Guidance note : data security guidance for microenterprises

Abstract

The Data Protection Commission (DPC) has developed this guidance to assist microenterprises in implementing the appropriate technical and organisational security measures to safeguard the personal data they are processing. A microenterprise is defined as an organisation having fewer than 10 employees and an annual turnover (the amount of money taken in a particular period) or balance sheet (a statement of a company's assets and liabilities) below €2 million. If your company is a microenterprise engaged in the processing of personal data, as either a data controller or a data processor, you will be subject to the provisions of the GDPR. A data controller is defined under Article 4 GDPR as a natural or legal person that determines, alone or jointly with others, the purposes and means of the processing of personal data. The same Article defines a data processor as a natural or legal person that processes personal data on a data controller’s behalf.