GDPR refers to the General Data Protection Regulation (EU 2016/679). It was adopted on 27 April 2016 (so it is already law), and any organisation offering goods and services to European Union residents has to achieve compliance by 25 May 2018. There are real penalties for non-compliance:
- Potential imprisonment for company directors
- Fines can be imposed for a wide range of contraventions, of up to €20,000,000 or 4% of global turnover, whichever is the greater. (If GDPR had been in effect, just one of Yahoo's recent data breaches could have led to a $198m fine!)
The aims
GDPR aims to standardise data legislation across the EU under one common set of rules, replacing outdated and inconsistent legislation mostly dating from 1995, when technology and data usage were very different. Under GDPR, EU data subjects will have eight core rights, and a stumbling block to trade and data transfer between member states will be removed. There is now a definition of 'data breach' and rules governing what happens when one occurs, backed by a framework of tough penalties to enforce compliance. GDPR is also designed to work alongside additional legislation such as PECR and the ePrivacy Directive.
Key terms
- Data are not just 1s and 0s but the information that is held on individuals in paper as well as electronic filing systems. Individuals who work at organisations are considered 'natural persons' (distinct from 'legal persons'), so GDPR will apply to B2B data as well as the more obvious B2C consumer data.
- Data Controllers include the natural or legal person, public authority or similar that determines the purposes and means of the processing of personal data. Key questions include: why you hold the data; how long it is retained for; what it is used for; and why it is necessary.
- Data Processors include the natural or legal person, public authority or similar that processes personal data on behalf of the Data Controller. Many organisations are both a Data Controller and a Data Processor, and a Data Processor can share liability with an otherwise separate Data Controller for non-compliant processing.
- Data Processing means obtaining, recording or holding information or data, or carrying out any operation or set of operations on that information or data.
- Data Subjects are the natural persons who can be directly or indirectly identified by the Data Controller, or a third party, using reasonable means.
- Personally Identifiable Information (PII) refers to any information which relates to an identified, or identifiable, natural person or Data Subject. Data becomes PII if it enables a natural person to be identified directly, or indirectly in combination with other information that the Data Controller or Processor might reasonably expect to have access to. Examples include a name, an identification number and location data, among many others. However, a name alone ('John Smith') might not constitute PII unless, in combination with other data, it can identify a specific natural person (which 'John Smith' is this?). Something like a postcode can likewise be PII in one circumstance but not in another. Sensitive data such as biometric or ethnic information "deserve specific protection" as a special class of PII.
This article is for information only and is not intended to be legal advice on this matter. If you have specific questions on how this may affect your organisation then you should consult a legal professional.