As a small business, do I need to comply with GDPR?

The following article addresses a number of key questions around how GDPR applies to smaller organisations.

As a small business, do I need to comply with GDPR?

You do. There’s some unofficial guidance floating about online suggesting you don’t, but they’re wrong. Both the EU’s legislation and the Information Commissioner’s Office (the UK’s data watchdog responsible for enforcing GDPR) clarify that the new data protection measures apply to everybody.

The bit these guides seem to get confused about is Article 30, which in the final draft of the legislation states that there’s a difference between the types of records SMBs and larger firms must keep.

If you have fewer than 250 employees, GDPR means you must hold internal records of your processing activities, where the data being processed could risk somebody’s rights and freedoms, or where that data relates to criminal convictions and offences.

Those with more than 250 employees must keep more detailed records, specifically: the name and details of your organisation, your data protection officer, why you’re processing the data, a description of the types of individual and categories of their personal data, as well as categories of recipients of this data, details of any foreign transfers of that data outside the EU including documentation proving that data will be safeguarded abroad, retention schedules, and a description of your technical and organisational security measures.

You might still need to record all of those extra facets above if you’re an SMB. In fact, you’re only exempt from these extra record keeping duties if you process personal data of EU residents only occasionally.

The regulation states that these extra record keeping duties will apply to an SMB if “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data … or personal data relating to criminal convictions and offences referred to in Article 10.”

Do I need a data protection officer?

Yes, you might. While an earlier draft of GDPR limited the appointment of a data protection officer to organisations with more than 250 employees, there’s no such bar now.

Instead, the factors behind whether or not you need such an officer are based on what data you collect. If your central purpose requires “regular and systematic monitoring of data subjects on a large scale” then you must appoint a data protection officer.

You must also appoint one if you collect records of criminal convictions, or ethnicity, religious or philosophical beliefs, political opinions, trade union membership details, health, sex life, or sexual orientation data on a large scale.

The EU does state that “a group” may employ one data protection officer between them, as long as the officer is readily available to each organisation.

The data protection officer is there to “inform and advise” on data collection practices and monitor compliance, as well as acting as the point of contact with the data protection authority, which in the UK is the Information Commissioner’s Office.

What fines must I pay for getting it wrong?

The fines that can be levied under GDPR are potentially huge. Currently the ICO can only fine a firm up to £500,000 for a breach, and the highest it’s actually gone is £400,000 which was levied upon TalkTalk following a major data breach. When the new data protection rules apply, organisations face fines of up to 2% of their annual turnover or €10 million, whichever is higher, for infringing GDPR’s code of practice. For actual breaches of people’s personal data, that rises to 4% of turnover or €20 million, whichever is higher.

The “whichever is higher” is the key phrase for SMBs, who could be financially ruined by a data breach, meaning the risks are just as big – if not bigger – than for a multinational enterprise that could absorb the penalty in its next financial quarter without too much of an impact on its stock price.