The General Data Protection Regulation (GDPR) applies from 25 May 2018. It replaces the patchwork of national data protection laws across the EU with a single regulation, so that personal data can move between member states without being exposed to weaker or conflicting regulatory requirements.
The GDPR first defines a series of rights for the individual and then sets out a series of principles governing how businesses must process personal data. The combined effect of those rights and principles can be thought of as transferring control of an individual's data from the organisation holding it back to the individual.
The regulation must be followed by any business handling the personal data of individuals in the EU, regardless of whether that business is itself located in the EU. The 'any business' part is important to note right at the outset. Numerous articles claim that the GDPR does not apply to businesses with fewer than 250 employees. That is categorically incorrect: the 250-employee figure relates only to a limited exemption from the record-keeping obligations in Article 30, not to whether the regulation applies at all.
The GDPR applies to any size of business that collects or processes personal data
The definitions section of the GDPR lists a couple of definitions that make the reach of the GDPR very clear:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
We go into a lot more detail about personal data in What Data Does The GDPR Apply To?, but what is already obvious here is that if your business holds any personal data whatsoever, the GDPR is intended to apply to you.
GDPR applies to personal data about any category of individual
It is also important to note that the definition says nothing about the role of the person. It makes no difference whether the individual is a customer, an employee of a business you interact with, or one of your own employees: if you hold their data, the GDPR applies.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
That is equally unambiguous. In short, if you hold personal data, whether electronically or on paper, the GDPR applies. Note too that this definition makes no distinction between 'having' data and 'using' it: the very act of collecting or organising personal data is itself processing.
The very act of collecting or organising personal data is counted as processing
This sounds a lot like the Data Protection Act (DPA)?
The GDPR effectively replaces the DPA, and there is a lot of overlap between the two. The GDPR imposes more onerous requirements than the DPA, but if your organisation already understands the details of the DPA and complies with them, then the GDPR should not represent too great an adjustment.
If you already comply with the DPA you've got a headstart on GDPR