General Data Protection Regulation

GDPR

The first major overhaul of the Data Protection and Privacy legislation since the Data Protection Act 1998.

So what is all the fuss about?

Well, for many, including sole traders and smaller SMEs, it’s perhaps the first time such legislation has been mentioned and specifically targeted at them. Why? The new legislation applies to any organisation that processes personal data. It always has, but the GDPR changes the focus, turning many business models a full 180 degrees.

In effect, the GDPR gives people greater control over their own personal data, and strengthens the rules around personal data that organisations process as custodians of that data.

To help your organisation fully grasp the methodology, eNacyH invites you to transition into the GDPR landscape in a compliant way. As it is going to be law, we cannot re-word the legislation, but we hope to expand on certain facets to put them in a clearer manner.

So let’s start: is the information data?

Data

‘Data’ is information which:

a. is processed by means of equipment operating automatically in response to instructions given for that purpose (computerised);

b. is recorded with the intention that it should be processed by means of such equipment as in a. (manual paper records to be computerised);

c. is recorded as part of a relevant filing system, or with the intention that it should form part of a relevant filing system (filing cabinets or similar, where the information is stored in a structured or indexed way and is therefore readily accessible);

d. does not fall within a. to c. above but forms part of an accessible record (generally a health, medical, educational or public record held by a local authority for housing or social services purposes);

e. is recorded information held by a public authority and does not fall within any of paragraphs a. to d.

For the purposes of the GDPR, because a database stores the information, that information is data under the legislation under category a.: processed by means of equipment operating automatically.

Personal Data?

Personal Data

Any information relating to an identifiable ‘natural’ person who can be directly or indirectly identified, in particular by reference to an identifier.

This definition reaches far wider than just your name. It also includes identification by a number, location data or an online identifier, which takes account of new technological advances and the way organisations now collect personal information. It also includes voice data, video data and digital images.

The GDPR introduces some new terms for cases where organisations have secured the data using technology so that the data records cannot directly (or indirectly) identify an individual.

‘Pseudonymised’ Personal Data. In other words, the data is key-coded: encrypted, hashed or otherwise transformed so that it cannot be re-compiled into a form which could identify the individual. The key that lets the organisation re-compile the data is held securely and separately from the data itself.

‘Anonymised’ Personal Data. As above, but there is no key-coding and therefore no way to re-compile or reconstruct the data, nor to re-create the relationships or the identification of individuals.

A new criminal offence is being introduced for anyone trying to re-compile such data.
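The distinction between the two terms above is easiest to see in code. The following is an added illustration written for this page; it is not part of the original text or of eNacyH’s material. It assumes HMAC-SHA256 as the key-coding scheme and uses constructed sample records; the postcode generalisation in the anonymisation step goes slightly beyond the text, as an example of also removing an indirect identifier (location data).

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people and not from the page.
RECORDS = [
    {"email": "alice@example.com", "postcode": "AB1 2CD", "order_total": 42.50},
    {"email": "bob@example.com", "postcode": "EF3 4GH", "order_total": 19.99},
    {"email": "Alice@Example.com", "postcode": "AB1 2CD", "order_total": 7.25},
]

# Fields that on their own identify a person (direct identifiers).
DIRECT_IDENTIFIERS = ("email",)


def new_pseudonymisation_key() -> bytes:
    """The secret that makes pseudonymised data re-compilable.

    It must be stored separately from the data set (key store, HSM, or at least
    a different system with different access control)."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Key-code one identifier with a keyed hash (HMAC-SHA256).

    A keyed hash, unlike a plain hash, cannot be recomputed by someone who holds
    only the pseudonymised data set and guesses candidate identifiers."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Replace direct identifiers with key-coded tokens; other fields are kept."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            new[field] = pseudonym(rec[field], key)
        out.append(new)
    return out


def relink(pseudonymised: list[dict], identifier: str, key: bytes) -> list[dict]:
    """Re-compile: only a holder of the key can find one individual's records."""
    token = pseudonym(identifier, key)
    return [r for r in pseudonymised if r["email"] == token]


def looks_like_plain_hash(pseudonymised: list[dict], identifier: str) -> bool:
    """Check whether a token is just SHA-256 of the identifier (i.e. not key-coded).

    Returns False for correctly key-coded data: without the key the token cannot
    be reproduced from the identifier alone."""
    plain = hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()
    return any(r["email"] == plain for r in pseudonymised)


def anonymise(records: list[dict]) -> list[dict]:
    """No key and no mapping kept: the link to the individual is destroyed.

    Each record gets an independent random token, so records of the same person
    can no longer be joined, and the postcode is reduced to its outward code."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            new[field] = secrets.token_hex(16)  # fresh per record, never stored
        new["postcode"] = rec["postcode"].split()[0]
        out.append(new)
    return out


if __name__ == "__main__":
    key = new_pseudonymisation_key()  # in practice: fetched from the key store
    p = pseudonymise(RECORDS, key)
    print("pseudonymised:", p)
    print("alice's records (key holder):", len(relink(p, "alice@example.com", key)))
    print("anonymised:", anonymise(RECORDS))
```

Note that pseudonymised records for the same person share a token (the two orders for the same address still join), which is exactly what makes the data re-compilable by the key holder and therefore still personal data under the GDPR; the anonymised output loses that join along with the key.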

Sensitive/Special Personal Data?

Sensitive/Special Personal Data.

The GDPR refers to this as a special category of personal data, as it relates to information that individuals may reasonably regard as more sensitive. This category of personal data includes information about an individual’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Health
  • Sexual orientation or sex life

Processing such data is prohibited unless an additional lawful basis is met. This is similar to Schedule 3 of the Data Protection Act 1998, but remember that if you are processing Sensitive Personal Data, you will also need a lawful basis for processing it as Personal Data.

Criminal Convictions and Offences are not in this category of Personal Data under the GDPR, but similar extra safeguards apply to their processing (Article 10).

Having established whether the information you have is personal data, it’s important to get to grips with the definitions under the GDPR.

It’s equally important to know that information about individuals used solely for domestic and personal purposes is not governed by the regulations, but due consideration and an honest evaluation have to be given in this regard. For example, a personal blog which contains affiliate links or promotional items, where the blogger receives a monetary benefit, is!

The data protection legislation does not apply to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.