Although Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR there are several stipulations that mean they probably still should.
Firms of over 250 employees must employ a Data Protection Officer (DPO). This person is responsible for ensuring that a business collects and secures personal data responsibly. GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.
Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible but at least within 72 hours.
Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.
Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice but the GDPR will be able to fine up to €20 million or 4 per cent of annual turnover (whichever is higher).