What the GDPR means for SMEs.
The General Data Protection Regulation is set to turn many organisations upside down and inside out as they implement change to bring themselves up to the standard required by the new Regulation.
The final text of the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Commission a couple of weeks ago, leading me to review and update some of the blogs I have written in the past.
This blog is about some of the specifics of the GDPR that relate to small businesses. First off, many people forget that both the current EU Directive and the new General Data Protection Regulation (GDPR) aim to 1) facilitate the free transfer of data between the member states of the European Union; and 2) uphold the rights and freedoms of EU citizens to privacy, which, to be honest, is why I get cross with people who preach that data protection is about stopping information processing. The underpinning philosophy of the legislation is to facilitate the free movement of data within a framework that upholds, respects and assures privacy and the proper and appropriate use of data.
Just like the Data Protection Act (DPA), the GDPR does not apply to people who are processing personal data in the course of their own exclusively personal or household activity. So just because you keep your Christmas card list in Excel, or you have CCTV cameras on your house to deter intruders, does not mean that you fall under the scope of the GDPR. But if you step outside of that definition, say you’re a sole trader working from home – as soon as you begin undertaking commercial activities, for instance – you are highly likely to come under the scope of the Regulation; in fact, the GDPR contains a definition of an “enterprise” within Article 4(18) as any legal entity engaged in economic activity.
The GDPR broadly expects SMEs to comply in full with the Regulation. They are expected to manage their data flows and data processes to the same extent as larger better-resourced organisations. They are expected to consider the risks that their business practices pose to the privacy of their data subjects and to adopt business practices which do not introduce unnecessary privacy risks. They are expected to balance their own legitimate interests with the rights of data subjects and carry documentation and evidence that they have made these considerations within their business decision-making process.
However, the GDPR does contain a few exemptions for SMEs and certain other specific references to SMEs which appear to make allowances for the smaller risk that they may pose to the privacy of EU citizens as compared to larger, more complex organisations. This is important – I don’t think the exemptions are a recognition of organisation size, resources and capability – I think the exemptions are introduced to take account of the comparative risk that they pose. I think it is also the case that the European Commission has no desire to bog its businesses down in red tape and bureaucracy where it is not appropriate and where it may hinder the free movement of data within the Union.
When I wrote the original blog, controllers employing more than 250 people were required to appoint a data protection officer. The qualification has changed and it seems unlikely many SMEs will fall under this requirement now. If you are a public authority or body you need a DPO; otherwise, unless your core activities (whether controller or processor) consist of processing operations the purpose, scope or nature of which involve systematic monitoring of data subjects on a large scale, or unless your core activities consist of processing on a large scale special categories of data*, or personal data relating to convictions and offences, it seems unlikely that you will be caught by the mandatory requirement to have a DPO. But that’s not to say that you get away with having no one in the hot seat! The GDPR simply sets out a mandatory requirement to have a DPO and then helpfully sets out the role, tasks and qualities that a DPO should have or undertake. Arguably every controller should have a DPO to head up compliance and carry out the tasks set out in the GDPR.
Which activities would be considered “core”, and just how “large” is to be quantified, haven’t yet been defined. A general understanding of monitoring is using CCTV or wearable tech, for example.
Just where the line is in terms of what processing would be classified as “core” is yet to be defined or tested, but if you’re a small widget-maker, your main activity is making widgets. There is no need to process personal data as an integral part of your main activity; sales effort involving personal data is ancillary to the core business purpose. However, if you are a housing association and your main activity is providing social housing, the processing of personal data is essential to your main activity. You can’t provide a range of services including collecting rent, dealing with anti-social behaviour and managing tenancy arrangements without processing personal data. But what if you are a lawyer? Your core activity is providing legal advice and representing clients. To what extent does this activity involve the processing of personal data? As I say, this is to be clarified and tested, but that’s my take on it.
In a previous version of the GDPR text, SMEs were referred to directly in relation to the fines. The Regulation, and remember this is going to be the binding statutory instrument from 2018, sets out stiff financial penalties for breaches of its Articles, but the references to organisations employing fewer than 250 people in relation to the imposition of fines have been replaced by a more general account of the factors to be taken into account in the decision and the level of any fine. An SME would need to be processing large volumes of personal data with a cavalier disregard for the Regulation, and other aggravating circumstances, to attract the maximum fine of €20 million.
Another specific reference to SMEs is contained in Article 30: “Each [data] controller … [and] processor … shall maintain a record of processing activities under its responsibility”, except for “an enterprise or an organisation employing fewer than 250 persons” unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data … or personal data relating to criminal convictions and offences”.
Again, the Regulation appears to be allowing SMEs some leeway in the degree of documentation and record-keeping that they are required to maintain in relation to information processes, provided that they don’t present a significant risk to data subjects. Just how much leeway is difficult to say, but if, for instance, you’re a small widget-maker occasionally processing personal data, you may well not be required to maintain such an extensive information governance framework as a small marketing services firm working as a data processor whose core activity is processing mail shots.
Going out on a bit of a limb, I am often critical of the minimal compliance approach. Why would any business of 200 to 250 people not want to exercise a high level of control over its data processes and be able to demonstrate it through record-keeping?
So, in summary, there are a few areas of the Regulation where SMEs are recognised as having fewer resources and capabilities, and the spirit of the Regulation encourages us to take a risk-based approach, meaning that a small widget-maker in Basingstoke with a tiny database of sales prospects and a database of their 10 employees may well pose a lesser risk to the privacy of EU citizens than a larger, more complex organisation with numerous processing activities and larger databases. But be warned that the Regulation expects all controllers to take a more proactive approach to DP and privacy and contains many articles which apply equally no matter what size of organisation you are.
So it seems to me that being an SME doesn’t get you off the compliance hook. SMEs cannot simply do nothing – they too have to get to grips with this legislation – but please do not be told that you simply HAVE to put a whole load of bureaucratic processes in place, because that may not be the case.
One final thought is this – if you are an SME covered by some of these exemptions and running a lean operation, you may find pressure from your customers and supply chain to impose a bureaucratic process on you in order to fulfil their responsibilities as a data controller. You may well find that your big corporate customers rate you as a higher risk to them if you are not able to demonstrate being in control of your data processing, and that, to be honest, is one of the aspects of the Regulation that I like: pressure on ALL organisations to comply from several sources, not just from the regulator. My advice is that the sooner you start to get your GDPR strategy in place, the better.
19th May 2016