GDPR – Asking the wrong question!
Ben at Datapact asked me a simple question. ‘When does GDPR apply to an organisation?’ In case you are time-poor and cannot read on, the answer is almost always. Unless the organisation is a family business selling to family members in the family home. This is only a slight exaggeration. Any organisation, of any size, that processes personal data (the wide GDPR definitions are below) will fall under GDPR.
This blog will deliberately not reference any of the 99 Articles or 173 Recitals that make up the GDPR. It will not mention case law or the guidance issued by the ICO and Article 29 Working Party. It doesn’t have to.
Popping in the odd reference to articles and recitals might add a gloss of credibility, but I have spoken to many business leaders and stakeholders who have been misled into thinking GDPR didn’t apply to them because they saw a reference to an Article that only applied to a small subset of GDPR. In doing so, they have been given the false reassurance that organisations, in particular those with under 250 employees, are somehow exempted from GDPR. They aren’t.
So, what are the core components of GDPR?
The General Data Protection Regulation (GDPR) applies to ‘personal data’. Personal data is data from which an individual can be identified, whether directly or indirectly. The most obvious example would be a name and address held in an employment contract or customer database. The definition provides for a much wider range of identifiers, however, and can include such things as photos, CCTV footage, IP addresses, location data, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. That list is not exhaustive; the key element is being able to identify an individual. This expansive definition is intended to reflect the changes in the ways in which organisations can collect, process and analyse information about people in the digital age.
Processing of personal data has a wider definition than is sometimes assumed. It includes any operation or set of operations which is performed on personal data or on sets of personal data. This covers processes such as the collection, recording, organisation, structuring, storage, alteration, transmission, use, restriction, erasure or destruction of personal data. It applies whether the processing is automated or a paper-based manual filing system. It is not only big data processing where a thousand data points are analysed to build a personal profile. Processing under the GDPR is everything from putting paper files into storage, running an Exchange server, keeping a contact database, holding employment contracts or using cloud services. Put simply, if you use, hold, transfer, change or destroy data, you are processing it.
When does GDPR apply to an organisation?
If an organisation processes personal data outside a purely domestic context, then GDPR will apply to some extent. If an organisation has fewer than 250 employees, it is let off keeping certain documentation (in certain circumstances). But GDPR still applies. It will touch organisations differently, but my strong recommendation would be that all organisations find out well in advance how much preparation work they need to do, what the risks are and how to pragmatically mitigate them.
How it applies to organisations is the better question. This would require a much longer blog, however, and to be truly useful it would need to consider the specifics of a single organisation. Organisations need to understand what types of personal data they process, how they process it, whose personal data it is, where it is processed and when it is processed. From this starting point, they will have the context to begin to understand how the regulation will apply.
A final note is to cover Brexit, as this is another area of some confusion. The UK government has already confirmed GDPR will apply, perhaps with very minor changes, post-Brexit. It was in the first drafts of the Great Repeal Act and was mentioned in the Queen’s speech. If Brexit doesn’t happen, GDPR continues to apply directly anyway. GDPR applying within the EU means that if we are to allow the free flow of personal data for reasons of trade, we need an ‘adequate’ data protection regime with equivalency to GDPR. Theoretically, there are circumstances where this might not happen, but no major political party in the UK has suggested it would be in favour of that. There would be bigger things to worry about if that were the outcome of Brexit.
If you would like to purchase or find out more information about the GDPR changes or services we offer, click here or send us a message and one of our team will be in contact shortly.