Businesses are starting to panic as they try to comply with the General Data Protection Regulation (GDPR) before the May 2018 deadline. Many even believe that the GDPR won’t apply to them because they have fewer than 250 employees. Our small business guide to the GDPR should help clarify some of the key factors affecting SMEs.
Does it apply to me?
Any organisation, regardless of size, that regularly processes EU residents’ personal data must comply with the Regulation. However, SMEs may be exempt from the more rigorous steps.
Article 30, for example, states that the Article (which relates to the documentation controllers and processors must keep regarding data processing) “will not apply to small businesses except if the processing results in a risk to the rights and freedoms of data subjects, processing is not occasional, or the processing includes special categories of data as referred to in article 9, or personal data relating to criminal convictions and offences.”
This means you might not need the extensive documentation that larger organisations are required to keep. Nevertheless, you may find that your suppliers or customers will require you to have such documentation within their new GDPR-compliant contracts, so having it may give you a competitive advantage.
Data protection officers
The GDPR stipulates that certain organisations must appoint a data protection officer (DPO). There isn’t an exception for small businesses, so if you fall into the following categories, you’ll need a DPO:
- You are a public authority (except for courts acting in their judicial capacity).
- You carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking).
- You carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
The good news is, you aren’t obliged to hire a full-time employee for this role. You can have someone who performs this alongside other duties (if they aren’t processing data and don’t have a conflict of interest), you can share a DPO with other organisations, or you can outsource the role entirely. It may seem a daunting and expensive prospect, but there are cost-effective options out there for SMEs.
For more information about the GDPR and basic steps on how to achieve compliance, visit our website.
March’s book of the month, EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide, is a perfect companion for those managing a GDPR compliance project, providing clear and comprehensive guidance and practical advice on implementing a compliance framework.
This bestselling guide provides a detailed commentary on the GDPR, explains the changes you need to make to your data protection and information security regimes, and tells you exactly what you need to do to avoid severe financial penalties.