Currently, you must comply with the Data Protection Act 1998 (the ‘DPA’) in relation to your business’ collection and use of details relating to individuals, such as customer or employee records; however, a new General Data Protection Regulation (the ‘GDPR’) has been promulgated by the EU and will come into force in 2018. Owing to the need to prepare for the GDPR’s arrival, many, if not all, organisations are already looking to its terms as the standard for GDPR compliance. Therefore, we have focused on its provisions, rather than those of the current DPA.
The GDPR will automatically come into effect in all EU Member States on 25th May 2018, without the need for any national implementing laws. From that moment on ‘data controllers’ and ‘data processors’ will be exposed to the full effect of the law, which includes the risk of regulatory action (enforcement notices and fines) and the risk of compensation claims brought by individuals.
The law applies to the ‘processing’ of ‘personal data’ by controllers and processors based in the EU; by ones based outside of the EU, if they are offering goods or services to people in the EU, or monitoring their behaviour in the EU; to personal data that are exported from the EU to other countries.
Processing means any operation that is performed on personal data, from the moment of its initial collection. The GDPR applies to processing that is conducted wholly or partly by automated means and to wholly manual data that is structured in indexed files.
Information relating directly or indirectly to an identified or identifiable human being, which includes obvious identifiers (such as name, address); value judgments about people (as in HR records); online identifiers (such as IP addresses and browsing histories); and advanced medical information (genome, biometrics and DNA data). Publicly available information are all in scope (so gathering personal data from social media websites is regulated).
