It does bring severe penalties, but the regulatory environment is much easier to navigate. At the same time the rights of the citizens are enhanced, so that both ordinary people and businesses benefit.
Currently there are 28 Member States in the European Union, and every state has its own set of privacy laws. This is a major headache for businesses, who have had to comply with a new set of laws for each EU country they plan on expanding to.
This is contrary to the core principle of free movement of goods, services and capital within the EU, and the new regulation aims to put an end to this. All countries will be bound by the same set of regulations. Once a business adopts the guidelines from the GDPR, they can freely do business in another EU country, knowing that the privacy laws are the same.
Big Business and SMEs
So far, the situation has been perilous for small businesses, especially start-ups. They had to spend lots of resources on legal advice and bureaucracy in order to comply with differing sets of regulations, thus having to misallocate funds that would have found better use in the development of new services.
Big businesses, such as multinational corporations, had less trouble with complicated bureaucracy, as these expenses represent a miniscule portion of their global turnover. For smaller companies, however, this presented a major obstacle.
SMEs also often do not have enough expertise to manage the risks of personal data safeguarding and fail to implement certain security measures. The GDPR has been laid out following a risk-based approach: the more confidential the data is, the more safeguards are needed. However, it can be difficult to gauge the confidentiality of the data and allocate enough manpower to do so.
What Are ‘SMEs’ Exactly?
The definition of SMEs is defined in Annex 2 of the European Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. SMEs are enterprises which employ fewer than 250 people and have an annual turnover not exceeding EUR 50 million and less than EUR 43 million on their balance sheets.
Further subdivisions exist. Small enterprises are those with less than EUR 10 million in turnover and with an annual balance sheet total of less than EUR 10 million. Micro enterprises employ less than 10 people and must have less than EUR 2 million in both of the above.
Derogations for SMEs
The GDPR contains special regulations that aim to make the life of SMEs easier. More precisely, small and medium-sized enterprises are exempt from certain labour-intensive operations that may place them on an unequal footing when competing against large businesses.
Specific needs of SMEs should be taken into account by the relevant authorities during the establishment of data protection mechanisms and codes of conduct. Certifications could be of major benefit to SMEs, as they serve as an indicator of good practices. Awareness-raising activities must also take into account SMEs.
However, the most important changes are listed in Article 30 of the GDPR. Pursuant to Article 30, SMEs need not appoint a data protection officer if their core business activity is not data processing on a substantial scale, or if they do not process sensitive personal data (special categories of data, outlined below). Even if such an officer would be required, they need not be a full-time employee. This will bring about a reduction in costs.
Furthermore, SMES do not need to keep records of their processing activities unless such activities are “likely to result in a risk to the rights and freedoms of data subjects”. Such processing should be occasional, and not include special categories of data, such as data relating to criminal convictions and offences.
If minor data breaches occur, it is not necessary to report this breach to the individual if the harm to the individual was insignificant or non-existent. This, of course, does not apply to special categories of data.
Special Categories of Data
Categories of data for which record-keeping is still required are listed in Article 9(1) of the GDPR. The data includes personal data regarding the person’s racial or ethnic origin, political and philosophical stances, membership in trade unions, biometric and genetic data, and data concerning one’s health, sex life and sexual orientation.
Take Care – The Rules Are the Same
These derogations do not mean that SMEs are under a light-weight approach to data processing. In fact, the GDPR is very clear on that – all enterprises are bound by the same rules regarding data safety and processing. Ignorance is not a defence accepted by the regulatory authorities, and fines can be very steep. That is why it is of paramount importance that SMEs begin with procedures to ensure compliance as soon as possible. These can be introduced gradually, but must be done eventually. Guidance of external qualified personnel can help them achieve their goals with no risk and at the lowest possible cost.