General Data Protection Regulation (GDPR)

Posted on Monday 21st May, 2018 by

Introduction

This overview from Simms International plc, memory and storage specialists based in Lenham, highlights the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. GDPR will come into force in the UK on May 25 2018.

Once in force, GDPR applies to organisations in the UK that process the personal data of individuals in the EU. GDPR also introduces several new elements, for example breach notification procedures and data portability. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. Having clear laws with safeguards in place is more important than ever for the growing digital economy.


Who does the GDPR apply to?

GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA: the controller determines how and why personal data is processed, and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to GDPR.

If you are a processor, GDPR places specific legal obligations on you directly; for example, you are required to maintain records of your processing activities, and you carry significantly more legal liability if you are responsible for a breach. These direct obligations on processors are new under GDPR. If you are a controller, you are not relieved of your obligations where a processor is involved: GDPR requires your contracts with processors to contain specific terms, and it is your responsibility to ensure those contracts comply.

GDPR applies to processing carried out by organisations established in the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour. GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal or household activities.

GDPR is designed to embed good data protection practice in organisations. It requires data protection by design and by default (see Article 25), supported by information management policies, procedures and technologies that reduce the likelihood and impact of data loss incidents.

Like the DPA, GDPR applies to ‘personal data’. However, GDPR’s definition is more detailed and makes it clear that information such as an online identifier, for example an IP address, can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. For most organisations, keeping HR records, customer lists, contact details and the like, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of GDPR.

GDPR applies both to personal data processed by automated means and to manual filing systems where personal data is accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised, for example key-coded, can still fall within the scope of GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data

GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA but there are some minor changes. For example, the special categories specifically include genetic and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing (see Article 10).
