Disclaimer: I’m a Software Engineer who has spent a bunch of time working on issues relating to the GDPR from a systems design/security/process point of view. I’m definitely not a lawyer so this is my perspective and not legal advice. If you want legal advice, get a lawyer.
Question: How does the GDPR apply to micro, small and medium-sized enterprises (SMEs)?
The General Data Protection Regulation (GDPR) protects the personal data of EU residents who are in the EU. This regulation comes into effect 25th May 2018 (see Article 51/Paragraph 4) and has been designed to bring personal data protection up to date as the previous directive (Directive 95/46/EC) was adopted in 1995 and had fallen well behind in being able to cover modern day data protection issues.
Firstly, some definitions
Defintion of micro, small and medium-sized enterprises (SMEs) is very specific – the GDPR references the Article 2 of the Annex to Commission Recommendation 2003/361/EC. I’ve included extracts fro the Annex below but to summarise (and note below that annual turnover is also taken into account) an SME is defined as being a business that employs fewer than 250. Specific thresholds for micro, small and medium are defined exactly (again see below).
Derogation (to quote wikipedia) is “the partial suppression of a law”. There area number of parts of the GDPR which allow for derogation (for example personal data transfer limitations are derogated in the case of international public health authorities tracking contagious diseases) and there is a single specific derogation in the case of SMEs which is mentioned in Recital (13) and clearly indicated in Article 30 “Records of processing activities”.
The Derogation of record-keeping
Article 30 lists mandated responsibilities for data controllers and data processors, effectively requiring both that there are live documents which contain the full records of how information is processed, who has access, who is responsible and how the companies processes meet the GDPR. The responsibilities are covered in paragraph 1 and 2 and the final paragraph in the Article indicates that SMEs who meet derogation requirements can ignore paragraph 1 and 2 (so all record keeping requirements).
What this means is that the rest of the GDPR applies – but by reducing the record keeping burden for SMEs the EU is acknowledging that this burden would likely be beyond the capacity of many SMEs (or would use too many resources). The SMEs still need to meet other requirements (some examples being the right to be forgotten and adequate security for personal data) but they will be able to respond to GDPR queries on an adhoc basis when needed.
Specific Needs / Special Consideration for SMEs
In five places in the GDPR the specific needs of SMEs is mentioned – primarily indication that all EU member state regulatory bodies (and in fact the EU Commission itself) should take the special needs of SMEs into account when enforcing the GDPR (and in their interaction and education of SMEs).
This is vague but the implication seems to be (and in keeping with the idea of derogation of record keeping for SMEs) that SMEs will not be expected or required be as responsive and to have resources (legal and technical) assigned for GDPR compliance / complaints in the way that a large enterprise would be.
Extracts from the GDPR
The following extracts from the GDPR cover the issues discussed above – I have used bold text to highlight specific parts.
Recital (13)
In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.
Recital (98)
Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.
Recital (132)
Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.
Recital (167)
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.
Article 30 “Records of processing activities”
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Article (40) “Codes of conduct”
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
Article 42 “Certification”
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
Extracts from Annex to Commission Recommendation 2003/361/EC
The following extracts from the annex referenced in the GDPR to define micro, small and medium-sized enterprises – I have used bold text to highlight specific parts.
Article 2
Staff headcount and financial ceilings determining enterprise categories
1. The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.
2. Within the SME category, a small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million.
3. Within the SME category, a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.
I am sorry, but you are wrong with your conclusion on following: “What this means is that the rest of the GDPR applies – but by reducing the record keeping burden for SMEs the EU is acknowledging that this burden would likely be beyond the capacity of many SMEs (or would use too many resources).” SMEs which have employees have to keep the records according to Art. 30 GDPR.
Thanks for your comment – I believe that my conclusion is correct where SMEs meet the derogation requirements from the same Article (30):
Which is to say that organisations larger than SMEs with any sort of personal data are required to meet all the mandated responsibilities of record keeping, while SMEs that are not covered by the above points are still required to meet the general requirements of the GDPR but in a more ad-hoc and less-documented way.
Further to that – to quote the EU Commission itself (see: Do rules apply SMEs):