The General Data Protection Regulation (GDPR) was set out in 2018 to protect the personal data of all EU citizens, and it forced businesses across the world to rethink how they collect and use personal data. Before the regulation came into effect, many businesses had to make substantial changes and put measures in place to ensure they would comply with the new rules. While all organisations have to comply with the regulation, there are a few exemptions from its provisions.
There are several different reasons why a business might be exempt from the usual GDPR requirements, though as a general rule no one should ever assume they are exempt. Where these exemptions apply, they might mean that businesses do not have to comply with the right to be informed, access or deletion requests, other individual rights, or the duty to report personal data breaches.
Before we go any further, there are also some areas that are not actually covered by GDPR at all and could therefore behave like an exemption. These are:
Personal or household activities: If you are storing and using data in a purely personal sense and it has nothing to do with any commercial activity, then this is outside of the bounds of GDPR. For example, holding an address book with which you send letters to friends and family or taking pictures for yourself to enjoy.
Law enforcement: Those who are collecting information for law enforcement or as part of investigating a crime are outside the scope of GDPR, but only as long as they are the competent authorities; not just anyone can profess to be collecting data for an investigation.
National security: GDPR also doesn’t cover data being collected, processed or used for the purpose of safeguarding national security.
Why are there exemptions and how do they work?
Whether or not you’re exempt from GDPR very much depends on the reason why you’re collecting, holding or processing personal data. In other cases, you may find you’re exempt because complying with the regulation could:
- Have a damaging effect on what you’re trying to do
- Prevent you from obtaining and processing data that is required for a necessary purpose
- Put someone in danger or cause prejudice
- Break a law
That said, you should never assume you’re exempt or think it’s a one-size-fits-all approach. GDPR exemptions tend to operate on a case-by-case basis as ruled on by the Information Commissioner’s Office (ICO).
If you are relying on an exemption, you need to carefully document your reasons for doing so, along with any supporting evidence, in case the exemption is challenged or you need to demonstrate your compliance.
The different GDPR exemptions you should be aware of
Now we’re going to take a look at the various GDPR exemptions you need to be aware of, using advice from ico.org. You might find you fall into one of these categories and may therefore be exempt from certain requirements under GDPR. However, if there is no reason why you should be exempt from any of these requirements, then you must comply in full like any other business.
Public interest
If you claim an exemption based on public interest, you need to be careful. There will always be debate about what is really in the interest of the public and what is an agenda, so if you’re using this as an exemption you need a good reason and a lot of proof to do it. Public interest exemptions cover:
- Journalism, academia, art and literature
- Research and statistics
Healthcare, education and social work
There are a number of reasons you might be exempt from following GDPR when it comes to healthcare and educational data and the wellbeing of others. If you feel that the personal data you hold could cause harm or put someone in harm’s way, you do not have to give access to this information, despite the ‘right to be informed’ set out in GDPR guidelines. This is particularly true if the information relates to a minor. Examples of this type of data include:
- Healthcare data to be processed by a court, outlining an individual’s expectations and wishes, or that could cause harm
- Social work data to be processed by a court, outlining an individual’s expectations and wishes, or that could cause harm
- Educational data to be processed by a court, outlining an individual’s expectations and wishes, or that could cause harm
- Child abuse data
- References and exams
- Confidential references
- Exam scripts and exam marks
Finance and management
There are some financial and management scenarios that might make you exempt from GDPR. If you believe that giving access to this information could cause a conflict of interest, for example because it is involved in a criminal case, a redundancy or an insurance claim, then you can refuse to share it. Finance and management exemptions include:
- Finance, management and negotiations
- Corporate finance
- Management forecasts
Law enforcement and national security
Finally, this is the largest section of them all. Personal data may also need to be collected and stored if it’s a matter of national security or law enforcement. If this is the case, you could be exempt from certain GDPR requirements. You can also refuse data access and deletion requests if it’s a matter of security or part of a criminal investigation. These exemptions can include:
- Crime, law and public protection
- Information required to be disclosed by law
- Information connected with legal proceedings
- Legal professional privilege
- Disclosure prohibited or restricted by an enactment
- Audit functions
- Bank of England functions
- Parliamentary privilege
- Judicial appointments, independence and proceedings
- Crown honours
The GDPR exemptions you should be aware of
As you can see, there are some clear areas of law, education, finance, healthcare and public interest that could make you exempt from GDPR. As a general rule of thumb, it’s best never to assume you’re exempt from the regulation, but instead to collect sufficient evidence to support your argument. If you identify with any of the above, you may on occasion be exempt from following GDPR.