The EU General Data Protection Regulation (GDPR) comes into force across the EU on 25th May 2018. The Regulation dramatically increases the obligations and responsibilities of businesses and organisations which control or process data. As these new obligations and responsibilities are paired with severe new sanctions, businesses should take the time to ensure their compliance in advance of the Regulation coming into force.
Who is Affected
The Regulation is binding on businesses and organisations that are involved in controlling or processing the personal data of individuals in the EU regardless of the location of the company or the location of the data processing. Although the situation is somewhat complicated by Brexit, the UK government has indicated that it will implement equivalent or alternative regulations that will largely follow the GDPR.
Personal data is defined so broadly as to cover any information that can be used to directly or indirectly identify a person. This can be anything from genetic or economic data to social media posts, computer IP addresses or cookie identifiers. The definition even includes pseudonymised data, where the identifying information is held separately, for example, in a hospital where samples are labelled with numbers rather than patient names before being sent for testing. Notable exceptions apply to national security activities and law enforcement.
The Regulation is applicable to data controllers and data processors. A data controller is any person or body which collects data and determines how that data is to be processed, for example an employer, a bank or a medical practice. Data processors are persons or bodies which process the data on behalf of the controller, for example a payroll company, accountant or "cloud" provider. A business or company may be both a data controller (in relation to its own employees' personal data) and a data processor.
Personal data held in both electronic format and in hard copy is covered by the Regulation.
Increased Administrative Responsibilities
The GDPR builds on obligations under existing data protection legislation and will increase the administrative responsibilities owed by data controllers and processors. Given the scope and size of the Regulation it is not possible to give an exhaustive list, but below are some of the most important requirements:
Data controllers are obliged to implement "appropriate technical and organisational measures" to both ensure...