We’ve heard from a lot of companies recently that were surprised to learn that the EU General Data Protection Regulation (GDPR) applies to them. The Regulation, which takes effect in May next year, is huge in scope, unifying data protection laws across the EU. Its scale has led to many companies presuming that it only applies to companies that process large volumes of personal data. However, depending on a handful of factors, no matter what size a company is, it may be subject to the Regulation’s requirements. Here are a handful of questions to determine whether you need to pay attention to the GDPR:
Do you process EU residents’ personal data?
If you do, then the GDPR probably applies to you.
It doesn’t matter whether you are based in an EU state or not – if your company processes, stores or transmits personal data belonging to EU residents, then you will almost certainly be required to comply with it.
Are you engaged in economic activity?
The one caveat is that the GDPR does not apply to people processing personal data in the course of exclusively personal or household activity. This means you wouldn’t be subject to the Regulation if you keep personal contacts’ information on your computer or you have CCTV cameras on your house to deter intruders.
To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity. You must be careful not to mistake business conducted from home for household activity.
Does your organisation have fewer than 250 employees?
The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, but it makes some exceptions for organisations that have fewer than 250 employees.
The Regulation acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations. For example, Article 30 of the Regulation states that organisations with fewer than 250 employees are not required to maintain a record of the processing activities under their responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”.
For more information on the GDPR and how it applies to your organisation, download our free green paper EU General Data Protection Regulation – A Compliance Guide. It covers:
- What the GDPR is;
- The key changes introduced; and
- The scope and impact of the GDPR.