In case you are time poor, the answer is almost certainly yes. This blog will deliberately not reference any of the 99 Articles or 173 Recitals that make up the GDPR. It will not mention case law or the guidance issued by the ICO and Article 29 Working Party. It doesn’t have to.
Popping in the odd reference to articles and recitals might add a gloss of credibility, but whilst delivering GDPR readiness services I have spoken to many business leaders and stakeholders who had been misled into thinking GDPR didn’t apply to them because they had seen a reference to an Article that only applied to a small subset of GDPR. In doing so, they were given a false reassurance that organisations, in particular those with under 250 employees, are somehow exempted from GDPR. They aren’t.
So what are the most basic core components of GDPR?
The General Data Protection Regulation (GDPR) applies to ‘personal data’. Personal data is data from which an individual can be identified, whether directly or indirectly. The most obvious example would be a name, address and phone number held as contact details. The definition provides for a much wider range of identifiers, however, and can include such things as photos, CCTV footage, IP addresses, location data, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. That list is not exhaustive; the key element is being able to identify an individual. This expansive definition is intended to reflect the changes in the ways in which organisations can collect, process and analyse information about people in the digital age.
Processing of personal data has a wider definition than is sometimes assumed. It can include any operation or set of operations which is performed on personal data or on sets of personal data. This can include processes such as the collection, recording, organisation, structuring, storage, alteration, transmission, use, restriction, erasure or destruction of personal data. This applies whether it is automated or a paper-based manual filing system. It is not only big data processing where a thousand data points are analysed to build a personal profile. Processing under the GDPR is everything from putting paper files into storage, running an Exchange server, keeping a contact database, having employment contracts or using cloud services. Put simply, if you use, hold, transfer, change or destroy data, you are processing it.
Does GDPR apply to your organisation?
Yes, if your organisation processes personal data outside a purely domestic context then GDPR will apply to some extent. If you have fewer than 250 employees you are let off keeping certain documentation (in certain circumstances). But GDPR still applies. It will touch organisations differently, but my strong recommendation would be that all organisations find out well in advance how much preparation work they need to do, what the risks are and how to pragmatically mitigate them.
A final note to cover Brexit, as this is another area of some confusion. The UK government has already confirmed GDPR will apply, perhaps with very minor changes, post-Brexit. It is in the first drafts of the Great Repeal Act. If Brexit doesn’t happen, GDPR continues to apply directly anyway. GDPR applying within the EU means that if we are to allow the free flow of personal data for reasons of trade, we need an ‘adequate’ data protection regime with equivalency to GDPR. Theoretically, there are circumstances where this might not happen, but no major political party in the UK has suggested they would be in favour. There would be bigger things to worry about if that were the outcome of Brexit.
Author: John Payne
John is an information governance consultant with Cybercrowd. He specialises in data protection, information risk management and GDPR readiness.