The intent of the General Data Protection Regulation (GDPR) is to strengthen and unify data protection for all individuals within the EU. The GDPR will apply in the UK and EU from 25th May 2018, and the government has made it clear that leaving the EU will not affect the commencement of this new legal framework.
The GDPR applies to ‘processors’ and ‘controllers’. According to the Data Protection Act, a data controller is a person who determines the purposes for which the personal data is to be processed, and a data processor is any person who processes the data on behalf of the data controller. If you are a processor, the GDPR places specific legal obligations on you, such as requiring you to maintain records of personal data and processing activities. These obligations for processors are a new requirement under the GDPR, and as a result processors will have significantly more legal liability if they are responsible for a data breach. With regard to controllers, the GDPR places obligations on them to ensure that their contracts with processors comply with the GDPR.
The GDPR will apply to personal data and sensitive personal data. Personal data refers to names, addresses and financial information, but also to online identifiers such as an IP address. Even some forms of encrypted data could be viewed as personal data if the pseudonymised data can be attributed to an individual. Sensitive data refers to ‘special categories of personal data’ and can include genetic and biometric data where these are processed to uniquely identify an individual. Overall, the GDPR has widened the definition of personal data to include anything that can identify an individual.
Next month we will be providing insight into the territorial scope of the GDPR. If you would like to discuss the GDPR further, please get in contact: email@example.com