My personal thoughts after listening to C-level executives at the CxO Roundtable Series sponsored by Intel, IBM, HyTrust & ReedSmith. For an invite, please reach out to me.
There’s a prevailing idea amongst small and medium sized organization with fewer than 250 employees (SME’s) that certain parts of the GDPR may not apply to them, specifically, Article 30 of the regulation which focuses on organizations larger than 250 employees. While it’s true that SME’s pose a smaller privacy risk to personal data, the GDPR still aims to secure the collection, storage and usage of personal data regardless of organization size. The good news for SME’s is that Article 30 does reduce the obligations if you have fewer than 250 employees.
With regards to SME’s, the reduction in these obligations applies to documenting your data processing activities. According to Article 30, “The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.” The paragraphs which are referred to as “paragraphs 1 and 2” refer to the obligations of the Data Controller and Data Processor. The broad wording of Article 30 lends itself to broad interpretation.
However, the good news for SME’s is that the GDPR includes an exemption to documenting. This maybe be the reason why there is a prevailing misconception that the GDPR doesn’t apply to SME’s. However, SME’s have to comply with the GDPR under certain circumstances. For example, where the processing includes data relating to criminal convictions or includes special categories of data such as racial or ethnic origin (refer to my post on Sensitive Personal Data). The records held by businesses must be kept in writing, including electronically, and be made available to a supervisory authority on request (in the UK the supervisory authority is the Information Commissioner’s Office).
The GDPR still has a bit of vagueness to it but it’s meant to put organizations on notice that the privacy of EU personal data should be taken seriously. Simply because your company is an SME doesn’t mean you’re in the clear. The GDPR comes with harsh penalties and individuals can sue you for compensation to recover both material damage and non-material damage, like distress, so be on alert!