Tuesday, October 30, 2018

GDPR Exemptions for firms with fewer than 250 employees

A common misconception is that firms with fewer than 250 employees are exempt from GDPR. This is a myth.

The only potential exemptions for firms with fewer than 250 employees are:

  1. Record keeping
  2. The requirement for a Data Protection Officer (DPO)

Article 30 deals with the record-keeping requirements of Data Controllers and Data Processors, and Article 30.5 states that “The obligations referred to in paragraphs 1 and 2 shall not apply to (a company) employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”

On closer reading of Article 30, the record-keeping exemption may prove to be less of an exemption than it first appears: much of the information required is information a firm would keep anyway as a matter of best practice, so most companies are likely to be keeping these records regardless of their size. The ICO will request these records during any audit to demonstrate compliance.

With regard to the requirement for a DPO, the original intention was to mandate a DPO for all organisations, with an exemption for small businesses with fewer than 250 employees. However, this was revised, and a DPO is now mandated where an organisation is a public body, is regularly and systematically monitoring data subjects on a large scale, and is processing sensitive personal data on a large scale. This will apply to a lot of firms.

The tasks of a DPO are set out in Article 39. Even where a DPO is not mandated, every organisation handles some personal data, so it is best practice to have an allocated resource available to handle tasks such as Subject Access Requests and Data Breaches.

Ultimately, any company found not to be complying with the GDPR can be penalised with heavy fines, so don’t be the firm that falls into the trap of believing the Regulation doesn’t apply to you because you are a small firm.

Links to relevant GDPR Articles:

Article 30 - http://www.privacy-regulation.eu/en/article-30-records-of-processing-activities-GDPR.htm

Article 37 - http://www.privacy-regulation.eu/en/article-37-designation-of-the-data-protection-officer-GDPR.htm

Author: Laura Griffiths