When does GDPR apply to me?

GDPR is a set of data protection laws that apply to companies and organisations operating within the European Union (EU). It also applies to companies based outside the EU if they offer goods or services to EU citizens or monitor their behaviour.

The regulation seeks to protect individuals’ personal data and ensure that companies handle this data in a transparent and responsible manner. It imposes various obligations on companies, including obtaining consent for data processing, giving individuals access to their own data and reporting data breaches.

Does GDPR apply to you? To get an idea of whether GDPR will apply to your company, take the quick quiz below. Then, read on for more information and common questions regarding what GDPR is for and who needs to follow it.

What does GDPR apply to?

The GDPR applies to companies and organisations that process personal data of people in Europe. This includes the EU member states as well as Norway, Iceland and Liechtenstein. The GDPR also applies to companies and organisations that are based outside the EU but offer goods or services to people in the EU or monitor their behaviour. GDPR applies to all types of organisations, including businesses, public authorities, charities and non-profit organisations, regardless of size or industry. GDPR’s purpose is to protect personal data and ensure that companies process it in a transparent and responsible manner.

Compliance with GDPR regulations is mandatory by law, and non-compliance can result in fines and damage to the company’s reputation. Therefore, it is important that companies understand when the GDPR applies to them and take appropriate measures to comply with the regulation.

Does GDPR apply to small businesses?

Yes. If you collect the data of EU citizens and residents, your small or medium-sized business is considered a data controller. As such, it must comply with GDPR. In many respects, you will be just as accountable as large enterprises for how you handle personal data.

However, if your company has fewer than 250 employees, you will get some exemptions. For example, you may not need to appoint a Data Protection Officer (DPO), and your record-keeping requirements will not be as demanding. Additionally, if your data processing activities are not “on a large scale”, you will not always need to perform Data Protection Impact Assessments.

Regardless of the size of your company, if you store sensitive data that qualifies as “special category sensitive data”, you must keep complete records of how it is processed. Protect all the personal data that you collect (i.e., anything that could be used to identify a person) with technical measures like encryption and password controls.

Does GDPR apply to sole proprietors?

Yes. Just like small businesses and large enterprises, you must comply with GDPR if you process the data of EU citizens and residents.

However, since your company has fewer than 250 employees, you will get some exemptions. For example, you may not need to appoint a Data Protection Officer (DPO), and your record-keeping requirements will not be as demanding. Additionally, if your data processing activities are not “on a large scale”, you will not always need to perform Data Protection Impact Assessments.

What if I run a small non-profit?

The GDPR applies to any organisation that offers goods or services to EU citizens or residents, or collects personal information from EU citizens.

GDPR applies to non-profits and associations in the following cases:

  • Nonprofits: If you receive donations from citizens or residents of the EU.
  • Associations: If you have members in the EU.
Does GDPR apply if my company is not in Europe?

Yes. Requirements do not depend on where your company is physically located or registered. If you have customers or employees who are EU citizens or residents, or plan to market to them in the future, you must comply with GDPR.

Furthermore, if you move customer data out of the EEA, there are special security and privacy requirements you need to consider. Record-keeping requirements for cross-border transfers will also be stricter.

Does GDPR apply to my website?

Yes. If your website gets visitors from the EU it should comply with GDPR.

Here are some things you can do to make your website GDPR compliant:

  • Set up a consent form with unchecked checkboxes for people to actively agree to the use of cookies.
  • Check the spots where you collect personal data. Look at your contact forms, and anywhere else where people are asked to share their name and email address. Link your privacy policy in each of these spots.
  • If you use contact information for marketing purposes, make sure you explain this in your policy and add an opt-in checkbox (unchecked!) to get active consent from the person to contact them about your promotions, etc.
  • Double-check with your web hosting company, cloud storage providers, and any other platforms you connect to your site to collect people’s data. Make sure they protect their databases.

To ensure security and honor people’s GDPR rights, it is also a good idea to set up a data subject access request portal and an encrypted data upload point on your site.

GDPR and cloud services

GDPR applies to both you and your cloud provider. Perhaps you store data on cloud servers and assume you are getting good security as part of that service. However, you are still the data controller. The storage services or third-party platforms you use may be considered data processors. You share responsibility for keeping data safe, so check that your data processors are GDPR-compliant and protect your data.

Then, make sure you:

  • Protect the passwords and devices you use to connect to cloud services, and educate your employees to do the same.
  • Inventory the data you store from time to time.
  • Delete data you no longer need.

Does the GDPR apply to employee data too?

Yes, it does. Starting with the recruitment process, you collect a lot of information about employees and potential employees, and this will include sensitive information. So get consent before you collect potential employees’ résumés, police records, vaccination records, etc.

Just like other consents, make this one clear, explicit, and active. Don’t lump consent in with other clauses or hide it in contracts. You can also publish an employee data processing notice. It should let your team know that you collect their data and explain why.

What should I focus on to become compliant?

We have prepared a checklist for the areas that must be managed in order to comply with the GDPR. You can find the checklist here.

The shortcut to GDPR compliance

At Safe Online, we offer SaaS tools to protect personal data and to make it easier to comply with the GDPR. These solutions are specially developed for small and medium-sized companies. They are simple, cost-effective and easy to use.

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily
