While many regulations are highly prescriptive in telling regulated entities what to do and how to do it, the General Data Protection Regulation (GDPR) only sets out data protection principles (GDPR, Art. 5) that must be respected to ensure compliance. This compliance regime implies a liability shift between the regulator and regulated entities, the latter becoming “responsible for, and be able to demonstrate compliance with, [data protection principles] (‘accountability’)” (GDPR, Art. 5.2). It is then up to the regulated entities, such as SMEs, to demonstrate that they have implemented effective and “appropriate technical and organisational measures to ensure […] that processing is performed in accordance with [GDPR]” (GDPR, Art. 24.1).
Complying with the GDPR therefore requires companies handling personal data (i.e. controllers or processors) to demonstrate the appropriateness and effectiveness of the organisational and technical measures they have implemented to meet data protection requirements.