How to deal with GDPR if you are a small to medium-sized business (SME)?

  • On April 26, 2018
  • consent, data protection, GDPR, obligations, personal data, SME

Are you an owner of a small company with less than 250 employees and you are overwhelmed by all the rules and requirements that new EU regulation – GDPR – ask from businesses? Well, you are not the only one. Here in eBerryBox, we also have many questions regarding what applies to us as a small business, what we need to do, and how we can make it as simple as possible to comply with the rules. Hence, we decided to put all that we found relevant for SMEs in one place and share it with you.

Before we go into details

Since we know how valuable time is for any business, we want to start this GDPR journey with the flowchart which should help you to get a simplified picture of what GDPR is about and where your attention should be concentrated on depending on your business practises. In addition, below you will find the list of exceptions to general rules which might be applicable to you and will make your life easier.

  • If you anonymise personal data you hold, then it falls outside the Regulation. Nevertheless, you have to make sure that it is practically impossible to re-identify the data subjects.
  • You do not need specific consent from clients for sending them their invoice and other transactional e-mails.
  • You can also process personal data without consent if it is necessary for a contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract.
  • You only need consent from a person to communicate electronically with them – by e-mail, SMS, fax or telephone. You do not need consent to send them physical mail.
  • You do not have to keep records of your processing activities and categories, and to make those records available to the supervisory authority, except if there could be a risk to the rights and freedoms of data subjects, or you are processing any ‘special categories’ of data (like health, sexual orientation and so on) or about criminal convictions.
  • You only need to assign a DPO if you regularly or systematically monitor individuals’ personal data on a large scale, or if you process large volumes of sensitive or special category data.

Even if you found your business on the exception side, we still highly recommend that you go through the whole article just to be sure that you are safe when it comes to complying with the rules.

1- What is GDPR?

GDPR is the EU General Data Protection Regulation coming in force the 25th of May. The purpose of it is to protect EU citizens’ data privacy by determining when and how organizations should process personal data associated with a physical person.

2- Does it apply to you?

Even if your business belongs to the category described as a small or medium (having less than 250 employees), GDPR applies to you if you process and hold the personal data of individuals residing in the European Union. This includes customers’, suppliers’ and employees’ personal data collected, processed and stored on a spreadsheet, on computer network, mobile phone, or in the cloud.

3- What is personal data?

Personal data is any information related to an individual, e.g. customer or HR information that can be used to directly or indirectly identify the person:

  • name, CPR or ID number
  • Photo
  • e-mail address
  • bank details
  • posts on social networking websites
  • online identifier of all kinds (e.g. IP, cookies, RFID)
  • sensitive personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

4- What is data processing?

Processing refers to collecting, storing, using, etc. personal data.

5- Who does control and process data?

Imagine that you own a beauty salon and you gather e-mails, phone numbers or any other personal data from your clients with the purpose to send them information regarding your products, offers and services and you ask eBerryBox to take care of those e-mails on your behalf. In this case, based on GDPR, you are considered as a data controller while we in eBerryBox become data processors.

On the other hand, if you own a one man’s carpentry services company and you have contact information of your clients on a spreadsheet being the only person who has access to it and use it, then you become a data controller and a processor at the same time.

If we put it in more precise terms, data controller is the one who holds personal data and decides the purpose of the data processing activities, meanwhile, data processor is the one who processes personal data on behalf of the controller.

6- For what purpose can you use data and how long?

The personal data you have about your clients, employees, etc., can be processed for a specific, explicit and legitimate purpose only and it has to be accurate, updated, and protected by security measures. When the purpose has been fulfilled, you should not hold that information any longer, it should be deleted.

7- Consent

Consent is a freely given, specific, informed and clear statement that a person makes, giving you a permission to use his/her personal data for a specific purpose. If you have two or more different purposes you want to use the personal data for, you should get a consent for each of it independently.

The request for consent must be clear and separated from other policies on your website or communications, and you should attach the purpose for data processing to the consent. Explicit consent is required only for processing sensitive personal data (see part 3).

It must be as easy for individuals to withdraw consent, as it is to give it, and you as a company are obliged to maintain a record that proves that the consent was given.

  • You do not need specific consent from clients for sending them their invoice and other transactional e-mails.
  • You can also process personal data without consent if it is necessary for a contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract.
  • You only need consent from a person to communicate electronically with them – by e-mail, SMS, fax or telephone. You do not need consent to send them physical mail.

8- Make sure people know how you use their data – your obligations

Whether you are a data controller or a data processor, you must inform individuals about how you use their data. This you should do in a so called privacy or fair processing notice, and it can be either a single document or a page on your website.

Depending on whether you are a data controller or a data processor, slightly different requirements apply.

If you are a data processor, in your privacy notice inform people about the following:

  • who is the controller of that data and contact information of the controller;
  • whether or not personal data concerning them is being processed, where and for what purpose;
  • how long processing will last;
  • categories of recipients who get access to process the information (e.g. your supplier);
  • whether the information will be transferred to third countries;
  • the right to have the personal data corrected or deleted;
  • the right to object to processing and limit processing;
  • the right not to be profiled. Profiling should be understood as processing of personal data, which is intended to evaluate certain personal aspects. However, consent may be given to the profiling for e.g. marketing purposes;
  • the right to have their information handed over, so they may be transferred to another service provider;
  • the possibility to withdraw a consent;
  • the possibility to complain to the supervisory authority;
  • whether the personal data are processed as part of a contract;
  • whether information is processed for new purposes.

If you are a data controller and you collect information from the third party, you have to:

  • inform the data subject about which categories of personal data is to be processed;
  • from which source the information comes from.
  • if requested, provide a copy of the personal data, free of charge, in an electronic format.

The fact that you buy some personal data (e.g. a customer database) does not give you the right to process it.

Based on GDPR, it is required to provide comprehensive, clear and transparent privacy policies and detailed records of processing activities. However, for businesses with fewer than 250 employees the records of processing activities are not required unless they relate to processing personal data that could result in a risk to the rights and freedoms of individual, or processing of special categories of data or criminal convictions and offences.

9- Keep personal data safe – data protection

Whether you are a data processor or a controller, you have to make sure that personal data you hold is safe. You are required to design data protection tools in your IT systems from the very beginning – in GDPR terms, privacy by design.

You can consider data pseudonymisation, anonymisation, and encryption. These terms might sound unfamiliar to you, so we recommend you discuss this with your IT people.

In general, it is highly recommended to hold and process only the data absolutely necessary for the completion of your work/service and to limit the access to personal data to those processing it.


GDPR checklist for Danish SMEs 

When going through the checklist, include past and present employees’, suppliers’ as well as customers’ and anyone else’s personal data you store or use.

  1. Know your data: what kind of personal data you have (for example, name, address, e-mail, bank details, photos, IP addresses or more sensitive, such as health details or religious views), where data comes from, where it goes and how you use it, for what purpose.
  2. Make sure you have consent to process personal data.
  3. Check your security measures and policies, they have to be GDPR-compliant. If you do not have, you must get them in place.
  4. Make sure you are able to provide requested information from individuals regarding their personal data within one month from the original date of request.
  5. Your employees should understand what personal data is and what a breach means. They should report about the serious breach within 72 hours. It is also important that everybody involved in your business is aware of a need to report any mistakes to the Data Protection Officer (DPO) or the person or team responsible for data protection compliance. This applies to data held by you in any form – not just electronic. Paper-based data that is structured according to specific criteria should be treated with the same level of care.
  6. Where your suppliers (processors) are processing personal data on your behalf, you as a controller have an obligation to update your contracts with your data processors and to include a number of mandatory clauses that can be found in Article 28(3) of the GDPR. By doing so you can be sure that processors are contractually GDPR-compliant.
  7. Have very clear privacy notices.
  8. Decide whether you need to employ a Data Protection Officer (DPO). Most small businesses will be exempt. However, if your business involves a ‘regular or systematic’ monitoring of data subjects on a large scale, or which involve processing large volumes of ‘special category data’, you must assign a DPO. It is still not fully defined what ‘large scale’ means, but some of the examples that are given include processing: patient data by a hospital, travel data for people using a city’s passenger transport service, customer data by an insurance company or a bank.


Written by Paulina Juknaite