GDPR for Small Businesses Under 250 Employees
Despite the breadth of the EU General Data Protection Regulation (GDPR), there is no small business exemption. Companies with fewer than 250 employees still need to comply with most of the GDPR.
Since the calendar has just turned to May and the enforcement date is right around the corner, many small and medium-sized enterprises (SMEs) that sell to individuals in the EU or collect data on them now face the problem of GDPR compliance. We thought we would take a quick look at how the obligations apply, or do not apply, to small businesses.
Article 30 – Recordkeeping
This is the one area where the GDPR is explicitly different for businesses under 250 employees. Article 30(5) exempts an enterprise or organization employing fewer than 250 persons from the obligation to maintain records of processing activities. The exemption is narrow, however: it does not apply if the processing is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if the processing includes special categories of data under Article 9(1) or personal data relating to criminal convictions and offences under Article 10.
In practice, this means that even with fewer than 250 employees you must still hold internal records of your processing activities where the processing could put somebody's rights and freedoms at risk, where the data relates to criminal convictions or falls within the special categories listed in Article 9, and where the processing is regular rather than occasional. Because the "not occasional" condition captures routine processing such as payroll, HR and customer records, many small businesses will find they need records for at least some of their processing.
Article 37 – Data Protection Officer
Businesses that are not public authorities, and whose core activities do not involve large scale processing of the personal data listed in Article 9 or Article 10, do not need to appoint a data protection officer (DPO, whether in-house or DPO as a Service) unless their core activities require regular and systematic monitoring of data subjects on a "large scale".
An early draft limited the DPO requirement to companies with more than 250 employees or the processing of more than 5,000 personal data records. The final version contains no such numerical threshold and applies to all businesses whose core activities involve large scale monitoring. Nevertheless, the precise language chosen ("core activities", "large scale") means that in practice many small businesses will fall outside the requirement.
So what is "large scale" processing? The Article 29 Working Party has noted that the GDPR does not define what constitutes large scale processing. Instead, it recommends considering multiple factors around the processing, including the number of data subjects concerned, the volume of data and the range of data items, the duration or permanence of the processing, and the geographical extent of the processing. If a small business can conclude that it is not engaged in large scale processing, then it does not need to appoint a DPO for its organization, although it should document the analysis that led to that conclusion so it can demonstrate it to a supervisory authority if asked.
Article 25 – Privacy by Design
Although the GDPR privacy by design requirement does not have a small business exemption, Article 25 does entitle the organization to take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing when deciding which technical and organizational measures to put in place to provide data protection by design and by default.
Article 32 – Security of Processing
The GDPR's security of processing requirement is similar to the privacy by design requirement. Article 32 lists the "costs of implementation" and the "scope" of processing among the factors controllers and processors weigh when selecting measures, alongside the state of the art and the risks to individuals. As a result, small businesses may be able to meet the obligation with less elaborate and less costly measures than large organizations. The standard remains that the measures must be appropriate to the risk: cost is a factor in choosing controls, not a waiver of them, and the article's own examples (pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience, the ability to restore access after an incident, and regular testing of the measures) apply regardless of headcount.
Article 35 – Data Protection Impact Assessments
GDPR Article 35 on data protection impact assessments (DPIAs) identifies the "nature, scope, context and purposes" of processing as areas to consider when determining whether a DPIA is required. As a result of this language, the size of the processing can be one factor in determining whether it is likely to result in a high risk to the rights and freedoms of natural persons. Regardless of the size of the business, organizations which have any doubt as to whether a DPIA is required should carry out the assessment.
Since the GDPR does not have a small business exemption or carve-out, organizations with fewer than 250 employees will still need to comply with the majority of the law's requirements. They will need to identify a lawful basis for processing; obtain informed consent from users where no other lawful basis is available; provide transparency to users about their data collection, usage and sharing (often through layered privacy notices with just-in-time notice); and fulfill data subject access requests. Even under the articles identified above, where the obligations of large and small businesses may differ, SMEs will still need to improve their data privacy and protection efforts.
Discover the Benefits of Privacy Management Software with Clarip
The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.
If California Consumer Privacy Act compliance in 2020 is on your radar, ask us about our CCPA software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.
More Blog Posts on GDPR:
No Further Grace Period for GDPR Enforcement
The 10 Key Requirements of the GDPR
Germany Demands More From Facebook on GDPR
GDPR Article 30: It’s all about the documentation
Security Requirements Under GDPR: More Than Meets the Eye