The processing of personal data must rest on one of the lawful bases set out in Article 6 GDPR and must comply with the data protection principles of Article 5 GDPR. These principles are lawfulness and fairness (personal data must be obtained and processed in a lawful and fair manner), transparency (the data subject must know whether, and which, personal data are held about him or her), data minimisation (personal data must be adequate, relevant and limited to what is necessary for the purpose justifying their processing; for example, neither a school certificate nor an identity card needs to indicate the holder's religion), storage limitation (personal data may not be kept longer than necessary), accuracy (personal data must be accurate and kept up to date), and integrity and confidentiality (appropriate technical and organisational security measures must be taken to prevent unauthorised access, alteration or leakage of personal data, as well as accidental loss, destruction or damage). It is noteworthy that the GDPR's provisions are horizontal, in the sense that there are no exemptions or "lightweight approaches" based on organisation size, available resources or capabilities. SMEs are therefore bound by these principles and need to incorporate them into their day-to-day business. For example, all SMEs, like larger organisations, need to be clear on the lawful basis of their data processing (principle of lawfulness), need to provide information notices to their employees and customers (principle of transparency), need to have a defined retention period for their personal data records (principle of storage limitation), and so on.
The GDPR does, however, contain a few provisions that ease the burden on smaller enterprises, i.e. those with fewer than 250 employees. Specifically, SMEs:
Are exempt from keeping records of their processing activities (Article 30), unless the processing is not occasional, is likely to result in a risk to individuals' rights and freedoms, or includes sensitive (special category) personal data or data relating to criminal convictions and offences.
Are required to appoint a Data Protection Officer (Article 37) only if their core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale, or of large-scale processing of sensitive data or criminal records.
Are entitled to take the cost of implementation into account, alongside the state of the art and the risks to individuals, when determining the technical and organisational measures put in place to protect personal data, including privacy-by-design architectures and other data security controls (Articles 25 and 32). This is a weighting factor, not an exemption: the measures chosen must still be appropriate to the risk.
DPIAs: Article 35 GDPR on data protection impact assessments (DPIAs) requires the nature, scope, context and purposes of the processing to be taken into account when determining whether a DPIA is required, i.e. whether the processing is likely to result in a high risk to the rights and freedoms of natural persons. As a result of this language, the scale of the processing can be one factor in that determination. Nevertheless, regardless of the size of the business, organisations that are in any doubt as to whether a DPIA is required should carry out the impact assessment.
Source: GDPR