DATA - European legislation (GDPR)

It looks like the Europeans may be sending us a little bit more regulation before we drop out.

This may not be a bad thing. Read on for more information on the General Data Protection Regulation which seeks to create a harmonised data protection law framework across the EU and aims to give citizens back the control for their personal data whilst imposing strict rules on those hosting and processing the information they have gathered. The regulation also introduces rules relating to free movement of personal data within and outside of the EU.

The Information Commissioner's Office (ICO) say:

"[The ICO] have produced an overview highlight[ing] the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. It is for those who have day-to-day responsibility for data protection.

The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

What information does the GDPR apply to?

Personal data

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual."

For full details on the new GDPR visit https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Steve Heap, General Secretary
AFO