“GDPR compliance doesn’t apply to organisations of less than 250 people.”
Over the last few years, we have heard this statement so many times! But it is simply not true. A misreading of Article 30 has led to this rumour starting to spread.
There is an exception for individuals using data for purely personal or household activities. But that exception would never apply to someone using data in a business.
There are other exceptions in GDPR Article 2.2 (in essence for Government and law enforcement), but none of them completely exempt small businesses.
GDPR does apply to small businesses
Even a ‘one-man’ or ‘one-woman’ business has data protection obligations under GDPR.
GDPR applies to every organisation “processing personal data”.
It is most unlikely you can trade even a one-person business without collecting this sort of data. If you don’t know and record your customer’s name or email address, how could this work?
‘Personal data’ and ‘processing’ are defined terms, but together they mean: “doing anything with any information about an identifiable living person”.
That means manual records, and emails and lots of things, not just creating databases.
Exemption on record keeping
Article 30 requires people processing personal data to keep records of their processing activities and categories, and to make those records available to the supervisory authority on request.
If you are an organisation employing fewer than 250 people, you do not have to create these records except:
- if there could be a risk to the rights and freedoms of data subjects, or
- you are processing any ‘special categories of data’ (like health, sexual orientation and so on) or data about criminal convictions.
This applies equally to data controllers and data processors, so if you are viewing or handling special category or high-risk data such as financial data, you are not exempt however small your business is.
Data subject access requests
There is no small business exemption to all the rest of the data protection rules, and no exemption to the need to respond to ‘data subject access requests’.
You might want to keep records anyway even if you are not specifically obliged to. You have a choice if you are a small business –
- keep the records as you go along (and you don’t have to worry that you are creating a problem for later) OR
- search through mounds of material – if you can – when you get a data subject access request.
Here is a link to a scary sample of a data subject access request under GDPR. How would you answer this if you were not keeping records?
The good news is a lot of mainstream software now enables you to respond to data subject access requests (and requests to remove). Check what your systems can do automatically and then decide if you need to do more than that. Not all systems are equally useful.
Sometimes it is easier to create a way of complying and just keep using it – rather than reverse engineer information when the need arises.
It all depends on your appetite for risk, your ability to respond quickly and create data, and how easily you can integrate this sort of thing into your business day-to-day.
GDPR compliance isn’t everything
You can view GDPR as a ‘tick the box’ compliance issue. Or take this opportunity to improve the way you communicate with people and make your business feel more trustworthy.
GDPR is progressively bringing the best of business etiquette into law.
We have been training micropreneurs on how to handle GDPR compliance for several years now.
Our accessible and practical online programmes help you learn and comply at the same time, and all come with group support and simple documents to help you on your way.
You can find our low-cost accessible programme. Find out more here.
This Post Has 13 Comments
Dear Christopher
I have been scouring the web looking for advice on GDPR. Having read your blog “Is there a small business exception for GDPR?” I was relieved to find it easy to understand and not full of legal jargon that seemingly swamps every other site I have looked at so far. We have only 3 directors in our company and we are the only employees. However, the threat of large fines for non-compliance has given me a lot of worry. I look forward to further updates which I have just signed up for.
Kind regards and thank you for being user friendly.
Helen
Glad you are finding our work helpful. We are writing a weekly column for estate and letting agents in Estate Agents Weekly. With all that tenant related data it can be a lot to take on board.
Will this apply after we leave the EEC?
I am a solo trader with an address list of European clients.
Regards
Bob Lee
Good question.
GDPR applies worldwide to anyone collecting or using data about EU citizens. So our membership or departure from the EU is not an issue in terms of applicability. What remains to be seen as a result of the final deal is whether the EU regard the UK as a safe destination for EU data or whether like the USA they will require some additional safeguards such as the data privacy scheme. Seems unlikely but you never can tell. If we decide to go backwards from GDPR this may trigger such a step.
Hope this answers your question.
I was wondering if you could clarify people’s right to be forgotten.
If a customer has a sales record on your eCommerce site, how long can you keep that record before having to legally delete it.
Your data retention period is something you have to assess on the basis of your business model, the information you are collecting and why and what ‘lawful processing’ category you are collecting it for. We did a one hour webinar for this for our GDPR groups, so a short reply is not a detailed one!
If you are retaining information in order to make proper records of the financial transaction, you need to keep them as long as HMRC require you to. Your purpose here would be to comply with a legal obligation on you to keep those records.
If you are retaining more than financial information (i.e. what you sold) to support your product liability or insurance you need to check with your insurers to see what period they require. If you are not carrying insurance of any kind (I do hope you are) you will want to look at the limits for personal-injury and/or professional negligence. I don’t know what you do so I can’t get further with that one. If that is your stated purpose upon collection you will need to keep sufficient information to support that.
Neither of these necessarily mean keeping a complete record (I don’t know what you collect in your e-commerce site or what you sell).
If a customer says I want to be forgotten, you obviously need to remove them from your email marketing lists, but you can’t remove all evidence that you ever invoiced them or sold them anything. To that extent, the right to be forgotten is always going to be tempered by your legal obligation to keep records and your legitimate interest in protecting your business from later claims. You may be able to partially forget them and then later on completely forget them, but not all at once.
It is legitimate to have more than one data retention period and this is a piece of work you need to do to decide what your purpose for collecting particular item(s) of data is and how long you really need to keep them for. I can’t give you a universal tariff.
Hope that helps. If you’d like to know more about our KoffeeKlatch GDPR groups check https://www.koffeeklatch.co.uk/gdpr-support/.
I am not sure how the GDPR legislation could affect us.
We are taking back the management of the freehold for some 30 flats. Of these flats 28 of the leaseholders are also freeholders (under guarantee), therefore part of the company. We have their names, addresses and contact details kept electronically, and we are going to be billing and receiving payments from them for the service charge. We also keep an emergency register of email addresses for any tenants they have. What do we need to do to be compliant? Thank you Claire
The leaseholders’ names and addresses and contact details are personal data within the meaning of GDPR and the DPA (Data Protection Act). You need a legitimate reason to keep it (you have one: the performance of your contractual obligations with the leaseholders), so you don’t need to rely on consent. You need to keep the information securely, for no longer than you need, and you should not share it with people who are not your employees. You should have a data security policy and you should make sure everyone knows what it is and make sure you and your team comply with it. I assume you are not keeping any of this information outside the UK but your accounts package and CRM may do so, so you should check. If the information is held outside the EU you need to let people know.
Hi Annabel & Team,
I hope you can help because this GDPR is so confusing for the small business owner!
I own a small car repair garage with 3 employees and my question is: can I send out real letters (MOT reminders) via Royal Mail to previous customers’ home addresses?
We even sent out real Xmas cards in the post years ago, can you still do that under GDPR regulations?
Thanks in advance for your advice 🙂
Yes, of course, you can send reminders to previous customers and you don’t need consent to do this. But you do need to give them some way to ask you to stop. As long as you do that (and honour their requests to stop) you will be fine. I rely on my local garage to remind me!
If you are sending Christmas cards out to customers then, of course, it is not a problem.
The whole thing has got a bit over-complicated by people trying to make it more complicated than it is. Where you need consent is when you are putting prospective customers onto a mailing list (such as Mailchimp etc).
Hope this helps. Sorry it took a while to respond. Let me know how you are doing.
Yes you can send out MOT reminders to customers and ex-customers. Just stop if one individual asks you to stop. Similarly with Christmas cards.
If you are sending stuff to prospective customers who have never traded with you by mailchimp or something similar you will need their consent.
Can you help? I run a small vegetable delivery business. I have 20 customers and hold their names, addresses, national insurance numbers and telephone numbers. I don’t have a website, and only share their details with my accountant. I send out invoices on a daily basis. Do I need to get consent from my customers to hold their information on my computer?
There are 6 lawful bases for collecting or holding information on individuals. I do not advise you to use consent for customer data. If you go with consent, then if consent is withdrawn you have to remove the data. That would be awkward if you had invoiced them and they had not paid.
Depending on exactly which bits of information about the customer you are talking about you could be holding it for:
a) legal reason – you are legally obliged to. (the tax man makes you for example)
b) contract reasons – you need this to create or fulfil a contract, which in your world is a sale or delivery
c) legitimate interest (with an appropriate impact assessment).
I can see no reason however why you should be collecting national insurance numbers for customers, as they are not your employees and none of the reasons above means you need to. I advise you to do a simple and quick data audit and mark up each item of information you collect and see what you need it for under a) to c) above.
Chances are, unless you run an email marketing list, you will not be going on the basis of consent. Only pre-sales would be on this basis. You need consent to add them to a mailing list such as mailchimp.
The other lawful bases are:
d) Consent – freely given and with transparency (usually for marketing and sales stages only)
e) Vital interests – eg to save their life – not likely for you
f) Public interest – not relevant unless you are a public body or a journalist.
I hope this helps. If you need support with your GDPR we offer group support (and a data privacy policy) if you want to take this further. https://www.koffeeklatch.co.uk/gdpr-support/ Don’t get yourself all turned around and complicated. It is not that bad unless there is something unusual about your business.