GDPR Misconceptions - Small organisations are exempt from the GDPR

In order to write our GDPR courses, I had to first understand what it’s all about. This was no simple task. The regulations themselves are – like any good piece of legislation – pretty unclear. So, I needed to also read lots of secondary literature; I’ve read more articles, blogs, and industry guidance, and had more conversations with colleagues, friends and…just about anyone who’ll listen, than I care to mention. And in all of this, I have found that everyone, including myself, has fallen prey to the same few myths and misconceptions. I wanted to use this series of blog posts to help clear up these errors in thinking and hopefully make the daunting task of getting to grips with the GDPR just that little less daunting.

Small organisations are exempt from the GDPR - false. 

This is, perhaps, one of the biggest and most persistent myths I’ve seen while researching the course. It’s also the myth which worries me the most as it may encourage smaller organisations to abide by the GDPR, thinking that they are exempt.

So, let me say this as plainly as I can – The GDPR applies to ALL organisations regardless of size, turnover, or number of employees.

Small organisations still need to uphold the rights of the data subject, they still need a lawful reason for processing data, they still need to only hold data for as long as necessary, not use it for any unspecified reasons, and make sure it’s properly safeguarded whilst in their possession. This, in essence, is the GDPR and this, in practice, applies to any organisation who processes or controls the personal data of EU citizens.

Now, the writers of the regulations do understand that not every organisation is created equal and that a massive, multi-national business will likely have more resources to spare than a local, self-employed one-man-band who handles every aspect of the business themselves. As such, they’ve allowed for certain exemptions.

For example, Article 30 of the GDPR requires all Controllers and Processors to keep detailed written records of all their data processing activities. However, it goes on to say that organisations with fewer than 250 employees are exempt from this requirement – unless they process special categories of personal data (sensitive data), the processing is not occasional, or that there is a likelihood that the processing might pose a risk to people’s rights and freedoms.

Having said this, it’s still probably a good idea to keep these kinds of records, even if you’re not required to. Article 30(4) of the regulations requires you to be able to make all of the processing information mentioned earlier available to the Supervisory Authority on request – you’ll also need to provide it if you receive a Subject Access Request. This would be easier if you’d kept these kinds of records in the first place, rather than trawling through masses of information to find what you need – assuming you’re able to find the information at all.

GDPR eLearning Courses

Get free trial access to our GDPR eLearning courses at any time! So far we've helped over 350,000 work towards GDPR compliance! Make sure you do it the simple way, with iHASCO. 

Check out our Information Security Training bundle to find our GDPR Essentials, GDPR for Management, and Cyber Security courses!