On October 28, 2024, project partners of the ARC II (Awareness Raising Campaign for Small and Medium-sized Enterprises) project held a hybrid wrap-up meeting in Florence, Italy. The event was graciously hosted by the University of Florence.
The ARC II project, co-funded under the European Union’s Citizenship, Equality, Rights and Values (CERV) Programme, has been a collaborative effort spanning two years. The project partners include:
- Croatian Personal Data Protection Agency (project coordinator)
- Italian Data Protection Authority (Garante per la protezione dei dati personali)
- Faculty of Organization and Informatics, University of Zagreb
- Vrije Universiteit Brussel
- University of Florence
The primary goal of ARCII was to support Small and Medium-sized Enterprises (SMEs) in their efforts to comply with the General Data Protection Regulation (GDPR) while reducing their administrative burden.
In his keynote speech Mr Zdravko Vukić, director of the Croatian DPA, vice president of the European Data Protection Board and member of the Steering Committee emphasized:
“Why have we dedicated so much time and resources to SMEs? First in ARCI project that we have been implementing with Irish data protection authority, then in ARCII project, for more than 4 years we have been investing a lot of efforts and time to help SMEs to understand and comply with their obligations arising from the GDPR. This is not without a reason.
More than 99% of all enterprises in EU are SMEs. Small and medium-sized enterprises play a key role in the European economy, and of course in the Croatian economy. These enterprises are often described as the backbone of the economy as they constitute the majority of businesses in Europe. Even after more than 6 years of full implementation of the GDPR, a large number of them consider GDPR as a huge administrative and financial burden.
Thanks to the activities we’ve implemented, small and medium-sized enterprises have not only gained access to valuable information and achieved a higher level of GDPR compliance, but they have also been able to realize significant financial savings”.
The goal of the wrap up meeting was to present main outcome of the ARC2 project- web tool Olivia to stakeholders, take stock of project results, determine actions that need to be taken for the successful completion of the project as well as to exchange experiences and insights regarding GDPR implementation in SMEs with stakeholders.
The meeting attracted a diverse group of attendees, including representatives from the European Commission, the European Data Protection Board (EDPB), various data protection authorities, small and medium-sized enterprises (SMEs), and legal practitioners.
A highlight of the event was the presentation of the Olivia web tool, developed as part of the ARC II project. Olivia will be permanently available, free of charge to all interested stakeholders: https://olivia-gdpr-arc.eu/hr
Additionally, Ms Marianna Colonna from the EDPB showcased a practical tool specifically designed for SMEs (EDPB guide for SMEs). This resource, available in 17 languages, can be accessed at https://www.edpb.europa.eu/sme-data-protection-guide/home_en.
Participants also benefited from a presentation by Ms Pavlina Peneva from the European Commission, who detailed the opportunities offered by the Citizenship, Equality, Rights and Values (CERV) programme.
The CERV-2021-Data Call focuses on two main priorities:
- Facilitating the implementation of General Data Protection Regulation (GDPR) obligations by SMEs.
- Raising awareness about the GDPR among the general public.
Thanks to the funding provided under the CERV programme, data protection authorities across the European Union will have the opportunity to implement activities targeting SMEs and the general public. These initiatives aim to enhance awareness and knowledge of data protection principles and practices.
This collaborative approach, combining resources from EU institutions, national authorities, and academic partners, demonstrates a concerted effort to strengthen data protection practices across Europe, particularly focusing on the needs of SMEs and increasing public understanding of data protection rights and responsibilities.
Ms Pavlina also highlighted some recommendations from the second report on the GDPR:
- Further support businesses’ compliance efforts, especially SMEs
- Clear and actionable guidance from data protection authorities
- Data protection authorities to actively engage with organisations, especially SMEs
- Uptake the use of GDPR codes of conduct and certifications.
In line with the GDPR’s risk-based approach, SMEs carrying out low-risk processing activities do not bear a substantial compliance burden. SMEs carrying out low-risk processing may comply by maintaining simplified records based on templates provided by data protection authorities. Furthermore, such records should be seen as a useful tool for SMEs to take stock of their processing activities.
Olivia is innovative platform has been specifically designed to facilitate GDPR compliance for small and medium-sized enterprises in Croatia and Italy. Olivia is currently available in Croatian, Italian, and English, tailored to the needs of Croatian and Italian SMEs.
Olivia is developed in an open-source code, and it allows all data protection authorities to customize it to their national legislation and language. New languages and modules can be easily integrated, meaning Olivia can be useful to SMEs and data controllers across the EU.
What sets Olivia apart is its comprehensive coverage of not only GDPR but also Croatian and Italian data protection legal frameworks, making it particularly valuable for our SMEs.
Olivia is an e-learning platform comprising 15 learning modules that address all GDPR obligations. Each module includes theoretical and practical components:
- Theoretical Part: SMEs can learn about GDPR basics, data protection impact assessment, lawful basis, data protection principles, technical and organizational measures, privacy policies, and more. Users can watch webinars, take tests, and upon achieving an 80% or higher score, receive a certificate of successful completion.
- Practical Part: SMEs can create essential documents to demonstrate compliance, including privacy policies, records of processing activities, legitimate interest assessments, data protection impact assessments, video surveillance rulebooks, personal data protection rulebooks, and information security guidelines.