Small and Medium Enterprises (SMEs) and the General Data Protection Regulation
Small and Medium Enterprises (SMEs) in the United Kingdom in particular, and in the European Union in general, that operate in, or target individuals within, the European Union will be caught, regardless of the location of their servers. Non-EU businesses that target EU citizens with goods or services will also be expressly caught by the rules. Such businesses need to designate a representative in the EU to act as a point of contact with regulators and data subjects on compliance matters. It is important to note that businesses may be subject to the obligations of the GDPR either as a data controller or as a data processor. Organisations may therefore be subject to the GDPR in two ways:
· Data controllers are subject to the full range of compliance obligations. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
· Data processors are, for the first time under the GDPR, directly subject to a large number of obligations and sanctions, particularly in relation to security, sub-processing and international transfers. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The distinction between controller and processor is paramount to understanding liability and obligations under both the current DPD and GDPR regimes. There is also the possibility that certain businesses and their customers could be deemed joint data controllers in respect of the data. The GDPR applies to the processing of personal data wholly or partly by automated means. It also applies to “structured manual filing systems”. All commercial processing will be caught by the new regulation. There are some very limited exceptions (including purely personal/household activity and certain activities of Member States, EU institutions and law enforcement bodies) (Article 2).
The new definition of personal data set out in the GDPR is much wider, intended to reflect current online data capture and to future-proof the legislation as far as possible. Key definitions include: “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Stricter conditions and rules apply to the processing of special categories of personal data — often referred to as sensitive personal data — which covers: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The GDPR requires organisations to adopt a more formal and proactive approach to ensuring compliance with their privacy-related obligations. One of the new principles is that a data controller shall be responsible for, and be able to demonstrate, compliance with the other principles. In this sense, controllers are bound to implement appropriate technical and organisational measures to ensure and be able to demonstrate compliance, and to review and update those measures where necessary. This could be achieved by means of appropriate policies and/or adherence to codes of conduct. Controllers must also maintain detailed records of the processing activities under their responsibility. Processors are likewise subject to the requirement to document processing. Such records must be made available to supervisory authorities on request. Small businesses (those employing fewer than 250 people) are exempt unless the processing is high-risk.
In relation to the appointment of Data Protection Officers: certain data controllers and processors will need to designate a data protection officer (DPO) with the expert knowledge and ability to advise the organisation on its obligations and to monitor compliance. This function may be outsourced, and groups of undertakings may appoint a single DPO. The requirement applies to all public authorities. For the private sector, the thresholds for needing a DPO are: the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or processor consist of processing on a large scale of special categories of data (i.e. sensitive personal data) or of personal data relating to criminal convictions and offences.