What is the GDPR?

GDPR is coming, but what is it?

Coming into force on 25th May 2018, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data, which includes the right to be forgotten.
It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

To whom does the GDPR apply?

The GDPR applies to ‘controllers’ and ‘processors’ of data. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT company performing the actual data processing. Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU citizens. The definitions of a controller and processor are broadly the same as under the DPA (Data Protection Act) – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

What are the sanctions?


The following sanctions can be imposed:

  • a warning in writing in cases of first and non-intentional non-compliance
  • regular periodic data protection audits
  • a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.
  • a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

What information does the GDPR apply to?

Personal data

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. For most organisations keeping HR records, customer lists, contact details etc., the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing.


Need more information? Contact us to see how we can help your business.

Call our Sales Team on: +44 (0)121 289 3434
or email us at: hello@ilicomm.com