Data protection and privacy laws are steadily gaining importance, and much of the credit goes to the EU, a unique economic and political union that pioneered the consolidation and framing of regulations in this area to suit the times we live in. There is no escaping GDPR if you are a top lawyer, anywhere in the world, involved in transactions affecting EU residents.
Here’s a super quick guide that will bring you up to speed with EU GDPR and help you understand compliance requirements under the Regulation.
A brief history of GDPR
The European Union (EU) already had the European Data Protection Directive in place in 1995 (the Directive came into effect on 13 December 1995), which the member states were to implement in their national laws by 1998.
But with the rise of modern technologies, it became imperative to update this Directive and widen the scope of data protection regulation. From the 2000s onward, the EU kept discussion of this topic active through conferences, papers, surveys and similar initiatives.
In 2016, the EU adopted the General Data Protection Regulation (GDPR), the toughest privacy and security law in the world. This Regulation replaced the 1995 Data Protection Directive. By 25 May 2018, all EU member states had to implement the mandatory provisions of the GDPR in their national legislation.
What kind of data does GDPR protect?
A good starting point for identifying whether or not you are required to be GDPR-compliant in a given situation is:
- to identify whose information you are processing,
- in what capacity,
- for what purpose,
- and what kind of information you are processing.
“1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”[1]
In brief, the above means GDPR protects the ‘personal data’ of ‘natural persons’ residing in the EU.
> Natural Person
‘Natural person’ is anyone who can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.[2]
GDPR also does not cover processing of personal data by a natural person in the course of a purely personal or household activity.
GDPR does not mandate the protection of a deceased person’s personal data; however, some EU member states (e.g., Denmark) have made provisions to protect a deceased person’s personal data to a certain extent.
> Personal Data
‘Personal data’ means any information relating to an identified or identifiable natural person. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors. If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.[3]
Information that identifies an individual, even without a name attached to it, may be personal data if you are processing it to learn something about that individual or if your processing of this information will have an impact on that individual. Records that contain information that is clearly about a specific individual are considered to be “related to” that individual, such as their medical history or criminal records. Records that contain information describing an individual’s activities may also qualify, such as a bank statement. Any data that relates to an identifiable individual is personal data.[4]
> Processing
‘Processing’ means any operation performed on personal data by automated or non-automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.[5]
Processing of personal data by competent authorities for the purposes of crime prevention, investigation, prosecution or the execution of penalties is also outside the scope of GDPR.
Controller and Processor
Once you have concluded that you (or your organisation) are in fact processing personal data of EU residents and are covered by GDPR, the next step is to identify whether you are processing it in the capacity of a ‘Controller’ or a ‘Processor’.
The GDPR draws a distinction between a ‘controller’ and a ‘processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
For example, company A uses software belonging to another company, B, to perform payroll-related functions. Here, company A is the controller of its employees’ personal data, since it determines both the purpose of the processing (generating payroll) and the means of processing. Company B is the processor, as it processes the data on behalf of company A.
[4] https://gdpr.eu/eu-gdpr-personal-data/
[5] Article 4, GDPR
- Dhatri S
About the author: Dhatri is a tech entrepreneur and solicitor (England and Wales) specialising in Data Protection and Employment Law.