When does GDPR apply to me?
If you have a small business you may ask, when does GDPR apply to me?
First, let’s consider a series of “Does GDPR apply if….?” questions. Then we’ll briefly touch on the basics for small businesses to comply.
What does GDPR apply to?
There are two main factors to consider when asking if GDPR applies to your company:
- GDPR applies to personal data.
- GDPR protects EU citizens.
According to GDPR article 4:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Further, the GDPR applies to personal data belonging to EU citizens and residents.
Therefore, whether or not GDPR applies to you has to do with the types of data you collect and whose data you collect. It is not based on the size and type of business you run. This is a notable point of difference with some other regulations like California’s CCPA.
A quick note on when GDPR applies vs. when CCPA applies:
The CCPA applies to businesses that have at least $25 million of annual gross revenue, or process data of at least 50,000 California residents, or get half their revenue or more from the sale of personal data. Size matters in California.
In contrast, GDPR has no minimum company size, revenue, or volume of data collection.
Does GDPR apply to small businesses?
Yes. If you collect the data of EU citizens and residents, your small or medium-sized business is considered a data controller. As such it must comply with GDPR. In many respects, you will be just as accountable as large enterprises for how you handle personal data.
However, if your company has fewer than 250 employees, you will get some exemptions. For example, you may not need to hire a DPO. Your record-keeping requirements will not be as demanding. Additionally, if your data processing activities are not “on a large scale”, you will not need always need to perform Data Protection Impact Assessments.
Regardless of the size of your company, if you store sensitive data that qualifies as “special category sensitive data”, you must keep complete records of how it is processed.
Protect all the personal data that you collect (i.e., anything that could be used to identify a person) with technical measures like encryption and password controls.
Does GDPR apply to sole proprietors?
Yes. Just like everyone else from small businesses and large enterprises, GDPR applies if you process the data of EU citizens and residents.
But, since your company has fewer than 250 employees, you will get some exemptions. For example, you will not be required to hire a DPO. Your record-keeping requirements will not be as demanding. Additionally, if your data processing activities are not “on a large scale” you will not always need to perform Data Protection Impact Assessments.
What if I am a blogger or influencer?
If you have visitors or followers from the EU and you collect their personal information, you are a data controller and must comply with GDPR. However, you will get some exemptions, like small businesses and sole proprietorships.
What if I run a small non-profit?
The GDPR applies to any organization that offers goods or services to EU citizens or residents, or collects personal information from EU citizens.
GDPR applies to Nonprofits and Associations in the following cases:
- Nonprofits: If you receive donations from citizens or residents of the EU.
- Associations: If you have members in the EU.
Does GDPR apply if my company is not in Europe?
Yes. Requirements do not depend on where your company is physically located or registered. If you have customers or employees who are EU citizens or residents, or plan to market to them in the future, you must comply with GDPR.
In fact, if you move customer data out of the EEA, there will be special security and privacy requirements you need to consider. Record-keeping requirements for cross-border transfers will also be stricter.
Does GDPR apply to my website?
Yes. If your website gets visitors from the EU it should comply with GDPR.
Here are some things you can do to make your website GDPR compliant:
- If you use contact information for marketing purposes, make sure you explain this in your policy and add an opt-in checkbox (unchecked!) to get active consent from the person to contact them about your promotions, etc.
- Double-check with your web hosting company, cloud storage providers, and any other platforms you connect to your site to collect people’s data. Make sure they protect their databases.
To ensure security and honor people’s GDPR rights, it is also a good idea to set up a data subject access request portal and an encrypted data upload point on your site.
I use cloud services. Is GDPR compliance their problem, or mine?
Both. Perhaps you store data in cloud servers and assume you are getting good security as part of that service. However, you are still the data controller. The storage services or third-party platforms you use may be considered data processors. You share responsibility for keeping data safe. Check to make sure your data processors are GDPR-compliant and private.
Then, make sure you:
- Protect the passwords and devices you use to connect to cloud services, and educate your employees to do the same.
- Inventory the data you store from time to time.
- Delete data you no longer need.
Does the GDPR apply to employee data too?
Yes, it does. Starting with the recruitment process, you collect a lot of information about employees and potential employees. This will include sensitive information. So get consent before you collect potential employees resume, police records, vaccination records, etc.
Just like other consents, make this one clear, explicit, and active. Don’t lump consent in with other clauses or hide it in contracts. You can also publish an employee data processing notice. It should let your team know that you collect their data and explain why.
It looks like GDPR applies to me. What should I focus on for easy compliance?
There is no perfect checklist for compliance. But these basic tips will take you in the right direction:
- Get consent to collect data for marketing with an unchecked “opt-in” checkbox.
- Keep your employees informed about how you collect and use their data.
- Respond promptly if people ask you for information about their data, or make other requests regarding it.
- Set up a safe data upload point.
- Protect the personal data you send by email.
- Inventory your data storage regularly.
- Delete data you no longer need.
- Document your policies and practices to demonstrate compliance.
Need some help? We offer privacy and compliance products specifically designed for SMBs. They are simple, cost-effective, and easy to use. Learn more →