Does GDPR apply to a single-person business or small SME?
In a nutshell, yes it does.
GDPR came into force on 25th May 2018, and from that date it has been the responsibility of each business to make sure it is operating within the GDPR requirements.
In many single-person businesses or SMEs there is only one person in the business. This is not unusual, but you must still abide by the same regulations as the big companies.
To operate as a business you must have clients or customers, since you must make your money from somewhere, and to do this you will be capturing personal data in some form or another.
For example, if you sell jewellery via social media, you must collect names and addresses to post out orders, and you have to issue invoices even if you are paid through PayPal, Revolut, Facebook, etc. rather than the usual company invoice from an accounts package. All of this data gathering is covered by GDPR.
If you offer services rather than a product, you will again have clients or customers, and to carry out a service you need to collect personal data: a gas repair person needs an address to call out to, a name, a phone number and so on. Again, this is all personal data.
How you gather, use, process, retain and store this information are all areas you need to look at.
Questions you should be asking yourself:
1) Why am I gathering this information? Is it strictly necessary, or is it excessive, i.e. do I need three contact numbers for the client?
2) Am I processing this data only for the purpose it was gathered for? Are you adding names and emails to marketing or mailing lists simply because they are clients or customers? This is a big no-no.
3) How long are you storing this personal information for? Did you offer a guarantee with the sale of your product or service? Do you need to record the personal data in several different areas of your business (accounts, receipts, mailing lists, emails, social media, etc.)?
4) How are you storing this personal data? Is it stored on paper, on a computer or in a CRM? Is it secure? Finally, are you storing it for longer than necessary?
Go through the above questions and see if you have information that could be deleted. It will surprise you to see just how much personal data you are storing.
This is one step in your GDPR programme!
It only takes one step at a time.
To find out more about RE-GDPR, visit their profile on WhatsWhat.ie.
So, what does GDPR mean for small businesses? Practically the same as it does for large enterprises and organisations. If your business processes Personal Data (known in the US as Personally Identifiable Information, or PII), which is data that can be used to identify specific individuals, the business is subject to the rules of GDPR, even where the data is maintained manually in a structured paper-based filing system. Given the substantial potential penalties for breaches of GDPR, the safest option is to assume that GDPR compliance applies unless your business is not based in the EU and does not sell, or plan to sell, to data subjects in the EU.