How does GDPR affect small companies?

Robert Mohns, UX Researcher
Posted on Feb 1, 2019

A colleague recently asked me how to implement “some kind of GDPR strategy.” Cheekily I replied, “Technically, doing nothing is a strategy.” But would you believe that’s actually true? Maybe only in certain circumstances, but if you’re a small company, you may be in luck.

The European Union’s General Data Protection Regulation (GDPR) may not apply to you if all the following are true:

  1. Your business has 250 employees or fewer, and
  2. You do not handle sensitive data, such as religious affiliation, and
  3. Your data processing does not affect the rights and freedoms of individuals.

If any of these conditions is not true for you, then you must comply fully with GDPR. Let’s dig into each of these.

1. Does your business employ fewer than 250 people?

If your organization has more than 250 employees, you have to comply with GDPR and appoint a Data Protection Officer (DPO). If it employs fewer than 250 people, your small business is (probably) in the clear.

Pro Tip: IT and Marketing people are not suitable DPOs. GDPR states the DPO must be free from conflict of interest. If you both govern data protection and define data processes, that is considered a conflict. So, no, your CTO can’t be your DPO. Sorry.

2. Do you handle sensitive data? Check this list.

If your data includes any of these, GDPR applies to you:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used to identify someone
  • Health information
  • A person’s sexual orientation or sexual activity

There are a few exceptions carved out, such as for certain non-profits, public health, customer service, or personal data “manifestly made public by the data subject” (think public tweets or public statements). This is where I refer you to your legal counsel.

3. Can you affect your users’ rights and freedoms, even by accident?

“Rights and freedoms” appears over and over throughout GDPR, starting with Article 1:

“This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

You may safely assume this is important, and that the EU considers individuals’ rights and freedoms to be more important than your business’s convenience.

Article 21 does include an exception, but it’s pretty narrow. You must show “compelling legitimate grounds… which override the interests, rights and freedoms of the data subject.”

In other words, you can try to persuade the enforcing agency or court. And every EU state has designated one or more authorities to monitor and enforce GDPR, any of which may investigate you. (See Chapter VI, Section 1.) Good luck with that.

There is no “Get Out of Jail Free” card

So, you are a small organization, handle no sensitive data, and what data you do use can’t affect anyone’s rights and freedoms. Great. You’re still not out of the woods.

Processing data is only legally allowed when specific conditions are met. This means anything else is illegal.

Acceptable reasons for data processing:

  1. The subject has consented, or
  2. To fulfill a contract or to enter into a contract, or
  3. To comply with a legal obligation related to the subject, or
  4. To protect the “vital interests” of a person, or
  5. To perform a task in the public interest, or
  6. It’s necessary by the “legitimate interests” of the controller (definitely talk to your attorney about this one)

Any other reason? Not okay.

By now you’re probably wondering if you can get out of GDPR by simply not doing business in the EU. That’s a little more complex. If you have no customers in the EU, do not market to EU citizens, and do not transmit data to or from the EU, then you may not have to worry. Once again, I refer you to your legal counsel.

The usual disclaimers apply: I’m not a lawyer and you should talk to your attorney. (If you need to talk to one, I can recommend several experienced firms.)

Further Reading