It’s been 19 years since the Data Protection Act was introduced, and the European Union has set out to give it a makeover with some tough new rules on how businesses should store and use personal data. Fortunately, Sponge have digested the new regulation and we’re going to break it down into manageable chunks, showing you how it will apply to your business.
The General Data Protection Regulation (GDPR) is the new and improved legal framework devised by the European Union to help safeguard people’s rights when it comes to their personal data. It’s set to take over from the current Data Protection Act (DPA), applying to all of Europe instead of just the UK.
You may be thinking... But Brexit? The UK government have confirmed that, regardless of how the negotiations go, the new laws will still apply to us.
You’ll need to make sure that your processes when handling personal data are compliant, otherwise you’ll be looking at
not a small number!
Who does the GDPR apply to?
There are two main labels used within the GDPR: ‘Controllers’ and ‘Processors’. Controllers are businesses (or even individual people) that collect personal data and decide how it should be used. For example, you’d be a controller if you:
- Collect someone’s name and address when they purchase a product from your online shop so that you can ship the item to them.
- Collect someone’s email address when they’re signing up for your subscription-based web app.
- Collect someone’s contact details when they’re making a booking on your website.
Processors, on the other hand, don’t actually collect any data for themselves. Processors are chosen by the controller to handle processing of the personal data. Processing has a lengthy description, but covers actions such as viewing, altering or deleting data.
If you work with any personal data that you didn’t directly collect and you’ve been given a task that uses this data, you’re likely considered to be a processor.
It’s not only about collecting data from the web. When you check in to a hotel and they take a copy of your passport, they’re collecting your personal data and are still considered a controller.
What is personal data?
Personal data is any piece of information that could be used to identify a person. This could be their name, their email address, phone number or even their IP address!
There’s also a second type of data that the GDPR talks about: sensitive personal data. This, again, has a long definition but mainly concerns data that could reveal someone’s racial/ethnic origins, religious beliefs or sexual orientation. Rules around collecting and using sensitive data are a bit tougher, but if you’ve got consent from the person then you’ll likely be fine.
Are you aware that Sponge also offer GDPR compliance training for your employees?
This article has been a quick introduction to a long and complicated regulation that will affect many businesses operating in the EU. The next article in this series will focus on the 6 principles of the GDPR and how to start preparing for the changes.