The European Union’s General Data Protection Regulation will take effect one year from now, on 25 May 2018. This post tackles two central questions: who will be affected by the new rules, and what does the regulation apply to?
Simply put, the GDPR protects the personal data of the roughly 510 million people living in the EU, wherever that data is processed or stored. Organisations and businesses will need a lawful basis for every processing operation. The individual’s consent is one such basis (Art. 6(1)(a)), but it is not the only one: performance of a contract, compliance with a legal obligation, protection of vital interests, a task in the public interest and the controller’s legitimate interests are the others (Art. 6(1)(b)–(f)). Where consent is relied on, it must be freely given, specific, informed and unambiguous (Art. 4(11)).
Being a regulation rather than a directive, the GDPR applies directly in every EU member state, with only limited room for national derogations, which means that the level of protection will be the same across the EU. There is no doubt that the EU is raising the bar, possibly setting the standard for global data protection rules. The question is whether organisations and businesses will be GDPR-ready one year from now.
Who does the GDPR apply to?
Personal data comes into contact with two broad categories of data handlers: those who decide why and how personal data should be collected and processed (known as controllers, Art. 4(7)), and those who process it on behalf of a controller (known as processors, Art. 4(8)). One and the same individual or entity may both decide on the processing and carry it out, in which case it is simply the controller of that data, such as:
- A medical professional holding personal data of his/her patients;
- A business collecting data from its clients, and storing it on its own servers;
- A marketing company collecting data from consumers, and analysing it in-house for research purposes.
Or it can be separate entities, such as the case of:
- A bank (controller) collecting information about its clients on forms, which it then passes on to a data centre (processor) for cataloguing and storing the information;
- An accounting firm (processor) handling the payroll system of its client companies (controllers);
- A marketing company (processor) analysing consumer data on behalf of client companies (controllers).
The GDPR imposes obligations on both, but the news is that it introduces direct obligations on data processors. Until now processors answered mainly to the controller under their contract; under the GDPR they must, among other things, process only on documented instructions, keep records of processing, implement appropriate security measures and notify the controller of personal data breaches (Arts. 28, 30, 32 and 33), and they can be held directly liable for damage caused by their own non-compliance (Art. 82). This means that entities which process users’ data on behalf of their clients, such as the data centre, the accounting firm and the marketing company in the examples above, are directly responsible to the users as well as to their clients. Responsibility is therefore shared.
The applicability of the new regulation is far-reaching. First, it invites a change in mentality, especially for data processors, whose legal relationship until now was mainly with data controllers. Processors will now be obliged to comply with rules which were previously applicable only to controllers. The starting point is clear: individuals and organisations need to ask themselves (a) whether they handle personal data of any living person and, (b) if they do, in what capacity they do so.
Second, the European regulation is extending its reach beyond the EU’s shores. Imagine a business based in any country other than an EU member state. If that business offers goods or services to individuals located in the EU, whether or not payment is required, or monitors their behaviour within the EU, then the Regulation applies to that business (Art. 3(2)). This means that the GDPR is applicable worldwide in these scenarios, catching within its scope anyone who wants to access the European market, even if no office is established in Europe.
What does the GDPR apply to?
The rules protect individuals with regard to the processing of their personal data. They apply to processing carried out wholly or partly by automated means, and also to manual processing of personal data which forms part of a filing system or is intended to (Art. 2(1)).
What does ‘personal data’ include? It includes any information by which I can be identified, directly or indirectly (Art. 4(1)). The obvious examples are my name, my identity card or passport number, my driver’s licence number, or my physical address. Another common example is the cookie, that small piece of data stored on my device while I am browsing, which websites use to ‘remember’ me; the Regulation expressly lists such online identifiers among the means of identifying a person (Recital 30).
This brings new obligations for businesses built on Internet business models. For online advertisers, cookies and similar identifiers which can be linked to a device or used to single out a user, even if only in combination with other data, constitute personal data, and handling them will therefore carry the full set of GDPR obligations.
Other examples include my IP address or other identifiers associated with my cellphone or other devices which I may own, as well as factors specific to my physical, physiological, genetic, mental, economic, cultural, or social identity.
There is regular personal data, and then there are ‘special categories’ of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership; genetic data; biometric data processed to uniquely identify a person; and data concerning health, sex life or sexual orientation. The Regulation prohibits processing of these categories unless one of the specific conditions in Art. 9(2) applies.
Yet the Regulation does not treat all personal data in the same way, and some falls outside its scope altogether. Data relating to criminal convictions and offences, or related security measures, may be processed only under the control of an official authority or where Union or national law authorises it with appropriate safeguards (Art. 10). Personal data processed for scientific research or statistical purposes remains within scope, but member states may derogate from some of the data subject’s rights where safeguards such as pseudonymisation are in place (Art. 89). The rules do not apply at all to the personal data of deceased individuals, which member states may regulate under national law (Recital 27).
Follow our blog for more posts on GDPR provisions and aspects. Are you GDPR-ready? Test your knowledge with our crossword in May’s Geneva Digital Watch newsletter (page 8).