GDPR may already be set in law, but it is not due to ‘go live’ until 25th May 2018. It is therefore likely to be an evolving subject, and this guide is simply meant as just that – a guide, looking at GDPR from the perspective of December 2017, before the law has actually been implemented. This guide is not definitive, but rather an educated perspective drawn from multiple sources on what is known about GDPR at the time of writing.
The General Data Protection Regulation (GDPR) will come into force on 25th May 2018. It is a regulation designed to set the guidelines, going forward, for the collection and processing of personal identity information by companies and organisations.
This new regulation replaces the 1995 EU Data Protection Directive, and will be part of EU privacy and human rights law. Under the previous directive, data laws were implemented individually in each country and were not consistent across the EU. The new regulation should bring greater consistency and harmony by bringing all data protection elements under one law for all countries.
The regulation from the EU consists of 99 articles under the guidance of 6 privacy principles. It covers data that is produced by an EU citizen, whether or not the company processing that data is located within the EU, and it also covers people who have data stored within the EU, whether or not they are EU citizens.
The UK was very involved in the drafting of the regulation, which was designed to make companies take the issue of data protection more seriously and to strengthen the rights that EU citizens have over their data.
The focus of the regulation is on ensuring that businesses are transparent and protect individual privacy rights, i.e. data will be viewed more as the property of (and under the control of) the individual or user rather than the business or provider.
GDPR applies to all UK, EU and worldwide companies and organisations that store, process and use the data of EU citizens, including people living in the UK. It also applies to people from countries outside the EU who are currently working, staying or on holiday in the EU or the UK.
The kind of data covered by GDPR includes data stored on / in / at:
Paper filing systems and paper in filing cabinets and storage
Computer filing systems and databases
Mobile devices, and mobile storage devices e.g. USB sticks and external zip drives
PC and laptop hard drives
Third-party outsourcing companies, e.g. accounts, payroll, telesales / marketing, cloud providers
GDPR covers organisations / groups that previously didn’t have to register under the Data Protection Act, e.g. charities, sports clubs, and any group that holds personal information such as names, addresses, email addresses, telephone numbers, and even stored facial recognition images.
One important difference under GDPR is that companies will no longer need to register with the ICO, pay a fee to them, or disclose to them what information they intend to store about data subjects (customers and others).
GDPR will also cover a much wider range of information in terms of what counts as personal data.
Under the new Regulation, any data that could identify an individual, such as genetic, mental, cultural, economic or social information, will count as personal data.