Matthew Holman aims to clarify the SME exemptions and specific provisions set out in the compromise text of the GDPR. He also explores some of the areas where SME provisions were anticipated but ultimately were not included
The range of responses from SMEs to compliance with data protection legislation can be the source of great surprise. For some SMEs it is a real headache, but they get the basics. For others, good data protection is built into the fabric of their business and they make the most of the opportunities that good compliance offers. And then there are others who, despite having been in business for many years, have never actually heard of the Information Commissioner, and don't want to notify him of anything, thank you very much. The good news for the latter category is that, soon enough, they won't have to notify him any more. But is that where the good news stops?
This article analyses the text of the most recent version of the GDPR available at the time of writing, being the version 15039/15 DGD 2C produced by LIBE following the trilogue conclusion. For the purpose of this article and unless otherwise specified, SMEs mean micro, small and medium-sized business that have fewer than 250 employees and an annual turnover not exceeding €50m and/or an annual balance sheet total not exceeding €43m.
Small. Significant. Sacrosanct?
Only 1% of businesses in the UK employ more than 250 employees. SMEs accounted for about 99% of all private sector businesses in the UK in 2015. A significant swathe of the business population will be impacted by the arrival of the GDPR and would (in theory) stand to benefit from the relief offered by SME exemptions. A brief review of SME industry press regarding the GDPR reveals that one of the biggest worries SMEs have is the cost of compliance, not the (allegedly) restrictive effect on business practices. In 2012, the Ministry of Justice estimated that the total annual cost to SMEs in the UK of complying with the GDPR will be £291 million.The most significant expenditure is anticipated to be employing a data protection officer (or DPO) (£182 million) with reporting breaches and carrying out privacy impact assessments (or PIA) close behind (£55 million and £54 million respectively). Add to this the potential extra time spent working on new procedures and policies and much higher fines for non-compliance (excluding the extra cost of engaging lawyers) and it is easy to see why SMEs, with their limited resources, are justifiably concerned about the commercial realities of life with the GDPR.
The fundamental significance of SMEs to all EU economies was accepted in some form or another by all of the political bodies, consultations and advisory parties to the formal GDPR process. Each sought in different ways to provide exemptions for SMEs in order to offer relief to some of the more challenging aspects of the GDPR for businesses with limited resources. So what did we end up with?
SMEs throughout the GDPR
During the developmental stages of the GDPR, there were numerous representations made regarding how best to manage the thorny issue of SMEs in a law that is designed to apply uniformly across many countries, cultures and business formats. SMEs actually receive very little mention in the compromised version of the GDPR. Recital 11 says: 'To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.' There are similar provisions in Recital 130 regarding Commission implementing acts. Recital 76 also states that codes of conduct should be drawn up '…so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium-sized enterprises.' Supervisory authorities are to conduct awareness-raising activities addressed to the public that should include specific provisions regarding SMEs. Article 39(1) also states that EU member states and national supervisory authorities must encourage 'the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations carried out by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account' (my emphasis).
So, from this we can conclude that the combined will of the political bodies formally recognises that SMEs require different treatment from both large and public enterprises and envisages particular ways in which the specific needs of SMEs can be addressed. In particular, we can also see that the political bodies place significant importance on derogations and implementing acts of the Commission and further guidance and codes of conduct in order to elaborate on the application of the GDPR to SMEs.
Commission powers and guidance
In light of the conclusion above, you may be perplexed to learn that a lot of the provisions in the main text of the GDPR granting the Commission delegated authority to implement SME measures were deleted during trilogue. Proposals that were removed included the ability of the Commission to provide specific measures for SMEs regarding:
· obtaining consent from children;
· the provision of information regarding processing to data subjects;
· compliance with the principles of data protection by design and by default; and
· processing operations likely to present specific risks requiring an SME to undertake a PIA.
In addition, the Parliament's amended text of Article 54 (tasks of national supervisory authorities) stated that '[e]ach supervisory authority shall provide micro, small and medium-sized enterprise controllers and processors on request with general information on their responsibilities and obligations in accordance with this Regulation.' This text was ultimately deleted by the Council. Nevertheless, national supervisory authorities must develop (and encourage trade associations to develop) codes of conduct that are '…intended to contribute to the proper application of [the GDPR] taking account of… the specific needs of micro, small and medium-sized enterprises'. At the time of writing the ICO is in the planning phases of its first piece of guidance following the Commission's notice confirming that political agreement about the GDPR had been reached. SMEs (and those advising them) are advised to keep a close eye on the issues that the ICO seeks to address in its guidance and any specific recommendations made for SMEs.
SMEs and Data Protection Officers
The most consistent question that I have been asked about the GDPR is whether all SMEs will need to appoint a data protection officer (DPO) when the GDPR comes into force given the (quite fair) concern about extra cost to businesses.
The Commission press release following conclusion of the trilogue debate says that SMEs need not appoint a DPO unless they meet the criteria set out below. The specific reference to SMEs is misleading. In the original text of the GDPR, the Commission did include an exemption for SMEs. This was the source of a lot of debate and criticism. The ICO's opinion on the draft GDPR challenged the SME threshold on the basis that it is arbitrary and would unfairly exempt lots of small businesses that carry out very intrusive processing activities. The Parliament proposed to scrap the SME exemption on the basis that it is not a useful criterion for differentiating between undertakings in this context. Instead it replaced the exemption with a threshold based on whether a business' processing affected more than 5000 data subjects in any 12 months. The Parliament also sought to make the appointment of a DPO subject to a risk-based assessment saying that 'the appointment of a [DPO] should only be required if the data processing operation relates to the [undertaking's] core activities and poses a high risk. Only in such a high risk situation, [should] the obligatory appointment of a DPO be justified. In any other case, the appointment of a DPO should be optional.'
Ultimately, all thresholds based on numbers were removed during the trilogue discussions and so the GDPR has no SME exemption regarding DPOs. The Parliament's proposal to include a high risk qualification was also removed. With reference to the Commission's press release, all businesses will need a DPO (whether or not they are an SME) if the following criteria are met:
[where] the core activities… consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
[where] the core activities… consist of processing on a large scale of special categories of data pursuant to Article 9 (sensitive personal data) and data relating to criminal convictions and offences referred to in Article 9a.
A detailed examination of the key elements of these sub clauses is beyond the scope of this article, but it is prudent to touch briefly on them from the perspective of SMEs. The Parliament's amendments to the draft GDPR contained a proposed definition being that 'Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from this data'. Arguably such a definition would help exempt many SMEs whose use of data is secondary to their main operation. However, this definition did not survive in the final GDPR. Of equal interest will be the future guidance offered by the ICO and/or the European Data Protection Board (EDPB) regarding the definition of 'regular and systematic monitoring' and 'large scale'. The argument put forward by the ICO is (I suggest) persuasive: why should SMEs conducting intrusive large scale processing necessitating a DPO be exempt purely on their size of enterprise? Nevertheless, for the majority of SMEs, which do not conduct any processing that comes close to this description, the next most likely saviour from the DPO requirement will be that they are not doing anything on a 'large' scale or otherwise in a 'systematic' way. Given the significance placed on this issue by SMEs, expect detailed guidance on the key elements of the DPO definition.
SMEs and Fines
After DPOs, the second most pressing issue that SMEs seem to raise is the amount that they could be fined. The severity of the new increased cap for administrative fines has been well documented. The eventual conclusion was a two-tier system available to national supervising authorities. They can issue fines of up to €10m or 2% of worldwide turnover for less serious breaches (eg administrative failures regarding record keeping processes and privacy impact assessments) and up to €20m or 4% of worldwide turnover for more fundamental failures (eg breach of the basic data protection principles or breach of data subject's rights).
The original Commission proposal contained a specific caveat for SMEs. It was proposed that SMEs could get a written warning for first and non-intentional failures to comply. This lesser punishment was deleted in the Parliament and Council versions of the draft GDPR and was not resurrected in the trilogue discussion. Consequently, all businesses are exposed to the new regime, regardless of size. Of particular concern to SMEs is that non-compliance arising from procedural or record-keeping issues can give rise to the lower tier of fines, something that the ICO originally criticised. It is also worth noting that, when assessing the level of fine, national supervisory authorities need to take account of adherence to codes of conduct or approved certification methods. SMEs would be well advised to monitor developments with their specific industry sectors and, of course, any official guidance. Doing so may act as some level of defence where the breach occurred despite the code of conduct being properly observed.
SMEs, Notification and Records of Processing Activities
The GDPR abolishes the duty on businesses to notify the ICO of their processing activities.This will no doubt be welcomed by SMEs far and wide not least because, under the DPA, failure to notify carries criminal and civil penalties, which seem grossly disproportionate to the benefits offered by ICO notification.
To replace the notification regime, the GDPR says that controllers need to maintain records of their processing activities. The GDPR is prescriptive regarding the content of those records. It lists things such as the purpose of the processing, the description of the categories of data subjects and personal data, the categories of recipients to whom personal data is disclosed and (where possible) the time limits for erasure and a description of the security measures taken by the controller. There are similar provisions for processors, although they are slightly less prescriptive.
Article 28(4) creates an exemption for controllers and processors that have less than 250 employees. It is important to note that this is not the SME definition that relates to turnover and balance sheet values; it is based exclusively on head count. Article 28(4) was criticised by the Article 29 Working Party, which was the principal advocate of risk-based qualifications to the 250 employee exemption. The Parliament proposed to delete entirely Article 28(4) and the Council pushed for inclusion of the exemption with some risk-based qualifications. The result is that the SME exemption remains but with three qualifications to the 250 employee threshold, which are where the processing:
· is likely to result in a risk for the rights and freedoms of data subjects;
· is not occasional; or
· relates to sensitive personal data.
The GDPR does not provide any further detail regarding these three qualifications, something that will almost certainly follow in further guidance from the national supervisory authorities and/or the EDPB. Without this guidance it will be extremely difficult for SMEs (and those advising them) to meaningfully determine if their application of the qualifications mirrors what was intended by the GDPR.
A detailed analysis of the various legislative drafts gives some indication as to the Council's intentions when proposing the first qualification (relating to risks to data subjects' rights and freedoms). The original Council wording said that a SME would not be able to benefit from the exemption where the processing '…is likely to result in a high risk for the rights and freedoms of data subjects such as discrimination, identity theft or fraud, unauthorised reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage'. This wording did not survive into the GDPR although, at the very least, it is indicative of the kinds of risk to the rights and freedoms of data subjects envisaged in the new Article 28 (4). It could be argued that the intention behind removing the specifications listed in the Council text was to widen the potential scope of the qualification.
Final Issues: SMEs, Data Processors and Data Subject Information Rights
The GDPR brings with it new obligations (and liabilities) for data processors, namely: provision of an appropriate level of security, data breach notifications to controllers, designation of DPOs, record-keeping, direct liability to pay compensation, policing of controllers and assistance with the controller's compliance with its security obligations, breach notifications, impact assessments and prior consultations with data protection authorities. At a first glance, this is great news for controller SMEs: big bad processors have to help with compliance under the new GDPR. Unfortunately there is a reasonable likelihood that current agreements between controllers and processors will not be compliant with the GDPR and will probably need updating. This gives processors a foot in the door to renegotiate the terms and potentially re-allocate the risks imposed on them by the GDPR. SMEs are often not in a strong negotiating position when buying or selling processing activities with larger commercial enterprises; a watchful eye should be kept on the smart work-arounds that will inevitably make their debut in the new world of processor agreements.
Some practitioners may also recall that at one time the Parliament had proposed wording to Article 14 (information to be provided where the data are collected from the data subject) which meant that the duty to provide a detailed list of information about things such as the source of data and the nature of the processing were not binding on a 'small or micro enterprise which processes personal data only as an ancillary activity.' This proposal did not survive into the GDPR and as such there is no SME exemption regarding the duty to provide information at the time of data collection.
There can be no doubt that the coming changes to data protection legislation will have a significant impact on SMEs. The political negotiations at an EU level seem to have resulted in a lot of discussion about the protection of SMEs. However, ultimately, many specific provisions have been removed, predominately due to the GDPR raison d'etre of empowering citizens and ensuring uniform protections across the Union. It is plain to see that the basic remit of exemptions for SMEs is still to be fully worked out: this is a significant area of flux. Michal Boni MEP was reported on 28 January 2016 as saying at the CPDP Conference in Brussels that appropriate guidance must be issued for SMEs. SMEs and their advisors can take comfort from the presence of specific exemptions regarding records of processing activities and must keep a watchful eye on the horizon for delegated acts from the Commission and new guidance from the EDPB and/or national supervisory authorities.
Matthew Holman is a solicitor at EMW Law, a Commercial law firm with offices in London and Milton Keynes. Matthew specialises in technology and data privacy and he advises many SMEs and large corporations about data privacy issues. He would like to thank the EMW Commercial team for their assistance, specifically research colleagues Arjun Majumdar and Rachel Edwards.
 Paraphrase from an actual client/solicitor meeting between the author and the board of an e-commerce business when told that their proposed use of personal data almost certainly required notification with the ICO.
 The full text of the definition of micro, small and medium sized enterprises is taken from the Commission Recommendation 2003/361/EC 6 May 2003 Article 2.
 Department for Business Innovation and Skills – Business Population Estimates for the UK and Regions 2015 – 14 October 2015
 Ministry of Justice Impact Assessment – 22 November 2012
 The Ministry of Justice estimates that around 4% of SMEs and micro organisations (approximately 42,000) could be carrying out processing that requires them to appoint a DPO – Ministry of Justice Impact Assessment, p 35
 Recital 102
 Article 39(1)
 Article 8(3), now deleted.
 Article 12(6) and 14(7), both now deleted.
 Article 23(4), now deleted.
 Article 33(6), now deleted.
 Article 38(1)
 European Commission Press Releases – Questions and Answers – Data Protection Reform - 21 December 2015
 Information Commissioner's Office – Proposed new EU General Data Protection Regulation: Article-by-article analysis paper – 12 February 2013
 LIBE Committee 4 GDPR trilogue comparison 17 December 2015, at page 369
 European Parliament – Committee on Civil Liberties, Justice and Home Affairs – Amendments (7) 2091 – 2350 – 3 March 2013, at p 40
 Article 35(1) (b) and (c)
 European Parliament – Committee on Civil Liberties, Justice and Home Affairs – Amendments (7) 2091 – 2350 – 3 March 2013, at pp 45-46
 Article 79(3)(new)
 Article 79(3a)(new)
 LIBE Committee 4 GDPR trilogue comparison 17 December 2015, at pp 549-551
 Information Commissioner's Office – Initial analysis of the European Commission's proposals for a revised data protection legislative framework – 27 February 2012
 Article 79(2a) (j)
 Recital 70
 Article 28(1)
 Article 28(2)(a)
 LIBE Committee 4 GDPR trilogue comparison 17 December 2015, at p 331
 See 14 ante.
 Article 30(1)
 Article 31(2)
 Article 35(1)
 Article 28(2a)
 Article 77 (1) – (2)
 Article 26 (2) (h)
 Article 26 (2) (f)
 LIBE Committee 4 GDPR trilogue comparison 17 December 2015, at page 264
 Privacy Law & Business – International e-news – 27 January 2016