. Some surveys show as many as 60 percent of businesses have yet to form a plan to make sure that all staff and functions that handle data are aware of the GDPR. Helping SMEs comply with privacy and data protection laws to protect the personal data of their customers and employees has increasingly become a focus for lawmakers and regulators around the world. And with just cause: smaller companies and organizations have limited financial resources and often lack the technical sophistication and infrastructure to effectively protect data from the outset. Unlike larger firms that have "deeper pockets," SMEs are far less likely to have compliance or data protection functions in house or the luxury of access to legal experts.

On the other side of the pond, in a similar initiative, the U.S. Small Business Administration and Congress have also made it a priority to provide cybersecurity assistance for small businesses. The SBA estimates that there are more than 28 million small businesses — companies that employ fewer than 500 people — in the U.S. and that they employ about 50 percent of the U.S. workforce. The agency has recently been reaching out to local chambers of commerce, technology vendors and banks that serve small businesses to raise awareness of the benefits of cybersecurity threat sharing.

It is easy to overlook the needs of SMEs, as their holdings pale in comparison to the amounts of data being held and processed by large and multinational companies. Nevertheless, collectively they process significant amounts of personal data and often figure as components of larger service supply chains and data flows. The GDPR does not have a general exemption for SMEs; with that in mind and knowing how meaningful changes in legislation across the board can impact the sector, this new ICO initiative is very timely and relevant. The attribution of resources to supporting the SME ecosystems in Europe continues to be a challenge in a fast-moving and increasingly digitalized economy.

