The truth is that nothing is straightforward where data protection is concerned!
Even concepts that initially appear ‘simple’ are often layered with complexity that leaves you with more questions than when you started.
With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, this blog will help you tackle some of GDPR’s key concepts, answering your questions on how the new regulations will affect your handling of personal data.
What is personal data?
Personal data is any information that identifies a living individual. It covers more than just names and contact information, and includes a wide range of pieces of information including:
- Information about someone’s health and genetics.
- ID numbers.
- IP addresses and other online identifiers left behind when someone uses your website.
- Information about someone’s physical, physiological, genetic, mental, economic, cultural or social identity.
It doesn’t have to be immediately obvious who the person is for the data to be personal – having to do a bit of legwork or put two and two together doesn’t make it any less ‘personal’. For example, an IP address will in most cases allow you to identify who the user is personally, even if it only becomes evident after using certain technological methods.
Another common misconception about personal data is that it is information about someone stored on a computer. This is untrue. Personal data includes information held in letters, numbers, images or even sound recordings. It does not have to be factual and can include subjective opinions and assessments.
What is processing personal data?
If you use personal data in any way whatsoever, you are ‘processing’ it. Processing is almost a catch-all term that describes how personal data is used by businesses. You do not have to use personal data productively, actively seek it out or even store it to be processing it.
Therefore, even if you receive personal data through emails and you feel that you do nothing else in particular with it, you are still subject to the rules of GDPR. When thinking of how you process personal data, a good starting point is to think of how you use information about your customers, suppliers and employees.
Who does GDPR apply to?
The simple answer to this question is any business or organisation, public or private, that processes personal data. This is then split down into two concepts: data controllers and data processors.
Determining whether your business is a data controller, data processor or both in certain circumstances is one of the most complex questions in data protection law, as it depends on numerous variables and ultimately decides what actions you must take to stay compliant – therefore it is crucial you know your role from the outset.
However, in basic terms, every business is a data controller. A data controller is a legal entity (not an individual) that determines how and why personal data is used. Every business is a data controller because it decides how and why it uses its employees’ data. In most cases it will decide the same for its clients’ data too.
A data processor does not decide how and why personal data is used – it follows the instructions of a data controller. Businesses that provide outsourced HR, website hosting or courier services, for example, are often data processors, as they only perform basic functions using personal data, and only in a way that follows the specific instructions of another business.
Sometimes there are very fine lines when making the distinction and there are a lot of specific factors to take into account – but remember, a business can be both a data controller and a data processor at the same time, even in the same set of circumstances.
Are you GDPR ready?
Our team of experts has produced a GDPR Self-Audit Tool to help businesses like yours prepare for the upcoming regulation changes. The easy-to-use tool gives you the ability to complete the audit of your organisation’s data processes at your own pace.
The Self-Audit Tool includes several documents to give you an overview of how you are already complying with the new regulations while identifying areas you need to focus on to become “GDPR ready”.