Does the General Data Protection Regulation (GDPR) affect small employers?

Yes. The General Data Protection Regulation (GDPR) applies to organisations of all sizes. The reason for this is that, even where an organisation employs only a few people, it could be processing a large amount of data in the course of its business and the consequences of non-compliance with the GDPR could be significant.

The GDPR requires organisations to take measures that are appropriate, taking into account the nature, scope, context and purposes of processing, as well as the likely risks to the rights and freedoms of individuals. Further, supervisory authorities are required to ensure that any fines are effective, proportionate and dissuasive. Therefore, it is less likely that the supervisory authority will focus its attention on organisations that do not process a large amount of personal data and are not involved in higher risk processing. Further, those organisations would not be expected to commit as many resources to GDPR compliance as higher risk organisations would.

There is a limited exemption for organisations with fewer than 250 employees in relation to record-keeping requirements, but employers should be aware that this is only a narrow exemption and that the other requirements and principles of the GDPR apply regardless of the organisation's size. Further, organisations with fewer than 250 employees must still retain a record of their processing activity if the processing:

  • is likely to result in a risk to the rights and freedoms of data subjects;
  • is not "occasional";
  • includes special categories of data (ie sensitive personal data); or
  • includes personal data relating to criminal convictions and offences.

It is therefore unlikely that small employers would be able to rely on the exemption, as most employers will process special categories of data relating to their employees.