When does GDPR apply to me?
The GDPR is the EU's data protection regulation. It applies to companies and organizations established in the European Union (EU), and also to companies based outside the EU if they offer goods or services to people in the EU or monitor their behaviour there. The test is where the individuals are located, not their citizenship.
The regulation seeks to protect individuals' personal data and ensure that companies handle it transparently and responsibly. It imposes various obligations on companies, including having a lawful basis (such as consent or a contract) for each processing activity, giving individuals access to their data and honouring their other rights, and reporting personal data breaches to the supervisory authority within 72 hours of becoming aware of them.
Does GDPR apply to you? Read on for more information and answers to common questions about what GDPR is for and who needs to follow it.
What does GDPR apply to?
The GDPR applies to companies and organizations that process personal data of people in the EU and the wider European Economic Area (EEA), which adds Norway, Iceland and Liechtenstein to the EU member states. It also applies to companies and organizations based outside the EU that offer goods or services to people in the EU or monitor their behaviour. GDPR applies to all types of organisations, including businesses, public authorities, charities and non-profit organisations, regardless of size or industry. Its purpose is to protect personal data and ensure that organisations process it in a transparent and responsible manner.
Compliance with the GDPR is mandatory by law, and non-compliance can result in fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, as well as damage to the company's reputation. Therefore, it is important that companies understand when the GDPR applies to them and take appropriate measures to comply with the regulation.
Does GDPR apply to small businesses?
Yes. If you collect the data of people in the EU and decide why and how it is used, your small or medium-sized business is a data controller. As such, it must comply with GDPR. In many respects, you will be just as accountable as large enterprises for how you handle personal data.
However, some obligations scale with the risk and scope of your processing rather than applying to everyone. A company with fewer than 250 employees is exempt from keeping full records of processing activities, unless its processing is likely to pose a risk to individuals, is not occasional, or involves special category or criminal offence data. A Data Protection Officer (DPO) is only mandatory where your core activities involve large-scale regular monitoring of people or large-scale processing of special category data (or you are a public authority), so most small businesses will not need one. A Data Protection Impact Assessment is only required where processing is likely to result in a high risk to individuals, for example large-scale profiling or monitoring.
Regardless of the size of your company, if you process "special category" data (such as health, biometric, religious or sexual orientation data), you must keep complete records of how it is processed and have a specific condition for processing it. Protect all the personal data that you collect (i.e., anything that could be used to identify a person) with appropriate technical and organisational measures, such as encryption, access controls and strong authentication.
Does GDPR apply to sole proprietors?
Yes. Just like small businesses and large enterprises, you must comply with GDPR if you process the data of people in the EU.
The same size-based relief described above for small businesses applies to you: with fewer than 250 employees you are exempt from full record-keeping unless your processing is risky, non-occasional or involves special category data; a DPO is only mandatory if your core activities involve large-scale monitoring or large-scale special category data; and a Data Protection Impact Assessment is only needed where processing is likely to result in a high risk to individuals.
What if I am a blogger or influencer?
If you have visitors or followers in the EU and you collect their personal information (including through mailing lists, comment forms or analytics cookies), you are a data controller and must comply with GDPR. However, you will get the same risk-based relief as small businesses and sole proprietorships.
What if I run a small non-profit?
The GDPR applies to any organization that offers goods or services to people in the EU, or otherwise collects personal information from them.
GDPR applies to Nonprofits and Associations in the following cases:
- Nonprofits: If you receive donations from citizens or residents of the EU.
- Associations: If you have members in the EU.
Does GDPR apply if my company is not in Europe?
Yes. Requirements do not depend on where your company is physically located or registered. If you have customers, users or employees in the EU, or target your marketing at people there, you must comply with GDPR.
In fact, if you transfer personal data out of the EEA, you need a lawful transfer mechanism, such as an adequacy decision for the destination country or Standard Contractual Clauses, on top of the usual security and privacy requirements. Your records of processing must also document any transfers to third countries and the safeguards used.
Does GDPR apply to my website?
Yes, if it collects personal data from visitors in the EU. That includes obvious cases such as contact forms and sign-ups, but also IP addresses, analytics and advertising cookies, and other tracking identifiers.
Here are some things you can do to make your website GDPR compliant:
- If you use contact information for marketing purposes, make sure you explain this in your privacy policy and add an opt-in checkbox (unchecked by default!) to get active consent from the person to contact them about your promotions, etc. Pre-ticked boxes and silence do not count as consent.
- Double-check with your web hosting company, cloud storage providers, and any other platforms you connect to your site to collect people's data. They act as your data processors, so you need a written data processing agreement with each of them and assurance that they protect the data they hold for you.
To ensure security and honour people's GDPR rights, it is also a good idea to serve the whole site over HTTPS, set up a channel for data subject access requests (DSARs), and provide an encrypted upload point for any files people send you.
GDPR and cloud services
Perhaps you store data on cloud servers and assume you are getting good security as part of that service. However, you are still the data controller, and the storage services or third-party platforms you use are your data processors. Responsibility for keeping data safe is shared, and you remain accountable for choosing processors that provide sufficient guarantees. Check that each processor offers a GDPR-compliant data processing agreement and clear security commitments.
Then, make sure you:
- Protect the passwords and devices you use to connect to cloud services (use unique passwords and multi-factor authentication), and educate your employees to do the same.
- Inventory the data you store from time to time.
- Delete data you no longer need.
Does the GDPR apply to employee data too?
Yes, it does. Starting with the recruitment process, you collect a lot of information about employees and potential employees, including CVs, references and sometimes sensitive data such as criminal records or health and vaccination records. Because of the power imbalance between employer and employee, consent is rarely a valid lawful basis for this processing; rely instead on the employment contract, a legal obligation or legitimate interests, and for sensitive data make sure a specific condition for processing special category or criminal offence data applies.
Where you do rely on consent, make it clear, explicit and active. Don't lump it in with other clauses or hide it in contracts. Publish an employee data processing notice that tells your team what data you collect about them, why, and for how long you keep it.
What should I focus on to become compliant?
We have prepared a checklist for the areas that must be managed in order to comply with the GDPR. You can find the checklist here.
The shortcut to GDPR compliance
At Safe Online, we offer SaaS tools to protect personal data and to make it easier to comply with the GDPR. These solutions are specially developed for small and medium-sized companies. They are simple, cost-effective and easy to use.