During a recent seminar where Bruce & Butler Limited were invited to talk on GDPR, I was presented with the following statement by one of the delegates:


“GDPR does not apply to our organisation because we have an Article 30 Exemption.”


Thankfully the person I was speaking with was sceptical and had decided to come along to the seminar and find out what GDPR was all about.



Article 30 covers ‘Records of Processing Activities’. These records form part of an organisation’s accountability requirements under GDPR, specifically to maintain a record of processing under the Data Controller’s or Data Processor’s responsibility.

The five-paragraph Article includes the caveat that its requirements do not apply to an organisation employing fewer than 250 people unless further conditions are met*.

Having not met the person who had made the statement, I cannot guarantee this was his/her thought process, but I am under the assumption he/she read this article entirely without context or a basic knowledge of the GDPR.

During my discussion with the delegate, I asked if their organisation had fewer than 250 staff. They did. From an 88-page document (that I am sure some of those reading this have read back to front several times) he/she had managed to pick out these 14 words:


“shall not apply to an enterprise or an organisation employing fewer than 250 persons”


These 14 words have then formed their opinion that GDPR does not apply to their organisation because they do not employ enough people. This is a dangerous position for an organisation to be in from a compliance perspective. 


No Exemption – What next?

Had no one looked at this opinion with a sceptical mind, the organisation might have ignored GDPR completely: “It doesn’t apply to us.” This is simply not the case, and with each day GDPR gets closer, another day’s preparation is lost.

GDPR applies to all Data Controllers and Data Processors that are processing the personal data of a European Citizen or an individual within the European Union. Your organisation’s size may exclude you from having to comply with certain aspects of the regulation but there is no ‘Get out of GDPR free card’.

GDPR is coming. If your organisation is not already preparing, ask yourself: why not? They might be unaware it is on its way. They might not think it applies to your organisation, or they might just be burying their heads in the sand.

If you require any further information, or if you wish to speak to an industry specialist in relation to any Data Protection matter, please feel free to contact us using the information on the website.


* Art. 30 (5) The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

