Businesses of all sizes
The most commonly held misconception about the GDPR is that it does not apply to small and medium sized businesses (specifically SMEs with fewer than 250 employees). This is absolutely not the case, and the ICO have confirmed to us explicitly that the GDPR applies to all businesses regardless of their size. The confusion arises because the record-keeping requirements (the records of processing activities) are relaxed for businesses of that size; the obligations themselves still apply. Recital 13 explains the rules around business size in more detail.
All businesses that process personal data
If your business holds or processes personal data then the GDPR applies to you. This is the case whether you are the organisation that determines the purposes and means of processing the data (i.e. typically the business that has the relationship with the individual), known as the 'controller', or an organisation processing data on behalf of the controller, known as the 'processor'.
Under the older rules most legal responsibility fell on the controller, but under the GDPR many of the same obligations that apply to controllers also apply directly to processors, and there is a shared responsibility in the case of data breaches.
The use of a processor does not relieve the controller of its obligations under the GDPR; indeed it places obligations on the controller to ensure that its processors are complying with the GDPR too.
Businesses inside and outside the EU
The GDPR doesn't just apply to businesses within the EU; it also applies to businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals within the EU.