Posted on June 15, 2017

Will you be GDPR* compliant by 25 May 2018?

Although that is currently 9 months away, these things take time to put in place and test rigorously. If you need to ask, the * stands for General Data Protection Regulation. The government has confirmed that the UK's decision to leave the EU will not affect its implementation. The ICO (Information Commissioner's Office) is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Who does the GDPR apply to?

The GDPR applies to 'controllers' and 'processors'. These definitions are broadly the same as under the DPA (Data Protection Act), i.e. the controller says how and why personal data is processed and the processor acts on the controller's behalf. If you are subject to the DPA, it is most likely that you will also be subject to the GDPR.

As a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

As a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. Do take particular note that these obligations on processors are new requirements introduced by the GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. And it will apply to the UK now and after Brexit.

What data/information does the GDPR apply to?

Personal data: Like the DPA, the GDPR applies to 'personal data'. However, the GDPR's definition is more detailed and makes it clear that information such as an online identifier, e.g. an IP address, can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

For most organisations keeping HR records, customer lists, contact details and the like, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised (identifying fields in a database replaced with artificial identifiers, or pseudonyms, e.g. key-coded data) can fall within the scope of the GDPR, depending on how easy or difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data: The GDPR refers to sensitive personal data as "special categories of personal data" (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.

More specifically, the GDPR provides the following rights for individuals:
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated decision-making including profiling.

The right to data portability is new. It only applies:
to personal data an individual has provided to a controller;
where the processing is based on the individual’s consent or for the performance of a contract; and
when processing is carried out by automated means.

Posted by Neale Gilhooley, with much of this information drawn from these sources:

The ICO website, for further reading.

The ICO PDF titled "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now".