What does the GDPR mean for SMEs?
The General Data Protection Regulation (GDPR) is set to change the foundations of many organisations as they apply the changes needed to bring themselves into line with the new regulation.
The impact on small businesses.
If you are an SME or a sole trader working from home, the moment you undertake commercial activities you are likely to come under the auspices of the GDPR; in fact, the new law defines an enterprise as any ‘legal entity engaged in economic activity’.
The GDPR expects SMEs to comply in full with the new law, and there is an expectation that they manage their data and data processes in much the same way that larger, better-resourced businesses do. SMEs will be expected to reflect on the risks their practices pose to the privacy of their subscribers and to adopt practices which do not carry unnecessary risks to privacy. SMEs are also expected to square their interests with the rights of clients or subscribers (data subjects) and to provide evidence that they have taken these into account in any decision-making process.
The GDPR does, however, contain some exemptions for SMEs, along with certain other references specific to SMEs, which appear to acknowledge the smaller risk that SMEs may pose to the privacy of UK and EU citizens compared with larger organisations.
Does my SME need a DPO?
If you are a public body you are required to have a Data Protection Officer (DPO), but unless your SME's core activities consist of processing operations the ‘purpose, scope or nature of which involve systematic monitoring of data subjects on a large scale’, or unless ‘your core activities consist of processing on a large scale special categories of data’, it appears unlikely that you will fall under any mandatory obligation to have a DPO.
That doesn’t mean SMEs can ignore this provision: the GDPR not only sets out a mandatory requirement on who has to have a DPO but also sets out the role, tasks and qualities that any DPO should have and undertake. In other words, every SME should have a DPO to manage compliance and the tasks set out within the GDPR. It is as yet unclear which activities should be considered “core”, and just how large “large” is. For example, if you’re a small thingy maker, and your main activity is making things, then there is probably no need to process personal information as an essential part of your main business. However, if you are a residential letting agency and your main activity is providing homes, then personal data processing is absolutely essential to your main activity.
The GDPR is going to be the statutory instrument from 2018, and it sets out serious financial penalties for breaches of its Articles, although an SME would need to be processing copious amounts of personal information with a total disregard for the new regulation to attract the fine of €20 million or 4% of annual turnover (whichever is greater).
There are some areas of the GDPR where SMEs are recognised as having fewer resources and competencies, so that a small thingy maker in Skelmersdale with a small database containing its 10 employees and limited sales prospects may well pose less of a risk to the privacy of UK and EU citizens than E Corp with its numerous processing activities and large databases.
But be warned: the GDPR expects all designated personnel to take a proactive approach to data protection (DP) and privacy, and it contains many Articles which apply equally regardless of organisation size. SMEs therefore don’t get off the compliance hook; they cannot simply do nothing, and they too have to come to terms with this upcoming legislation.
The advice here, then, is to implement your GDPR strategy sooner rather than later. If you are an SME you could soon find yourself under pressure from your clients, subscribers and supply chains, who may impose a process on you in order to fulfil their own responsibilities as data controllers. You might even find that your larger corporate clients rate you as a higher risk to them if you aren’t able to evidence being in control of your information.