How to deal with GDPR if you are a small to medium-sized business (SME)?

Are you the owner of a small company with fewer than 250 employees, overwhelmed by all the rules and requirements that the new EU regulation, the GDPR, asks of businesses? Well, you are not the only one. Here at eBerryBox, we also had many questions about what applies to us as a small business, what we need to do, and how we can comply with the rules as simply as possible. So we decided to put everything we found relevant for SMEs in one place and share it with you.

Before we go into details

Since we know how valuable time is for any business, we want to start this GDPR journey with a flowchart that should give you a simplified picture of what the GDPR is about and where your attention should be concentrated, depending on your business practices. In addition, below you will find a list of exceptions to the general rules which might apply to you and make your life easier.

  • If you anonymise the personal data you hold, it falls outside the Regulation. Nevertheless, you have to make sure that it is practically impossible to re-identify the data subjects.
  • You do not need specific consent from clients for sending them their invoice and other transactional e-mails.
  • You can also process personal data without consent if it is necessary for a contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract.
  • You only need consent from a person to communicate electronically with them – by e-mail, SMS, fax or telephone. You do not need consent to send them physical mail.
  • You do not have to keep records of your processing activities and categories, or make those records available to the supervisory authority, unless the processing could pose a risk to the rights and freedoms of data subjects, or you process any ‘special categories’ of data (such as health, sexual orientation and so on) or data about criminal convictions.
  • You only need to assign a DPO if you regularly or systematically monitor individuals’ personal data on a large scale, or if you process large volumes of sensitive or special category data.

Even if you find your business on the exception side, we still highly recommend that you go through the whole article on the eBerryBox website or simply Contact Us, just to be sure that you are safe when it comes to complying with the rules.