Is Your Business Exempt From the GDPR?
Who is exempt from the GDPR?
It's a common question, particularly for small businesses located outside the EU. After all, GDPR compliance often requires an overhaul of your legal documents, processing activities, storage options, security practices, and the appointment of individuals to continually oversee it all.
The list of formal GDPR exemptions is exceptionally small thanks to the territorial scope of the law. Effectively, if you collect data from, market to, or are willing to serve customers located in the European Union, then you must comply with the GDPR.
However, the technical details of the law are more complex than that.
Is your business exempt from the GDPR? Keep reading to learn who must comply, who has a legal out, and what to do to protect yourself from violations.
- 1. Who Must Comply with the GDPR: The Scope of the Law
- 2. Who is Exempt from the GDPR?
- 2.1. Is There any Exception for Small Businesses?
- 3. Other Issues: When is Data Considered to be "Personal Data?"
- 4. The Primary Exceptions to the GDPR Rules (GDPR Derogations)
- 4.1. Data Processing for Research
- 4.2. Personal Data and Freedom of Expression
- 5. What's Needed: Clear Policies from the EU and Transparency from You
Who Must Comply with the GDPR: The Scope of the Law
If you want to know who absolutely must comply with the GDPR, look no further than Article 3, which provides the territorial scope of the law.
Article 3 says that the GDPR applies to data controllers and data processors located in the European Union, even if the processing happens abroad.
Article 3(2) says that the regulation also applies to processors and controllers not established in the EU when they:
- Offer goods and services to data subjects in the European Union (including both residents and citizens)
- Monitor the behavior of data subjects in the European Union (for example, through targeted advertising, mentioning EU customer bases, or using the currency or language of a Member State)
- Process data in a place where an EU Member State law applies (namely a consulate or diplomatic mission)
The bottom line: if you are located in the EU, you must comply. If you are based somewhere else but deal with individuals who are located in the EU, then you must comply.
If you meet one or more of the three criteria above, there are no exceptions.
Who is Exempt from the GDPR?
If you operate in the EU, then you must comply with the GDPR. There is no legal way around it.
The only way to be exempt from the GDPR is if you:
- Actively discourage the processing of data from EU data subjects (i.e., block your site in the EU)
- Process personal data of EU citizens outside the EU as long as you don't directly target EU data subjects or monitor their behavior
In other words, an EU data subject can find you on their own and give you their data to process in your home country (or another place outside the EU). However, if you are marketing to EU demographics, using a European language or currency on your website, or loosely targeting European customer bases, then you must comply with GDPR rules.
The monitoring clause can be misleading. You might think that if you don't spend money on targeted ads in the EU, then you can be exempt from the law even if you occasionally have a European customer once or twice a year.
This is untrue.
A further explanation of "offering goods and services" sheds light on who does and doesn't need to comply.
You don't need European customers or even to target European customers to fall under the jurisdiction of the GDPR. However, if you have the intention to offer goods and services (such as advertising worldwide shipping even without specifically mentioning the EU), then you must comply with the GDPR even without any economic activity.
If you're a small business, ask yourself this: Would I be willing to process and ship an order to a European customer who found my business on their own?
If the answer is yes, then you must comply with the GDPR. If the answer is no, and you don't monitor behavior, then you can potentially get away without GDPR compliance.
Is There any Exception for Small Businesses?
If you meet the criteria that require compliance with the GDPR, there are no exceptions based on business size, location, or turnover.
The only differentiation the law makes is for businesses with fewer than 250 employees. Those small businesses must still comply with the GDPR. However, you don't need to keep a written record of your processing.
Even then, there are still exceptions to the records issue if you process data that:
- Could impact rights and freedoms
- Reveals race, ethnicity, biometric data, genetic data, political or religious beliefs, or trade union membership
- Contains information related to criminal offenses
- Is personal and processed regularly
The fourth criterion - personal and processed regularly - refers to marketing and other types of data collection. It doesn't refer to data you process to send someone an order or email a client.
Other Issues: When is Data Considered to be "Personal Data?"
Perhaps one of the most convoluted issues surrounding the GDPR is the definition of personal data.
There's no comprehensive list of what does and doesn't constitute personal data. It all depends on the interpretation of the official definition:
"Personal data means any information related to an identified or identifiable natural person ('data subject')."
In some cases, names, hair color, and economic, social, and genetic data are all personal data under the law. The GDPR goes on to clarify what "identifiable" means:
"An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
That might include data such as:
- Birth dates
- National identifying numbers (Social Security, National Insurance, PPS, etc.)
- Phone numbers
- Physical addresses
- Email addresses
- Eye color
- Employer (including salary information)
- Student ID numbers
- Religious beliefs
- Genetic data
- Medical history
Ultimately, it often comes down to the circumstances of the data. When a piece of data identifies an individual when used with other data, then it becomes personal data.
For example, even someone's name may not be an individuating piece of data. But when you combine it with their occupation, age range, or a telephone number, it narrows down the number of individuals significantly, or even to a point where one individual appears.
What does this mean for exemptions?
It all comes down to context, but the general rule is to err on the side of caution and avoid hiding behind any variations in definitions or terms, particularly if you collect any data from European IP addresses. You may find it prudent to assume that you fall under the jurisdiction unless you have clear confirmation that you do not.
Pseudonymization and encryption of your data are also a good idea, and they are mandatory under the GDPR.
The Primary Exceptions to the GDPR Rules (GDPR Derogations)
If you are a commercial enterprise, you tend to have two choices: comply with the GDPR or block your site from EU IP addresses and avoid EU-based data.
However, the rules change if you process data for reasons beyond commercial or marketing purposes.
The GDPR does not apply when:
- The data controller is an individual who uses data for a purely personal activity (e.g., collecting emails for a personal wedding website or family newsletter)
- The data controller is a government agency or law enforcement organization collecting data for crime prevention, investigation, or prosecution (when related to public safety)
- The processing relates to defense, security, and/or public security
- The processing relates to the national interest (social, health, budget, national security, etc.)
These items aren't exemptions by nature. Rather, the GDPR simply doesn't cover them, so they fall outside the law's jurisdiction.
The GDPR also provides derogations for specific processing situations, including:
- Freedom of expression
- Freedom of information (including official documents)
- Personal data of employees
- Data for scientific research
- Churches and religious associations
- National Identification numbers and related systems
- Obligations of secrecy
The GDPR may not dictate your activities in these cases, but in almost all cases, you must still protect the data you process using the appropriate security measures.
Additionally, you are still bound by Member State law (if you operate within an EU Member State), which may be more or less strict than the GDPR and contains details that are more likely to change over time.
Keep in mind that Member States may also introduce their own exemptions, conditions, and specific rules. Doing so allows them to prevent the overhaul of certain existing systems that would otherwise have crippling bureaucratic effects (such as restructuring a national identification number system).
Why does the GDPR provide exceptions in these cases? The high level of protection required by the GDPR threatened to place real constraints on activities like scientific research or freedom of expression.
The exemptions tend to apply when the GDPR would "prejudice your purpose" or "prevent or seriously impair" your ability to process data in the way that is necessary for your purpose.
The Information Commissioner's Office in the UK shares the full list of exemptions which includes:
- Crime, law, and public protection
- Regulation, parliament, and the judiciary
- Journalism, research and archiving
- Health, social work and education
- Child abuse
- References and exams
- Finance, management and negotiations
- Subject access requests
These exemptions aren't blanket exemptions from the GDPR. Instead, they relieve you of specific data subject rights or principles.
Data Processing for Research
Research, in particular, occupies a prized place in the GDPR, and Recital 159 says it should be interpreted "in a broad manner." Generally, it includes "technological development and demonstration, fundamental research, applied research, and privately funded research."
Meanwhile, statistical research refers to "any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results."
Public health research, in this case, falls under scientific research pursuant to Recital 159.
Although research is not a lawful basis for processing, Article 6(4) recognizes that organizations processing data for research can avoid the restrictions otherwise in place for sensitive categories and secondary processing. It also removes the subject's rights to object and to erasure, because exercising them can threaten the integrity of the dataset.
The same bodies can process data without consent, and in exceptional cases they can even transfer personal data to a third country without the GDPR-mandated transfer mechanisms in place.
However, the exemptions don't simply remove all constraints from the GDPR.
For example, Article 89(1) stipulates that controllers processing research data must continue to implement the appropriate "technical and organizational measures" and "appropriate safeguards" to ensure that the data is not only pseudonymized and encrypted, but also used only for research purposes. It also stipulates that the controller acts "in keeping with recognized ethical standards for scientific research."
In essence, while the GDPR provides new and increased obligations for data processing, research is one of the exemptions from the blanket mandate. By providing the exemption, the GDPR attempts to avoid stifling research, corrupting scientific datasets, and imposing unnecessary costs, without removing the safeguards that protect individuals.
However, it is still important to recognize that the GDPR measures in place can clash with practices like data deposit requirements imposed by journals or legal restrictions related to data sharing. For example, scientists working with genetic data may be prevented from sharing individual-level data with journal repositories, as required when submitting their work to journals.
In these cases, it is up to both the GDPR and scientific journals to reconsider the issues presented by both policies.
Personal Data and Freedom of Expression
The balance between data privacy and freedom of expression is a delicate one. Article 85 of the GDPR says that it's up to Member States to reconcile the right to freedom of expression and information (including journalism, academic, literary, and artistic expression).
Member States are allowed to provide exemptions and derogations on this basis from:
- Chapter II - Principles
- Chapter III - Rights of the Data Subject
- Chapter IV - Controller and Processor
- Chapter V - Transfer of Personal Data
- Chapter VI - Independent Supervisory Authorities
- Chapter VII - Cooperation and Consistency
- Chapter IX - Specific Data Processing Situations
In other words, exemptions depend on whether you operate in France, Germany, Poland, Bulgaria, or another EU country.
One concern raised by human rights groups like Human Rights Watch is that the right to be forgotten/erasure provision can be used to suppress information that is both truthful and non-defamatory, such as an attempt by a politician to request the removal of a news article detailing an arrest in their youth.
In other words, the GDPR provides for freedom of expression, but it leaves it up to the states to do so and because of this, significant gaps persist in the law. For a full list of the exemptions published by EU member states, visit this article.
What's Needed: Clear Policies from the EU and Transparency from You
Even a year into the GDPR, there's still a huge amount of opaqueness associated with the law. Who does it apply to? Who is exempt, and what is the extent of their exemption?
Although clear policies from the EU would be ideal for all non-EU businesses and organizations that worry about where they fall under the GDPR, these are unlikely thanks to the vast scope of the law (both territorial and technological). Because the law covers all data processing of all types, it must account for the necessary processing (such as scientific research) without inhibiting essential activities like health and social research.
As a result, you see lists of exemptions based on Member State laws and preferences, as well as competing policies and practices that in some cases support, and in others hinder, activities like research.
Ultimately, the GDPR relies on transparency from you.
Rather than avoiding GDPR compliance on a perceived technicality, it is better to choose your camp now. Either comply with the GDPR to the full extent of the law or make sure that you do not have an opportunity to violate the law by taking steps to prevent the collection of personal data from EU residents.
If you fall under one of the GDPR's exemptions, explore the exemption in full and be sure to comply in the required areas, even if they don't necessarily make sense for your processing purpose.