The General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) from 1995. The regulation was adopted on 27 April 2016. It applies from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments.
The definition of Personal Data is very wide and covers any information which can be used to identify a natural person. This might include their name, contact details, location data, online identifiers (such as an IP address and mobile device IDs), photographs and more. The definition covers direct identification and indirect identification, such as two different data sets that you hold which might not identify an individual on their own but which can be used together to identify a data subject.
Again, the definition of Data Processing is widely drafted. The GDPR defines it as “any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means”. It then goes on to provide a list of example operations, but in short, if you do anything with personal data (including deleting it) then you are processing it.
A Data Controller is a person or body which alone or jointly “determines the purposes and means of the processing of personal data”, whereas a Data Processor “processes personal data on behalf of a controller”. The key distinction is around determining the ‘purpose and means of processing’. If these decisions rest with you, then you are a Data Controller. Both Data Controllers and Data Processors have significant obligations under GDPR.
Not on its own, but an ISO27001 certified Information Security Management System does provide you with a strong, risk based starting point to demonstrate that you are applying appropriate technical and organisational measures and controls to protect personal data. In the event of a breach of GDPR, your adherence to an approved ‘code of conduct’ or certification such as ISO27001 may also be taken into account when the value of any fine is set. All the same, GDPR extends beyond Information Security so it’s important that you take this into account when preparing for compliance.
No, GDPR isn’t a ‘pass/fail’ standard. It requires organisations to take a ‘risk based’ approach to data protection whereby they implement protective measures corresponding to the level of risk associated with their data processing activities.
You should ideally involve the owners of the personal data that you process across your business. This will typically include such functions as IT, HR, Finance, Legal and Marketing. Depending on the nature and size of your organisation, you may need to involve multiple stakeholders to understand and start mapping your data flows.
The UK Government is committed to GDPR notwithstanding the Referendum result. Even if the UK was not bound by the regulation, any organisation processing the personal data of data subjects in a member state would still be affected.
Get in touch if you would like to learn more about GDPR, and how your organisation can benefit from business level advice or technical solutions. The personal information provided will be used to contact you about Softcat’s GDPR services.