Does GDPR apply to small business?

Does the GDPR apply to small business? And should you care?

Put simply, it probably does! And yes, you absolutely should care!

Who it applies to

The EU’s privacy law, the GDPR, has been in force since 25 May 2018, and applies to all businesses (irrespective of size) if any one of the following applies:

  • the business has a presence (office or people) in the EU; this includes having a website that targets people in the EU, such as by using EU-denominated pricing, testimonials from people in the EU, or EU language options; OR
  • the business offers goods or services to individuals in the EU (whether at a fee or not); OR
  • the business monitors behaviour of individuals in the EU (which includes using analytics software on its website that tracks IP addresses of EU based devices).

You only need to meet one of these requirements for GDPR to apply to your business.

Why you should care

The business should care for a number of reasons. Firstly, customers prefer to deal with companies that respect their privacy and their data, so a business that does not comply is likely to lose customers. Secondly, a business that does not comply is exposed to fines of up to €20m or 4% of global group turnover, whichever is the higher. Worse still, the EU privacy regulator could order the business to stop processing any EU personal data immediately.

The GDPR is the gold standard of privacy compliance, and requires a complete “privacy by design and default” approach to the business, its customers, employees and suppliers; it demands transformational change. It is not a case of a quick update to the company’s privacy policy and “she’ll be right”. There are no quick fixes or silver bullets. The business will need to go through a carefully planned and fully documented compliance program encompassing all departments within the business. Even using outside experts, this will take 3-6 months for a small organisation and will cost tens of thousands, if not hundreds of thousands, of dollars. Large companies in the US are spending USD 1-10m on their GDPR compliance programs. The regulators are getting increasingly active in enforcing the law and issuing fines, even when there is no loss of data. Under GDPR, a business can be fined for not having the right documentation, processes or record-keeping safeguards, even if no data is lost or disclosed.

GDPR Article 27

If your business doesn't have a presence in the EU but does offer goods and services to individuals in the EU or monitors their behaviour, then Art 27 of GDPR requires you to appoint a GDPR Representative in the EU. For additional information, please read the article What is a GDPR Representative and when do I need one.

Can we help you be compliant?

If your business requires an Art 27 GDPR Representative, select the plan that fits your business size to start your 30-day free trial.

  • 30-day free trial
  • Access to all features
  • No credit card required to trial
  • No obligation to continue after your free trial
  • Flat monthly fees, no hidden costs or long-term subscriptions

OWNER

19 / month

Owner, with no employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo

MICRO

35 / month

1 to 10 employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
  • PDF Certificate

SMALL

69 / month

11 to 50 employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
  • PDF Certificate
  • Notifications, escalations & reporting

MEDIUM

175 / month

51 to 250 employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
  • PDF Certificate
  • Notifications, escalations & reporting
  • Customer Care Portal Branding, Audit Logging & Pre-response approval

LARGE

590 / month

Over 250 employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
  • PDF Certificate
  • Notifications, escalations & reporting
  • Customer Care Portal Branding, Audit Logging & Pre-response approval