Who Does GDPR Apply To?
The General Data Protection Regulation (GDPR) governs the way in which personal data is gathered and handled in the European Union (EU). Personal data is defined as any information relating to an identified or identifiable, living person. GDPR applies to any individual or organisation that handles personal data within the EU. Countries outside of the EU that handle personal data are known as 'Third Countries' under GDPR. They may have their own data protection legislation but they are required to comply with GDPR in the following circumstances:
- When supplying goods/services to the EU
- When processing data about citizens residing within the EU
GDPR for Small and Medium-Sized Enterprises (SMEs)
Whilst companies of any size are required to comply with GDPR, SMEs are subject to reduced documentation requirements. Enterprises with 250 or more employees are required to document all of their processing activities whilst enterprises with fewer than 250 employees are only required to document the information listed below:
- Regular processing activities
- Activities that could potentially risk the rights/freedoms of individuals
- Processing of special category data (personal data that is seen to be more sensitive and is resultantly subject to tighter restrictions)
- Processing of data relating to criminal convictions/offences
Data Controllers and Data Processors
Data controllers are the organisations that own data and decide what it will be used and processed for. Data controllers must comply with GDPR both by design and by default. Compliance by design involves the active integration of data protection into your processing activities, whilst compliance by default means ensuring you only process data that is necessary for a specified purpose. Data processors are organisations that process personal data on behalf of the data controller. The data controller retains responsibility for the personal data and should therefore ensure that all third parties sign a written contract agreeing to comply with GDPR-compliant data policies.
Whilst all EU member states are obliged to adhere to GDPR legislation, they have been allowed to implement certain exemptions. Exemptions can be introduced in the following areas: national security, defence, criminal offences, public interests, judicial proceedings, breaches of ethics in regulated professions, monitoring of official authorities, protection of rights and freedoms and enforcement of civil laws.
Member states are also at liberty to introduce exemptions for the following processing activities: freedom of information, public access to official documents, national identification numbers, employee data processing, secrecy obligations, religious associations and processing for archival/research/statistical purposes.
Why Is GDPR Important?
GDPR is important primarily because it provides a single set of rules for all EU organisations to adhere to, thus giving businesses a level playing field and making the transfer of data between EU countries quicker and more transparent. It also empowers EU citizens by giving them more control over the ways in which their personal data is used.
Prior to introducing the new GDPR legislation, the European Commission found that a mere 15% of citizens felt that they had complete control over the information that they provided online. With such low trust amongst the general public, it is clear that consumer habits will ultimately be affected. Measures to rebuild this confidence, through the introduction and proper implementation of GDPR, are expected to increase trade.
Thorough implementation of data protection policies and staff education are important as non-compliance could result in a data breach. The Information Commissioner's Office (ICO) can issue fines of up to 4% of your annual turnover or €20 million, whichever is greater, in the event of a serious data breach. Data protection training is a necessity in mitigating the risk of data breaches.