Can small organisations bypass the GDPR