What is the GDPR?

T he General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It unifies data protection laws across the EU to allow countries to interact in the certainty that their citizens' data will not be compromised by differing regulatory requirements.

The GDPR defines a series of rights for the individual and then introduces a series of principles on how businesses should process personal data. The essence of the combination of those rights and principles can be thought of the transfer the ownership of an individual's data from the organisation holding that data back to the individual.

The regulation must be followed by any business handling an EU citizen's data, regardless of whether that business is in the EU or not. The 'any business' part is important to note right at the outset. There are numerous articles saying that GDPR does not apply to businesses with less than 250 employees. That is categorically incorrect.

Key info:

The GDPR applies to any size of business that collects or processes personal data

The definitions section of the GDPR lists a couple of definitions that make the reach of the GDPR very clear:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 4(1) - Definitions GDPR

We go into a lot more detail about personal data in What Data Does The GDPR Apply To?, but what's obvious here is that if your business holds any personal data whatsoever then the intention is that the GDPR will apply to you.

Key info:

GDPR applies to personal data about any category of individual

It's also really important to note that there's no mention of the role of the person here, so it makes no difference whether the individual is a customer, an employee of a business you interact with, or indeed if they are one of your own employees - if you have their data then the GDPR applies.

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Article 4(2) - Definitions GDPR

That's pretty unambiguous too, in short, if you have the data, whether electronically or on paper, the GDPR applies. Furthermore, the very act of collecting or organising personal data is counted as processing.

Key info:

The very act of collecting or organising personal data is counted as processing

This sounds a lot like the Data Protection Act (DPA)?

T he GDPR effectively replaces the DPA, but there is indeed a lot of overlap between the two. The GDPR has more onerous requirements than the DPA, but if your organisation is already aware of the details of the DPA and complying with them then the GDPR should not represent too much of an adjustment.

Key info:

If you already comply with the DPA you've got a headstart on GDPR

For organisations that haven't considered the DPA the GDPR will require a considerable amount of thinking and further action, that's definitely something that should be started sooner rather than later.

Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).

We are not lawyers, always seek specialist GDPR advice for your organisation.

About Redox Software

At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone – or any combination of those - either now or in the future.

Latest Redox Posts


Our Contact Details

The Colin Sanders Innovation Centre
Mewburn Road, Banbury
Oxfordshire. OX16 9PA

+44 (0)1295 817646