“GDPR compliance doesn’t apply to organisations of less than 250 people.”
Over the last few years, we have heard this statement so many times! But it is simply not true. A misreading of Article 30 has led to this rumour spreading.
There is an exception for individuals using data for purely personal or household activities. But that exception would never apply to someone using data in a business.
There are other exceptions in GDPR Article 2.2 (in essence for Government and law enforcement), but none of them completely exempt small businesses.
GDPR does apply to small businesses
Even a ‘one-man’ or ‘one-woman’ business has data protection obligations under GDPR.
GDPR applies to every organisation “processing personal data”.
It is most unlikely you can trade even a one-person business without collecting this sort of data. If you don’t know and record your customer’s name or email address, how could this work?
‘Personal data’ and ‘processing’ are defined terms, but together they mean: “doing anything with any information about an identifiable living person”.
That covers manual records, emails and much else, not just creating databases.
Exemption on record keeping
Article 30 requires people processing personal data to keep records of their processing activities and categories, and to make those records available to the supervisory authority on request.
If you are an organisation employing fewer than 250 people, you do not have to create these records except:
- if there could be a risk to the rights and freedoms of data subjects, or
- you are processing any ‘special categories’ of data (like health, sexual orientation and so on) or data about criminal convictions.
This applies equally to data controllers and data processors, so if you are viewing or handling special category or high-risk data such as financial data, you are not exempt, however small your business is.
Data subject access requests
There is no small business exemption to all the rest of the data protection rules, and no exemption to the need to respond to ‘data subject access requests’.
You might want to keep records anyway even if you are not specifically obliged to. You have a choice if you are a small business –
- keep the records as you go along (and you don’t have to worry that you are creating a problem for later) OR
- search through mounds of material – if you can – when you get a data subject access request.
Here is a link to a scary sample of a data subject access request under GDPR. How would you answer this if you were not keeping records?
The good news is a lot of mainstream software now enables you to respond to data subject access requests (and requests to remove). Check what your systems can do automatically and then decide if you need to do more than that. Not all systems are equally useful.
Sometimes it is easier to create a way of complying and just keep using it – rather than reverse engineer information when the need arises.
It all depends on your appetite for risk, your ability to respond quickly and create data, and how easily you can integrate this sort of thing into your business day-to-day.
GDPR compliance isn’t everything
You can view GDPR as a ‘tick the box’ compliance issue. Or take this opportunity to improve the way you communicate with people and make your business feel more trustworthy.
GDPR is progressively bringing the best of business etiquette into law.
We have been training micropreneurs on how to handle GDPR compliance for several years now.
Our accessible and practical online programmes help you learn and comply at the same time, and all come with group support and simple documents to help you on your way.
You can find out more about our low-cost, accessible programme here.