Having come into effect on May 25th 2018, GDPR is considered to be one of the world's strongest sets of data protection rules. It sets out what organisations are expected to do when they handle data, while also enhancing the way in which people can access data about themselves, ensuring it is up to date, correct and only used for the purpose for which it was collected in the first place.
The original GDPR documentation is incredibly daunting for a lot of readers, with a full 99 chapters to attempt to get through, so most business owners have opted for the simple translations provided by many organisations. But are they all correct?
For the most part, yes. While different GDPR consultants take different approaches to compliance, the most important thing is to achieve compliance.
The regulations were originally created as a framework for laws across Europe and were approved by the European Parliament and European Council in April 2016, shortly after which the regulations were published.
Each member country was given the opportunity to make its own small changes to suit individual circumstances, hence the release of the Data Protection Act 2018, which superseded the previous Data Protection Act 1998.
Personal data is at the core of GDPR. Broadly speaking, it covers any data that can be used to directly or indirectly identify a living person. There are several obvious categories, such as a name, location data or an online username, but it can sometimes be less obvious: IP addresses and cookie identifiers are both considered personal data.
Therefore, any business, individual or organisation that collects such data is required to comply with GDPR and The Data Protection Act 2018.
Under GDPR there are also categories of data that are defined as special category data; these include race, ethnic origin, political opinions, religious beliefs and many more.
The critical thing about what makes up personal data is that it allows a living person to be identified. Businesses, individuals and organisations who handle data are categorised as either controllers or processors. Both are covered by the regulations, and most small businesses can easily fall into both categories.
“Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data,” the UK’s data protection regulator, the Information Commissioner’s Office (ICO) says. It’s also possible that there are joint controllers of personal data, where two or more groups determine how data is handled. “Processors act on behalf of, and only on the instructions of, the relevant controller,” the ICO says. Controllers have stricter obligations under GDPR than processors.
Although GDPR is EU legislation, it applies to any business, individual or organisation around the world that works with EU citizens' data.
Any use of personal data must be defined by one of the lawful bases.