Small Business: does it apply to me?

It is easy to read the GDPR regulations as not applying to small businesses; however, that is not the case. It is important to review the category of information that is being collected, stored or used, as there is no company size threshold for handling, for example, health-related information.

Regulation Article 9

Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies: …

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

This confirms that health information, as a special category of personal data, is subject to the highest level of protection, regardless of the size of the organisation processing it.

The Hiscox article quoted below offers some useful points with regard to GDPR and small businesses.

“The regulation must be observed by any organisations with more than 250 employees, which on the face of it may give the impression that many UK small businesses will be exempt. However, it isn’t quite that simple. A business must still comply if it’s involved in regular “processing” of certain categories of personal data, which legally is taken to include collecting and storing as well as actually using data.

These categories include health data, information on individuals’ racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation.”
