Does the UK GDPR apply to small employers?
Yes. The UK General Data Protection Regulation (retained from EU Regulation 2016/679) (UK GDPR) applies to organisations of all sizes. The reason for this is that, even where an organisation employs only a few people, it could be processing a large amount of data in the course of its business, and the consequences of non-compliance with the UK GDPR could be significant.
The UK GDPR requires organisations to take measures that are appropriate, taking into account the nature, scope, context and purposes of processing, as well as the likely risks to the rights and freedoms of individuals. Further, the Information Commissioner's Office (ICO) is required to ensure that any fines are effective, proportionate and dissuasive. Therefore, it is less likely that the ICO will focus its attention on organisations that do not process a large amount of personal data and are not involved in higher-risk processing. In addition, those organisations would not be expected to commit as many resources to UK GDPR compliance as higher-risk organisations would.
There is a limited exemption for organisations with fewer than 250 employees in relation to record-keeping requirements, but employers should be aware that this is only a narrow exemption and that the other requirements and principles of the UK GDPR apply regardless of the organisation's size. Further, organisations with fewer than 250 employees must still retain a record of their processing activity if the processing:
- is likely to result in a risk to the rights and freedoms of data subjects;
- is not "occasional";
- includes special categories of data (eg data relating to health); or
- includes personal data relating to criminal convictions and offences.
It is therefore unlikely that small employers would be able to rely on the exemption, as most employers will process special categories of data relating to their employees.