GDPR: what SMEs need to know regarding privacy

Clarifying the new EU data protection regulation.

GDPR - General Data Protection Regulation - is in the news. With the May 25, 2018, effective date looming, non-European businesses large and small are preoccupied with the question of compliance.

As a small, even one-person, business or a mid-sized company, you probably still have a lot of questions. The wealth of information out there is often contradictory and rarely clear. Allow us to share with you our insight based on our extensive experience working with European companies and authorities on personal data protection.

Does the GDPR apply to me as an SME?

Do you do business with people who live in Europe? Then the short answer is yes.

The GDPR regulates the processing of personally identifiable information (PII). Processing, simply put, means collecting, storing or using information. Since our means of communication are predominantly electronic today, you collect and store, in some way, information that personally identifies these people.

What is personally identifiable information (PII)?

The simplest form of this is your email contact list, which gathers and stores a person’s first name, last name, and email address, the latter usually containing part or all of that name. Even a professional email address, e.g. [email protected], is covered.

Other examples of PII are:

  • a home address;
  • an identification card number;
  • location data (for example the location data function on a mobile phone)¹;
  • an Internet Protocol (IP) address;
  • a cookie ID¹;
  • the advertising identifier of your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

By now, you’re probably asking…

Why is it important to protect personally identifiable information (PII)?

The GDPR aims to protect against potential misuse, i.e. unauthorized use, of such personally identifiable information. This means misuse either by a company in the course of its business (sending unsolicited promotional emails, sales of lists, profiling for advertising or decision purposes, etc.), or by an illicit entity that steals the information from a professional or company and uses it to commit a crime (fraud, theft, defamation, etc.).

Therefore, such information as a company registration number, a generic company email address like [email protected], or any data that is anonymized (e.g. anonymized census data), is not considered PII because it presents no risk to an identifiable individual.

Is all PII the same?

No. Some information is considered sensitive. Sensitive data includes information about the health, race, sexual orientation, religious, philosophical or political beliefs, criminal record, and genetic or biometric data of an individual. In other words, anything that can be used against them and cause them harm. Such information is subject to extra safeguards.

What if I use a third-party platform to process the data?

If you are a small business engaged in the sale of products via a storefront platform, for example, you are not subject to GDPR. Your communication with your customers takes place via the platform, and order, payment and shipping information is processed by the company in question.

What does the GDPR require me to do?

  • Tell people what data you collect and what you do with it — You need to set this out clearly in your Privacy Policy.

  • Ask them to expressly agree to that — You cannot assume they agree and ask them to say if they do not. You must get them to opt in. (This was already a requirement for promotional communications, covered by the e-Privacy Directive in the EU, and is also a requirement in Canada.) They can change their mind at any time and opt out and you must allow them to easily do this.

  • Allow them to access the data you hold on them — If someone asks you to show what data you have regarding them, you must be able to easily do so. If someone asks you to send that information to another company, you must be able to easily do so. If someone asks you to erase the data you have on them, you must be able to easily do so.

  • Review your vulnerability to breaches and put into place procedures in case of breach — You will need to implement appropriate technical and organizational measures to avoid possible data breaches. If there is a data breach, you have to notify the supervisory Data Protection Authority (DPA) without undue delay, and at the latest within 72 hours after having become aware of the breach. If the breach concerns information that presents a high risk to the rights or freedoms of the person(s), you will need to notify those affected directly.

  • Keep records — If you process data regularly, or if it is sensitive, or poses a threat to rights and freedoms, you will need to keep track of consents and agreements and your processing activities, even if you are a company of fewer than 250 employees.

  • Be responsible for the information you hold — If you transfer the data to a country that is not approved by the EU authorities, you must make the necessary legal arrangements to keep the processing of it GDPR-compliant. If you process data for another company, you should make sure it is legally very clear what each company’s responsibilities are. If processing data is part of your core business, i.e. you do it on a large scale, and the information you process poses a threat to the rights and freedoms of the individuals concerned, you need to appoint a Data Protection Officer, even if you are a company of fewer than 250 employees.

  • Prove you need to process sensitive information — The GDPR is explicit about the cases in which you can do so, and you will need to show that you fit one of the categories and comply with any national restrictions.

  • Be particularly careful if personal information is processed automatically and may lead to a decision — You must be able to show that no discrimination is possible, and you must be able to cease the automatic processing of an individual’s information upon request by them.

  • Show you can remain compliant — You must have a data protection strategy in place and make sure it is always current.

But how do I do all that?

Becoming GDPR-compliant is a process requiring a plan, resources, a full understanding of the framework, and the right operational skills. In Europe, GDPR is not such a big deal because personal data protection is nothing new. In fact, the new regulation does not revolutionize data protection, but strengthens and unifies it throughout the 28 member states of the EU.

As a result, it also simplifies the regulatory environment for international business. You may not know it but, if you were doing business with people in the EU already, you were subject to the regulations of their country of residence, which could vary from place to place. Now you only have one set of rules to worry about, though enforcement remains a national responsibility.

We understand that this is a headache for North American companies. Find out how we can apply our 20 years of experience in Europe to helping you achieve ongoing GDPR-compliance.

Important Note: This post does not constitute legal advice.



1: The use of location data or cookies is also covered by further, specific legislation: the ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (OJ L 201, 31.7.2002, p. 37)) and Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 (OJ L 364, 9.12.2004, p. 1).