26 January 2018

If I Have Fewer Than 250 Members Of Staff, GDPR Doesn't Apply To Me, Right?

Vistra

Contributor

Ranked among the top three corporate service providers globally, Vistra is a versatile group of professionals providing a broad range of services, from business information, AML & compliance, UK and international incorporations and company secretarial support to wider corporate governance, director, accounting, tax, international expansion, alternative investments and legal services.

New data protection law is due to come into force on 25 May 2018 in the form of the General Data Protection Regulation (GDPR). One of the many myths surrounding the new data law is that it doesn't apply to businesses that have fewer than 250 employees.

Where has this myth come from?

To take SMEs into account, GDPR includes an exemption from record-keeping for businesses with fewer than 250 employees. However, it's important to note that this exemption does not extend to any other aspect of GDPR: such businesses are still required to comply with the rest of the regulation.

What record-keeping obligations do businesses have under GDPR?

Businesses must maintain records of the processing activities for which they are responsible or which they undertake on behalf of those who are responsible. There are different record-keeping requirements depending on whether a business is a controller (those that determine the purpose and means of processing of the personal data) or a processor (those responsible for processing the personal data on behalf of the controller). Article 30 of GDPR sets out in full the specific information that businesses must retain.

The records held by businesses must be kept in writing, including electronically, and be made available to a supervisory authority on request (in the UK the supervisory authority is the Information Commissioner's Office).

What is the exemption?

The record-keeping obligations under the GDPR do not apply to businesses employing fewer than 250 employees. However, there are certain circumstances where such a business must continue to comply with the record-keeping obligations under GDPR, for example where the processing includes data relating to criminal convictions or special categories of data such as racial or ethnic origin.

Record-keeping is, of course, just one of the many obligations that businesses have under the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
