1. What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that came into force in all 28 Member States in May 2018. It regulates the protection of personal data for all individual citizens of the European Union and the European Economic Area. It applies to start-ups and large organisations alike.
In short, the GDPR sets out how organisations may handle personal data: the principles they must abide by when processing it, and the technical and organisational measures they should have in place to safeguard the information.
2. What about Brexit?
The government has made it clear that data protection law is one of the areas where they would like to maintain parity with the EU. While leaving the EU will mean the GDPR is no longer UK law, as the ICO make clear: “the UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the “UK GDPR”). The government has published a ‘Keeling Schedule’ for the GDPR, which shows the planned amendments.”
3. Does the GDPR apply to my organisation?
Yes, if you hold personal data about individuals for any business or other non-household purpose. In the words of the Information Commissioner’s Office (ICO): “(t)he law applies to any ‘processing of personal data’, and will catch most businesses and organisations, whatever their size.” However, “(y)ou will not need to comply if you only use the information for your own personal family or household purposes – e.g. personal social media activity, private letters and emails, or use of your own household gadgets.”
4. What is ‘personal data’?
Briefly, personal data means information about a particular individual that can be used to identify them.
It is important to keep in mind that this information does not need to be private in order to be considered personal. Even information which is public knowledge or is about someone’s professional life can constitute personal data.
Furthermore, GDPR can also apply to anonymous information. If you are still able to identify someone from ‘anonymous’ data by combining it with other pieces of information, it will still be classed as personal data, and subject to the provisions of GDPR.
5. What is data processing?
Data processing covers a broad range of activities. The intention of the GDPR is to ensure personal data is afforded protection for all conceivable uses. The ICO’s guidance is clear about this, stating “(a)lmost anything you do with data counts as processing; including collecting, recording, storing, using, analyzing, combining, disclosing or deleting it.”
6. What is the Information Commissioner’s Office’s (ICO) role?
The ICO is the regulator for data protection in the UK. It offers advice and guidance, promotes good practice, monitors breach reports, conducts audits and advisory visits, considers complaints, monitors compliance and takes enforcement action where appropriate. For more information, please see our Introduction to the Information Commissioner’s Office.
7. What should my organisation do next?
The GDPR is a flexible piece of legislation designed to safeguard personal data in a wide range of situations. As the ICO note, “this flexibility does mean that you need to think about – and take responsibility for – the specific ways you use personal data.” The first step therefore is to ask the right questions to determine what provisions of the GDPR apply to your organisation’s processing activities.
To this end, the ICO has devised a series of GDPR checklists for start-ups and small businesses to help you understand your data protection obligations. We have used these checklists to build an automated GDPR solution that helps you quickly and efficiently understand what your risks are, and we advise you on how to treat each risk in line with industry standards.
If you would like to assess your company’s GDPR risk in a matter of minutes, please click here to start a trial. If you would like a demo of the platform, please contact Matt from our Customer Success Team: firstname.lastname@example.org