Artificial intelligence is beginning to make its way into companies, and its effects on the world of work keep growing. Scholars and institutions have, for some time, been giving deep thought to the influence of new technologies on the world of work: the use of management algorithms, machine learning, and even the metaverse. Reality will be changed and become mostly virtual. In this process, we need to reflect on the role that SMEs will play with regard to new technology. In this context, data is and will be of increasing importance. This is why it becomes necessary to investigate data strategy and data protection in SMEs. Artificial intelligence feeds on data, so in this discourse it is also necessary to analyse the data protection regulation from this perspective.

The European Commission’s Recommendation 2003/361 defines small and medium-sized enterprises (SMEs) as companies whose workforce and economic weight are below certain limits[1]. There are over 23 million SMEs in the European Union (EU), accounting for 99 % of all enterprises and two out of every three jobs in the private sector. For these reasons, they are defined as a key driver of the economy[2].

However, despite their great importance, SMEs differ from large companies in terms of organisation and resources, both human and economic. This has always led institutions and authorities to reserve simplification measures for SMEs.

In the draft regulation on artificial intelligence, the European Commission includes its commitment to simplification measures. The European Data Protection Regulation also provides for an obligation for member states to make simplifications for SMEs.

Recital 13 of the GDPR provides a derogation for organisations with fewer than 250 employees with regard to record-keeping.

Such measures have already been considered by the Data Protection Authorities. For instance, the Italian one has already issued simplification measures for SMEs.

However, these considerations must be taken with the effects of AI in mind. The impacts of artificial intelligence will affect everyone, including SMEs. Currently, there are two main regulations against the risks of artificial intelligence. The first, the Artificial Intelligence Regulation, is still in the form of a proposal. The second, the GDPR, has been intended to dictate legislation adaptable to new technologies since its entry into force (see for example art. 25). Intelligent machines interact only through data, so an enabling measure for successful protection will start with data protection.

Based on this belief, the importance of IT security must be included. Intelligent systems work by connecting to the Internet; hence the centrality of cybersecurity as an additional enabling measure for successful data protection.

With regard to the protection of personal data, the GDPR provides several rules applicable to automated decision-making systems. Artificial intelligence is a good example of an automated decision-making system, as it is able to make decisions without human intervention.

The rights that Article 22 and other articles of the GDPR provide for the data subject must be exercised in the context of small and medium-sized enterprises, which, as we have seen, are recipients of simplification measures. Moreover, trade union representatives are not always present in SMEs. As a result, those responsible for protection cannot support the employee in exercising his or her rights.

So the first question that arises is about simplifications for SMEs and the effects of artificial intelligence. If it is true that the problems of artificial intelligence will affect everyone in the market (and therefore also every employee), how can simplifications be achieved?

Trade associations of entrepreneurs and trade union representatives will play a key role in this perspective.

The structural difference of SMEs in terms of both organisation and resources requires that we look at the real implications of AI in the context of small and medium-sized enterprises. The set of measures required by the GDPR presupposes a virtuous compliance system that cannot be recognised in and with simplification measures.

It will be appropriate to reconsider business classification systems starting from a fundamental element: digitalisation brings together economic operators in terms of problems and protection needs. The European legislator has already started this process with regard to the issue of cyber security with the NIS 2 Directive[3], which extended cyber security obligations to medium-sized companies, which were excluded from the NIS 1 Directive. The GDPR itself provides for security measures without specifically stating which measures are to be applied, with the exception of encryption and pseudonymisation, which are expressly referred to in Article 32 of the GDPR. For further measures, however, Article 32 of the GDPR indicates the objectives to be achieved, but not the method of achieving them. This approach is typical of the accountability principle in Article 5 of the GDPR, which clashes with the need for simplification of the SMEs themselves, which need precise indications.

Further, the ENISA report shows how one of the main causes of cyber incidents is related to the lack of technological preparedness of workers. In addition, the sector that suffers most is the SME category where skills and resources are lacking.

The above gives rise to several reflections regarding the future of AI in SMEs, or rather, the future of SMEs due to AI. It is necessary to think about the current differentiation of requirements for SMEs from the point of view of the common effects of AI in the labour market. It will be crucial to investigate the effectiveness of the current classification given the technological challenges. But before that, it will be necessary to provide qualified support to small and medium-sized enterprises in terms of specific training. This will be necessary both to ensure the exercise of employees’ rights and to ensure the business continuity of SMEs, enabling them to access the market with new technologies. In this process, training will play a central role. Training will have to concern employees as well as trade union representatives and employers’ representatives. In my opinion, the development will only continue if there is a dialogue between these parties for the creation of a mutual value of protection for employees and growth for the company.

Courtesy of: Chiara Ciccia Romito, PhD Candidate LSI, University of Modena and Reggio Emilia, Marco Biagi Foundation


[1] A medium-sized enterprise has up to 250 employees, a turnover of up to EUR 50 million and a balance sheet total of up to EUR 43 million; a small enterprise has up to 50 employees and a turnover or balance sheet total of up to EUR 10 million; a micro enterprise has up to 10 employees and a turnover or balance sheet total of up to EUR 2 million.

[2] https://eur-lex.europa.eu/IT/legal-content/glossary/small-and-medium-sized-enterprises.html.

[3] The review of the NIS 1 has shown that it has served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way for a significant change in mind-set. That Directive has ensured the completion of national frameworks on the security of network and information systems by establishing national strategies on security of network and information systems and establishing national capabilities and by implementing regulatory measures covering essential infrastructures and entities identified by each Member State. Directive (EU) 2016/1148 has also contributed to cooperation at Union level through the establishment of the Cooperation Group and the network of national computer security incident response teams. Notwithstanding those achievements, the review of Directive (EU) 2016/1148 has revealed inherent shortcomings that prevent it from addressing effectively current and emerging cybersecurity challenges. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555