[GDPR] Training – What and Who does GDPR apply to?

A Guide to Data Protection and the GDPR

This article forms part of a collection to introduce you to what Data Protection and ‘GDPR’ are. It’s based upon staff training that we’ve provided for companies to make sure they had a basic working knowledge and were able to take the steps to protect individuals personal information in their care.

This guide takes you through the overview and basics of Who and What the GDPR applies to. If you have any questions or require consultation or guidance please don’t hesitate to contact me to discuss further.

What does GDPR apply to?

The General Data Protection Regulation has a much wider definition then the Data Protection Act 1998 that it replaced and covers any information relating to an identified or identifiable living person (even if it’s from a collection of data).

When it comes to Website development and infrastructure management, A great example of this is an IP Address – As an IP Address can be used with other information – Like a Name in circumstances to identify someone, it’s considered personal data. Other examples Like Name, Address etc are far more obvious.  There are ‘special categories’ of data to cover off more sensitive information that an organisation might store such as; Racial or ethnic origin, political or religious opinions, or information regarding an individuals health (including biometric data such as blood tests, fingerprints and DNA), sex life or sexual orientation.

The GDPR isn’t just limited to digital databases but paper-based as well – Generally any bit of data that can be used to identify someone is covered and should only be used and stored if needed and even then should be done so with a good level of security and training. 

If you’re trying to work out if the data you hold is Personally Intenfitifable Information (PII) then ask yourself the following questions;

  1. Can a living individual be identified from the data, or, from the data and other information in your possession, or likely to come into your possession?
  2. Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession? 
  3. Is the data ‘obvious about’ a particular individual (medical history, criminal record, a record of work, achievements in a sporting activity – e.g. The Winner of the 1998 100m Sprint Gold  – Linford Christie
  4. Is the data ‘linked to’ an individual so that it provides particular information about that individual (e.g. There is a single named individual employed in a particular post, the salary information about the post will be personal data ‘related to’ the single employee occupying that position.
  5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual. (e.g. Data about an individual’s phone or electricity account, A single bit of data may not be personal but a collection of or  say an entire phone bill would be).
  6. Does the data have any biographical significance in relation to the individual?
  7. Does the focus or concentrate on the individual as its central theme rather than on some other person or some object, transaction or event? (e.g. the information as to the number of products produced by a machine in a week could be used either to access the efficiency of the machine, or it could be used to access the productivity of the individual operating the machine). 
  8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity.

Who does GDPR apply to?

Very simply GDPR applies to all EU organisations and public authorities (such as the Government) that store or process the personal data of EU citizens. On top of this post-Brexit (The exit of the UK from the EU) for the UK it’s worth saying that the GDPR was shrined into UK law as part of the Data Protection Act 2018 and has not yet been repealed and as such UK organisations and British citizens also fall under this definition. This means that no matter where in the world the organisation is based if it offers goods and services to individuals in the EU (and the UK) then it must abide by these rules or face legal action.

When it comes to organisations the responsibilities can be broken down into two categories; Those that apply to Data Processors and additional responsibilities that Data Controllers must abide by. 

First a quick reminder about the terminology of Data Subject, Data Controller and Data Processor.

  • Data Subject – Is the end customer/client or user interacting with a company/organisation/government.
  • Data Controller – Is who the data subject is interacting with and who is directing what should happen with the data, they have the overall responsibility for ensuring compliance with the GDPR.
  • Data Processor – Is who processes the action for which the data has been collected (this includes storing it) on behalf of the Data Controller. A company can both be a Data Controller and a Data Processor. Data Processors are also liable for any breach of the GDPR while the data is within their care but it is the responsibility of the controller to make sure that the processor is meeting its obligations.

To give an example – You (The Data Subject) might work at an IT company (Data Controller) and have submitted your financial information to them to be paid. Your company itself doesn’t handle it’s own finances and outsources them to a specialist accountancy firm (Data Processor) who take your financial details, store them and process as directed by your company.

Data Controllers could also be your bank, your local supermarket, your local government etc.

If your company does have third-party acting on its behalf to process data that falls under GDPR then you will need to make sure you have a contractual agreement with them that lays out the scope of this and the responsibilities that organisation has to adhere to GDPR while working with you.

The only organisations / public entities that GDPR does not apply in full to are certain law enforcement activities where personal data may be processed for national security purposes. It’s also important to say that GDPR doesn’t apply to personal activities and as such if you write your partners name on a shopping list and lose it in Tescos you cannot be fined by the ICO.