First the good news, if you are a small business in the UK. The ICO has set up a new GDPR hotline, a telephone advice service for businesses with fewer than 250 people to help them with the new data protection laws. It goes live on the 1st November and will be based around the ICO’s existing helpline. The ICO has also announced plans to simplify its “12 steps to take now” guide to preparing for the GDPR, for small and micro businesses. The ICO says that the guide is currently the most popular document on the ICO website.
Recently I have seen a number of claims that GDPR doesn’t apply to companies under 250 people. This may come from one of two possible misunderstandings. Drafts of the GDPR limited the mandatory appointment of a data protection officer to organisations with more than 250 employees; however, the final regulation does not. GDPR does make specific mention of SMEs (and links to the European Commission’s definitions of them):
To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.
A “derogation” means an exemption or relaxation of the regulations. There is a very specific ‘exclusion’ defined elsewhere in the GDPR articles:
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
The “paragraphs 1 and 2” mentioned in Article 30 relate to keeping records of processing activities, so this isn’t really an exception, more a reduced record-keeping requirement. Also, the exception doesn’t apply if the data you are handling might pose a risk to the rights of the people it concerns, if you are processing data more than occasionally, or if it is special category data. As a reminder, special category data is anything relating to race, ethnicity, political opinion, religion, sexual orientation, (philosophical) beliefs, trade union membership, genetic data or biometric data. This covers what is often referred to as “diversity data”, and this usually has to be collected, even by SMEs.
There has been a move to add a clause to the draft of the UK’s Data Protection Bill that would mean the act would not apply to any organisation employing five or fewer people. We will see if that ends up in the final legislation. If it does, I suspect that it will raise eyebrows in other EU countries, and that any overseas customers would ask for full compliance with the regulations, so that they can meet their own obligations.
So, in short, it is unlikely that your business is exempt from GDPR even if it has fewer than 250 people. The ICO does have a number of resources available, starting with its self-assessment toolkit, as well as the new helpline. We have made a Compliance Milestone Plan available in the free edition of Milestone Planner, to help with your planning. If you would like access to this, do get in touch and we will add it to your plans list.