Is there a difference between the types of data records SMEs & larger firms must keep for GDPR?
There is, but only if you process data occasionally…
Under the GDPR, SMEs (fewer than 250 employees) must hold internal records of data processing activities & where this data is being processed.
Businesses with more than 250 employees must keep more detailed records on:
- name & details of organisation
- name of data protection officer (DPO)
- why your organisation processes this data
- details on the types of data held
- details on who data is shared with, including transfers outside of the EU, retention schedules, etc.
- a description of technical & organisational security measures
If you are handling data regularly as an SME, we would advise that you adhere to the requirements of a 250+ employee business as a matter of best practice, to manage reputation and risk as effectively as possible. In support of this recommendation, the GDPR states that these extra record-keeping duties will apply to SMEs if “the processing it carries out is likely to result in a risk to the rights & freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data ... or personal data relating to criminal convictions & offences.”
As an SME do I need a data protection officer?
Whether or not you need such an officer is based on what data you collect.
For further information, including on Subject Access Requests (SARs), the Right to be Forgotten and much more, we have compiled a whitepaper just for SMEs: GDPR for small businesses. This paper provides a straightforward overview & answers your questions to help you work towards compliance. To access this whitepaper, sign up to Gravicus Osprey, where you will also get 5 free Data Protection Impact Assessments (DPIAs) with Osprey DPIA.