Does GDPR apply to small business?

Does the GDPR apply to small business? And should you care?

Put simply, it probably does! And yes, you absolutely should care!

Who it applies to

The EU’s Privacy law (GDPR) has been in force since 25 May 2018, and applies to all businesses (irrespective of size) if any one of the following apply:

  • the business has a presence (office or people) in the EU (this includes having a website that targets people in the EU, such as using EU-denominated pricing, testimonials from EU people or EU language options); OR
  • the business offers goods or services to individuals in the EU (whether at a fee or not); OR
  • the business monitors behaviour of individuals in the EU (which includes using analytics software on its website that tracks IP addresses of EU based devices).

You only need to meet one of these requirements for GDPR to apply to your business.

Why you should care

The business should care, for a number of reasons. Firstly, customers prefer to deal with companies that respect their privacy and their data, so a business that does not comply is likely to lose customers. Secondly, if the business does not comply it is exposed to fines of up to €20m or 4% of global group turnover, whichever is the higher. Worse still, the EU privacy regulator could order the business to stop processing any EU personal data immediately.

The GDPR is the gold standard of privacy compliance, and requires a complete “privacy by design and default” approach to the business, its customers, employees and suppliers; it demands transformational change. It is not a case of a quick update to the company’s privacy policy, and “she’ll be right”. There are no quick fixes or silver bullets. The business will need to go through a carefully planned and fully documented compliance program encompassing all departments within the business. Even using outside experts, this will take 3-6 months for a small organisation and will cost tens of thousands, if not hundreds of thousands, of dollars. Large companies in the US are spending USD 1-10m on their GDPR compliance programs. The regulators are getting increasingly active in enforcing the law and issuing fines, even when there is no loss of data. Under GDPR, a business can be fined for not having the right documentation, processes or record-keeping safeguards, even if no data is lost or disclosed.

GDPR Article 27

If your business doesn't have a presence in the EU but does offer goods and services to individuals in the EU or monitors their behaviour, then Art 27 of GDPR requires you to appoint a GDPR Representative in the EU. For additional information please read the article What is a GDPR Representative and when do I need one.

Let's make you compliant

It is relatively easy to comply with both EU GDPR and UK GDPR representative requirements. By appointing and maintaining both an EU and a UK representative you will be compliant in both jurisdictions.

We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the EU & UK today.