We’ve heard from a lot of companies recently that were surprised to learn that the EU General Data Protection Regulation (GDPR) applies to them. The Regulation, which takes effect on 25 May 2018, is huge in scope, unifying data protection laws across the EU. Its scale has led many companies to presume that it only applies to organisations that process large volumes of personal data. In fact, depending on a handful of factors, a company of any size may be subject to the Regulation’s requirements. The following questions will help you determine whether you need to pay attention to the GDPR:
Do you process EU residents’ personal data?
If you do, then the GDPR probably applies to you.
It doesn’t matter whether you are based in an EU state or not. If your company is established in the EU, the Regulation applies to its processing of personal data regardless of where that processing takes place. If your company is established outside the EU, the Regulation still applies (under Article 3(2)) where you process, store or transmit personal data of people in the EU in connection with offering them goods or services, whether or not payment is required, or with monitoring their behaviour within the EU. Most companies with EU customers, users or website visitors will fall into one of those two groups, so you will almost certainly be required to comply.
Are you engaged in economic activity?
The one caveat is that the GDPR does not apply to people processing personal data in the course of exclusively personal or household activity (Article 2(2)(c)). This means you wouldn’t be subject to the Regulation if you keep personal contacts’ details on your home computer or use CCTV cameras around your house to deter intruders.
That exemption is narrow. Outside it, the Regulation applies to any controller or processor regardless of legal form, including public authorities, charities and sole traders. Article 4(18) defines an “enterprise” as a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity. Be careful not to mistake business conducted from home for household activity: a freelancer’s client list or a home-based shop’s customer records are business processing, not personal use.
Discover more about the GDPR in our free green paper, EU General Data Protection Regulation – A Compliance Guide
Does your organisation have fewer than 250 employees?
The GDPR expects small and medium-sized enterprises (SMEs) to comply with the Regulation in full, but it makes a limited exception for organisations that employ fewer than 250 people.
The Regulation acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations. Article 30(5) states that an enterprise or organisation employing fewer than 250 persons is not required to maintain a record of processing activities under its responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”. In practice this exemption is narrower than it looks: routine activities such as payroll, HR and customer records are not “occasional”, so most small organisations still need to keep records of processing for at least part of what they do.
So, does the GDPR apply to you?
If you’ve now realised that the GDPR applies to your organisation, the next step is to find out what your obligations are and how you can achieve compliance.
Our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course provides a comprehensive introduction to the GDPR and helps you understand its implications and legal requirements for organisations of all sizes.
The course is delivered by an experienced data protection practitioner and is ideal both for managers who are already involved in data protection and for individuals who want to get started in the field.