GDPR Guideline for Companies with less than 250 Employees

By now, most business owners will have heard more than they want to about the General Data Protection Regulation, commonly referred to as GDPR.

For those of you unfamiliar with the new legislation, here is a quick version: this new law is a European Union (EU) regulation, and it comes into force as of May 25, 2018.

The interesting thing for United Kingdom-based businesses is that, even though the UK will not remain part of the EU bloc after 2019, these regulations also apply to them. Why? Because British businesses will most likely continue to handle the data of EU residents.

GDPR outlines how businesses may collect, use, and store data regarding EU citizens.

Main Points of GDPR

Businesses of all sizes must obtain EU citizens’ consent. That means everyone with whom the business works, trades, or otherwise does business must be given a clear explanation of what data is being collected, how the data obtained from them will be used, and how that data will be stored. Companies must also state how long they intend to keep the data they collect.

If, at any time, a business wishes to use collected data for a purpose not originally agreed upon, it must obtain new permission for this re-purposing from everyone whose data it wishes to use in that way.

What Happens if Businesses Do Not Comply with GDPR?

If you think that your business can simply ignore the introduction of the GDPR and continue as before, think again. Any company found not to be complying with the GDPR can be penalized with heavy fines, unless the company is exempt under Article 30 (see below). In fact, many businesses are not yet ready for GDPR because they assume the legislation will not affect their company.

The truth is: If your company has any dealings with individuals who are EU residents, then your company is affected by this legislation.

What about Article 30 Exemptions?

Article 30 states that “The obligations referred to in paragraphs 1 and 2 shall not apply to (a company) employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”

When assessing your processing against this exemption, you must consider how the rights and freedoms of the EU citizens whose data you collect might be affected.

What Records Must Show

Your records must show such information as:

  • Company/organization name
  • Details of the business
  • Designation of a Data Protection Officer
  • What data is being processed and why
  • Personnel from whom data is collected
  • Categories of personal information collected
  • Proof that the data collected is safeguarded
  • Proof of your company’s data security measures

Does Your Business Need to Have a Data Protection Officer?

This depends on the data you collect and on how that data is collected, used, and/or stored.

If the data is deemed to be “regular” and its collection is for systematic monitoring of any EU citizens, then you likely need a data protection officer.