Does GDPR apply to small business?

Does the GDPR apply to small business? And should you care?

Put simply, it probably does! And yes, you absolutely should care!

Who it applies to

The EU’s Privacy law (GDPR) has been in force since 25 May 2018, and applies to all businesses (irrespective of size) if any one of the following apply:

the business has a presence (office or people) in the EU, this includes having a website that targets people in the EU, such as using EU dominated pricing, testimonials from EU people or EU language options); OR
the business offers goods or services to individuals in the EU (whether at a fee or not); OR
the business monitors behaviour of individuals in the EU (which includes using analytics software on its website that tracks IP addresses of EU based devices).

You only need to meet one of these requirements for GDPR to apply to your business.

Why you should care

And the business should care, or at least it should care, for a number of reasons. Firstly, customers prefer to deal with companies that respect their privacy and their data so without complying the business is likely to lose customers, and secondly, if the business does not comply the business is exposed to fines of up to €20m or 4% of global group turnover, whichever is the higher. Worse still, the EU privacy regulator could order the business to stop processing any EU personal data immediately.

The GDPR is the gold standard of privacy compliance, and requires a complete “privacy by design and default” approach to the business, its customers, employees and suppliers; it demands transformational change. It is not a case of a quick update to the company’s privacy policy, and “she’ll be right”. There are no quick fixes or silver bullets. The business will need to go through a carefully planned and fully documented compliance program encompassing all departments within the business. Even using outside experts, this will take 3-6 months for a small organisation and will cost $10,000s if not $100,000s of dollars. Large companies in the US are spending USD 1-10m on their GDPR compliance programs. The regulators are getting increasingly active in enforcing the law and issuing fines, even when there is no loss of data. Under GDPR, a business can be fined for not having the right documentation, processes or record keeping safeguards, even if no data is lost or disclosed.

GDPR Article 27

If your business doesn't have a presence in the EU but does offer goods and services to individuals in the EU or monitors their behaviour then Art 27 of GDPR requires you to appoint a GDPR Representative in the EU. For additional information please read the article What is a GDPR Representative and when do I need one .

Let's make you compliant

It is relatively easy to comply with both EU GDPR and UK GDPR representative requirements. By appointing and maintaining both an EU and a UK representative you will be compliant in both jurisdictions.

We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the EU & UK today.

Cookies

Essential

Analytics

Marketing

Cookie declaration
About Cookies

Essential (8) Analytics Marketing

Essential cookies assist in making our website usable by providing functions such as navigation or access to secure areas of the site. They also may be used to help comply with legal requirements, such as GDPR. This website cannot function correctly without these cookies.

Name	Provider	Purpose	Expiry	Type
XSRF-TOKEN	juksta.eu	Helps prevent Cross-Site Request Forgery (CSRF) attacks.	Session	HTTP Cookie
juksta_session	juksta.eu	Preserves users states across page requests.	Session	HTTP Cookie
juksta_represent_session	juksta.eu	Preserves users states across page requests.	Session	HTTP Cookie
init_cookie_consent	juksta.eu	Helps manage cookie types preferences.	7300 days	HTTP Cookie
cookie_consent	juksta.eu	Keep user selected cookie types.	7300 days	HTTP Cookie
_ga	Google Analytics	Registers a Unique Identifer, used to generate statistical data on how the visitor uses the website for Google Analytics.	2 years	HTTP Cookie
_gid	Google Analytics	Registers a Unique Identifer, used to generate statistical data on how the visitor uses the website for Google Analytics.	1 day	HTTP Cookie
_gat_*	Google Analytics	Used by Google Analytics to throttle request rates, which means that it limits the collection of data on high traffic sites.	1 day	HTTP Cookie

Analytic cookies help owners understand how visitors interact with their sites by collecting and reporting information.

Marketing cookies are used by 3rd parties to track users across websites with the intent to display advertising targeted to the individual user. There are no marketing cookies used by this website.

Cookies are small files of data generated by a website and saved by your web browser. Their purpose is to allow information to be remembered and accessed as you visit websites. There are different types of cookies, some placed by this website and others by 3rd party providers embedded in our pages.

You can change your cookie preferences at any time via our Cookie Management page.

For additional information on how we manage your privacy and process your data please visit our Privacy Policy.