Is there a small business exception for GDPR?

“GDPR doesn't apply to organisations  of less than 250 people.”

A misreading of Article 30 has led to this rumour starting to spread. There is an exception for individuals using data for purely personal or household activities.

There are other exceptions in GDPR Article 2.2 (in essence for Government and law enforcement), but the ‘household’ exception is the one that we are all likely to need!

GDPR does apply to small businesses

Even a one-person operation has data protection obligations.
GDPR applies to everyone who is “processing personal data”.

It is most unlikely you can trade even a one-person business without collecting this sort of data.  If you don't know and record your customer's name or email address, how could this work?

'Personal data' and 'processing' are defined terms, but together they basically mean: "doing anything with any information about any identifiable living person". 

​Limited exemption on record keeping for small business

The idea of "not applying to organisations of fewer than 250 people" comes from a misreading of Article 30 GDPR. Article 30 requires people processing personal data to keep records of their processing activities and categories, and to make those records available to the supervisory authority on request.

If you are an organisation employing fewer than 250 people, you do not have to create these records except if there could be a risk to the rights and freedoms of data subjects, or you are processing any ‘special categories’ of data (like health, sexual orientation and so on) or about criminal convictions.

​Watch out for data subject access requests

There is no small business exemption to all the rest of the data protection rules, and no exemption to the need to respond to 'data subject access requests'.

You have a choice if you are a small business - keep the records as you go along (and you don't have to worry that you are creating a problem for later) OR search through mounds of material - if you can - when you get a data subject access request.

Here is a link to a scary sample of a data subject access request under GDPR.  How would you answer this if you were not keeping records?

Sometimes it is easier to create a way of complying and just keep using it - rather than reverse engineer information when the need arises.

It all depends on your appetite for risk, your ability to respond quickly and create data, and how easily you can integrate this sort of thing into you business day to day.

GDPR risks/compliance aren't the whole story

It's always a nuisance when something changes.   We tend to like the way things are now - particularly if it involves effort and expenditure to change and it wasn't our idea.

You can view GDPR as a 'tick the box' compliance issue.  Or take this opportunity to improve the way you communicate with people and make your business feel more trustworthy.

GDPR is bringing the best of business etiquette into law.   For some that is not going to be a big change.  For others it is going to be a lot of work.  

If you'd like to know more about GDPR and hear about our new GDPR support groups as they form - sign up for our GDPR updates at the top of the page.



Christopher Head

Christopher has spent his life helping business owners manage and contract the people they pay, and deal with legal risk. His focus is on creating contracts and relationships that work for your business, and giving you a full set of tools for tackling problems swiftly and economically. Christopher qualified as a barrister before co-founding Irenicon (a specialist HR and employment law practise) in 1980. He has also worked as company secretary and legal counsel in an international public company.

Click Here to Leave a Comment Below

Leave a Comment: