You’d have to have been living under a rock for the last two years to have not at least heard the term GDPR (General Data Protection Regulations). This legislation came into effect back in May 2018 and is designed to protect the personal data of all EU citizens who may be sharing their sensitive data with businesses. It was also set out to encourage all organisations to take responsibility for the data they collect, store and process. Failure to do so can lead to a fine (sometimes costing businesses millions) and/or a damaged reputation.
But as with anything, GDPR does have some exceptions to the rules. The guidelines outline some very specific exemptions depending on the nature of your business and your reasons for collecting data. But you should never rely solely on believing you’re exempt, as all businesses (and any subsequent data breaches) are approached on a case-by-case basis. As such, it pays to understand what these exemptions are and who they apply to.
That’s why we’ve put together this guide. In these next sections, we’ll take a look at who is affected by GDPR, what makes you exempt from these regulations and how these exemptions work.
What businesses must comply with GDPR?
For the most part, all businesses that collect or use data from EU citizens (whether or not the business itself is based in the EU) were affected by GDPR. It is a common misconception that smaller businesses are not subject to GDPR, but the truth is it doesn’t matter how big or small your business is: if you’re collecting sensitive data, you must adhere to the regulations. Pre-May 2018, this meant that most businesses had to make large changes to their organisations to comply with these new laws. Otherwise, they could face scrutiny and legal action. For many, this meant a lot of preparation, analysis and implementing strong new security systems.
But wait, if we’re saying that everyone who collects data must comply with GDPR, where do these exemptions come in? In this next section, we’ll take a look at the six key reasons you might be exempt from General Data Protection Regulations.
What are the exemptions to GDPR and who do they apply to?
If you’re exempt from GDPR, this means you don’t always have to comply with some or all of the regulations set out in the legislation. As a general rule, there are five categories that these exemptions fall into, though, as we said, these things are usually addressed on a case-by-case basis and include businesses in law enforcement, finance, public interest and more. Below we provide examples to give more context to where these exemptions apply:
Public interest
Public interest is always a controversial area because what some believe is important, others don’t always agree with. So, if journalists, researchers or any other publication request information and/or collect personal information that might not fit within GDPR guidelines, they need a good reason to do so. If the information they collect and share is in the public interest, they may be exempt from GDPR. This will have to be assessed depending on the nature and severity of the data they are publishing and whether it truly is a public interest story.
National security
On a similar note, personal data may also be collected, stored and shared if it is a matter of safeguarding national security. As part of GDPR, people have the right to request access to their private information and ask for it to be deleted at any time. However, if it’s in the interest of national security, governing bodies may have the right to deny access to this information, especially if it causes a conflict of interest or could cause prejudice in any way.
Law enforcement
This is perhaps the biggest category because there are a number of possible exemptions that may apply as a result of law enforcement, the judicial system and protecting the public. It’s important to understand GDPR exemptions with regard to law enforcement because this can be a little misleading. That’s because the general rule of thumb is that anyone deemed to be a ‘competent authority’, such as a police officer or judge, is outside the scope of GDPR anyway, because they have their own set of laws surrounding privacy and security.
This means that most cases of crime, taxation, legal privilege, auditing and immigration fall outside of GDPR anyway. But for those cases that don’t, they may still be exempt in certain areas. There are also various parliamentary and judicial exemptions including legal services and judicial appointments.
Healthcare
Exemptions also apply to a huge amount of health data, and if professionals in the industry feel someone is at risk, they may not have to abide by GDPR. Of course, this doesn’t mean all healthcare professionals have the right to decide whether they follow the guidelines, but in the case of potential harm, exemptions can be made. Examples of this could be social work data, educational data and domestic or child abuse data. The professionals also have the right to refuse access to this data if they think it will have a damaging impact on those involved.
Finance and management
Some financial and management situations can lead to exemptions. In these scenarios, individuals or organisations can refuse access to information if there is a conflict of interest, for example if it relates to a criminal case. Examples of this could be insurance claims, redundancy and any information that could have an impact on the financial markets.
Domestic use
Finally, although it might seem a bit strange (and obvious) to point out, with so much information and a certain amount of scaremongering going on, people may be confused about how GDPR applies to domestic situations. You are allowed to collect and store data for the purposes of writing a letter or sending an email to a friend or family member. It’s also OK to take and share photos in a similar situation, so don’t panic about the data you have in your Filofax (if you still have one) or your smartphone.