

Does your small or medium organization have to meet the same requirements as those huge companies that can afford to hire an army of compliance officers? Although it might not seem fair, in most cases the answer is yes.

The GDPR does differentiate between small and larger businesses when it comes to record-keeping requirements. Organizations with fewer than 250 employees don’t have to keep records with the same level of detail as those companies whose personnel exceed that number – unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data… or personal data relating to criminal convictions and offences referred to in Article 10”. In that case, your records will need to go into the same level of detail.

You might think that if your business is small, you don’t need to appoint a data protection officer (DPO) to comply with the GDPR. Think again. This is a case where size doesn’t matter; the determining factors are how much and what kind of personal data you collect, store, or process. Regardless of the size of your organization, you need a DPO if you engage in “regular and systematic monitoring of data subjects on a large scale” or if you collect records on a large scale pertaining to:

  • Criminal convictions
  • Ethnicity
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union membership
  • Health
  • Sex life or sexual orientation

Let’s take another example: the HIPAA Security Rule. The U.S. Department of Health and Human Services (HHS) has recognized that small healthcare entities have different circumstances and needs, and allows covered entities to implement appropriate solutions based on their size, complexity, and capabilities, as well as their technical infrastructure and cost considerations.

These slight modifications to the rules for smaller entities don’t exempt you from meeting the base requirements of the respective regulations.