General Data Protection Regulation – what is it and what should you be doing to prepare?
08 Feb 2017
On 24 October 2016, the government confirmed that, despite Brexit, the UK will still be implementing the EU’s General Data Protection Regulation (GDPR) in May 2018 and reminded businesses that they should be taking steps to prepare for this now.
To help you do so, we will be issuing a series of articles covering the key changes to be introduced by the GDPR and our suggested action points.
Given that the maximum penalty for non-compliance will increase roughly forty-fold under the GDPR (from £500,000 today to the greater of €20 million or 4% of annual worldwide turnover), its introduction is a major new risk item for UK organisations.
Part 1 – GDPR: Who does it apply to and what is ‘personal information’?
In this first instalment, we will explain who it applies to and what information it covers.
Who it applies to:
The GDPR will broaden the test as to who will be caught by the data protection regime. Any entity, wherever it is established, that processes personal data in connection with offering goods or services to individuals in the EU, or with monitoring their behaviour, will be caught. This includes, for example, websites based entirely outside the UK/EU that sell to individuals in the EU.
This is a wider test than the current one which, typically, only catches entities established in the EU who process personal data.
You may be aware that the current regime draws a distinction between data “controllers” (i.e. the person who collects and controls the data) and data “processors” (i.e. any person who processes the data on the controller’s behalf through using, storing, organising the data etc.) and places the onus squarely on controllers to ensure that the information is being processed correctly.
As a major headline change, the GDPR will now also place specific new obligations on processors and can make them liable in the event they are responsible for a breach. We will discuss these obligations in more depth in our next article.
This expanded scope will catch out a lot of businesses that might have thought the new regime was of little concern. In addition, depending on your business’ activities, you may also now be required by your customers and suppliers to alter or improve your business’ processes to comply with the GDPR.
What it covers:
Now that it’s clear more businesses than ever will be caught by the regime, let’s consider what ‘personal data’ actually is. Importantly, the GDPR extends the definition of “personal data” beyond the current law.
Personal data includes data identifying “directly or indirectly, by means reasonably likely to be used by the controller or…any other person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” This is a very wide definition and will catch almost all of the data that businesses collect about individuals.
In addition, the GDPR introduces specific provisions addressing “pseudonymisation”, that is, processing data in a way which means it can no longer be attributed to a specific individual without the use of additional information that is kept separately and protected (for example, replacing names with reference codes and holding the key to those codes elsewhere). Pseudonymised data is distinct from data that has been fully anonymised: it remains personal data and is still subject to the regulation, but the GDPR recognises pseudonymisation as a security measure that reduces risk and, in some respects, lightens the obligations that apply.
It’s clear that the GDPR will apply to a wider range of businesses, a wider range of activities, and a broader spectrum of data than ever before. In order to ensure your compliance, we recommend starting preparation early, as many of the necessary IT system changes will be extensive in nature and take time to implement.
To help you with this, our next article will provide more detail around the obligations to be placed on controllers and processors, and the potential penalties for non-compliance.
If you have any queries relating to data protection, please contact a member of our team on 0161 832 3434.