What does the GDPR mean for small businesses?

By Philip Brining

The General Data Protection Regulation is set to turn many organisations upside down and inside out as they implement change to bring themselves up to the standard required by the new Regulation.  In this blog DPP’s Phil Brining considers the impact on small businesses.

The final text of the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Commission a couple of weeks ago leading to me reviewing and updating some of the blogs I have written in the past.

This blog is about some of the specifics in the GDPR that relate to small business.  First off many people forget that both the current EU Directive and the new General Data Protection Regulation (GDPR) aim to: 1) facilitate the free transfer of data between the member states of the European Union; and 2) uphold the rights and freedoms of EU citizens to privacy which, to be honest, is why I get cross with people who preach that data protection is about stopping information processing.  The underpinning philosophy of the legislation is to facilitate the free movement of data within a framework that upholds, respects, and assures privacy and the proper and appropriate use of data.

Just like the Data Protection Act (DPA), the GDPR does not apply to people who are processing personal data in the course of their own exclusively personal or household activity.  So just because you keep your Christmas card list in Excel, or you have CCTV cameras on your house to deter intruders, does not mean that you fall under the scope of the GDPR. But if you step outside of that definition, say you’re a sole trader working from home – as soon as you begin undertaking commercial activities for instance – you are highly likely to come under the scope of the Regulation; in fact the GDPR contains a definition of an “enterprise” within Article 4(18) as any legal entity engaged in economic activity.

The GDPR broadly expects SMEs to comply in full with the Regulation.  They are expected to manage their data flows and data processes to the same extent as larger, better resourced organisations. They are expected to consider the risks that their business practices pose to the privacy of their data subjects and to adopt business practices which do not introduce unnecessary privacy risks.  They are expected to balance their own legitimate interests with the rights of data subjects and to carry documentation and evidence that they have made these considerations within their business decision-making process.

However, the GDPR does contain a few exemptions for SMEs and certain other specific references to SMEs which appear to make allowances for the smaller risk that they may pose to the privacy of EU Citizens as compared to larger more complex organisations.  This is important – I don’t think the exemptions are a recognition of organisation size, resources and capability – I think the exemptions are introduced to take account of the comparative risk that they pose.  I think it is also the case that the European Commission has no desire to bog its businesses down in red tape and bureaucracy where it is not appropriate and which may hinder the free movement of data within the Union.

When I wrote the original blog, controllers employing more than 250 people were required to appoint a data protection officer.  The qualification has changed and it seems unlikely many SMEs will fall under this requirement now.  If you are a public authority or body you need a DPO; otherwise, unless your core activities (whether controller or processor) consist of processing operations the purpose, scope or nature of which involve systematic monitoring of data subjects on a large scale, or unless your core activities consist of processing on a large scale special categories of data*, or personal data relating to convictions and offences, it seems unlikely that you will be caught by the mandatory requirement to have a DPO.  But that’s not to say that you get away with having no one in the hot seat!  The GDPR simply sets out a mandatory requirement to have a DPO and then helpfully sets out the role, tasks, and qualities that a DPO should have/undertake.  Arguably every controller should have a DPO to head up compliance and carry out the tasks set out in the GDPR.

What these activities cover, what would be considered “core”, and just how “large” is to be quantified haven’t yet been defined.  A general understanding of monitoring is using CCTV, or wearable tech, for example.

Just where the line is in terms of what processing would be classified as “core” is yet to be defined or tested, but if you’re a small widget maker, your main activity is making widgets.  There is no need to process personal data as an integral part of your main activity.  Sales effort involving personal data is ancillary to the core business purpose.  However, if you are a housing association and your main activity is providing social housing, the processing of personal data is essential to your main activity.  You can’t provide the range of services, including collecting rent, dealing with anti-social behaviour, and managing tenancy arrangements, without processing personal data.  But what about if you are a lawyer?  Your core activity is providing legal advice and representing clients.  To what extent does this activity involve the processing of personal data?  As I say, this is to be clarified and tested, but that’s my take on it.

In a previous version of the GDPR text SMEs were referred to directly in relation to the fines.  The Regulation, and remember this is going to be the binding statutory instrument from 2018, sets out stiff financial penalties for breaches of its Articles, but the references to organisations employing fewer than 250 people in relation to the imposition of fines have been replaced by a more general account of the factors to be taken into account in the decision and the level of any fine.  An SME would need to be processing large volumes of personal data with a cavalier disregard for the Regulation, and with other aggravating circumstances, to attract the maximum fine of €20 million.

Another specific reference to SMEs is contained in Article 30: “Each [data] controller … [and] processor … shall maintain a record of processing activities under its responsibility” except for “an enterprise or an organisation employing fewer than 250 persons” unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data … or personal data relating to criminal convictions and offences”.

Again the Regulation appears to be allowing SMEs some leeway in the degree of documentation and record keeping that they are required to maintain in relation to information processes, provided that they don’t present a significant risk to data subjects.  Just how much leeway is difficult to say, but if for instance you’re a small widget maker and you are only occasionally processing personal data, you may well not be required to maintain as extensive an information governance framework as a small marketing services firm working as a data processor whose core activity is processing mail shots.

But going out on a bit of a limb I am often critical of the minimal compliance approach.  Why would any business of 200 to 250 people not want to exercise a high level of control over its data processes and be able to demonstrate it through record-keeping?

So in summary there are a few areas of the Regulation where SMEs are recognised as having fewer resources and capabilities, and the spirit of the Regulation encourages us to take a risk-based approach, meaning that a small widget maker in Basingstoke with a tiny database of sales prospects and a database of their 10 employees may well pose a lesser risk to the privacy of EU Citizens than a larger, more complex organisation with numerous processing activities and larger databases.  But be warned that the Regulation expects all controllers to take a more proactive approach to DP and privacy and contains many articles which apply equally no matter what size of organisation you are.

So it seems to me that being an SME doesn’t get you off the compliance hook.  SMEs cannot simply do nothing – they too have to get to grips with this legislation but please do not be told that you simply HAVE to put a whole load of bureaucratic process in place because that may not be the case.

One final thought is this – if you are an SME covered by some of these exemptions and running a lean operation – you may find pressure from your customers and supply chain to impose bureaucratic process on you in order to fulfil their responsibilities as a data controller.  You may well find that your big corporate customers rate you as a higher risk to them if you are not able to demonstrate being in control of your data processing, and that, to be honest, is one of the aspects of the Regulation that I like: pressure on ALL organisations from several sources to comply, not just from the regulator.  My advice is that the sooner you start to get your GDPR strategy in place – the better.

Philip Brining

19th May 2016
