The General Data Protection Regulation (GDPR) applies to any organisation that processes the personal data of people in the EU, whether the organisation is based in the UK, Romania or even Australia. It applies to organisations of every size, from sole traders, microbusinesses and other small and medium enterprises (SMEs) to large multinationals. Basically, if you collect, record, store, use or disclose personal data for your own business purposes or on behalf of another organisation, GDPR applies to you.
Are there ways in which GDPR is different for small businesses?
There’s one main difference in what is required of small and medium enterprises (SMEs): Records of Processing Activities (Article 30 of the GDPR). This set of records is a detailed list of what you do with personal data, how you control it and who is responsible for managing compliance in your company.
If you’re a small business (GDPR sets the threshold at fewer than 250 employees), GDPR states that you don’t need to keep these records of how you process people’s data unless (and this is where the problem lies…):
Your processing is likely to result in a risk to the rights and freedoms of “data subjects” (the people whose data you’re processing);
Your processing is not occasional;
Your processing includes “special category” data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or sex life or sexual orientation; or
Your processing includes information on criminal convictions and offences.
Unfortunately, we feel this list cancels out much of the exemption that Article 30 might offer small businesses! Firstly, there’s little clear guidance for small businesses on how much people’s ‘rights and freedoms’ must be affected before the processing counts as a risk. Secondly, ‘occasional’ means that data is only processed rarely or as a one-off, which wouldn’t cover the day-to-day operations of any normal business, however small. Thirdly, small companies might need to use ‘special category’ information, particularly health-related information, to safeguard employees’ welfare at work. Finally, we think it’s pretty hard to work out how to properly protect the personal data you use and meet the wider requirements of GDPR without writing a few things down!
GDPR is not just about customer or client data: employees’ personal data and details of suppliers and other contacts are also covered by the legislation. Given the wide scope of GDPR, it is unlikely that any organisation operating in the EU or selling products or services to people in the EU can say that GDPR doesn’t apply to them.
Help is at hand though. Developed with small businesses in mind, our secure online platform shows you what you need to do, and gives you the tools and information you need - all broken down into practical, manageable steps, to remove the fear factor of GDPR. Find out about our services.
Protect your business - become and remain GDPR compliant with Astrid