Scope of GDPR
Protecting personal data is the crux of GDPR (General Data Protection Regulation). The definition of personal data is rather broad, encompassing ‘any information relating to an identified or identifiable natural person (data subject)’. The information could be as simple as your name or your IP address.
Handling personal data
GDPR categorises those who handle personal data into two groups – controllers and processors. Controllers determine the purposes of processing personal data, while the processors are responsible for handling the data on behalf of a controller.
The relationship between a controller and a processor is best illustrated by an example. If you own a footwear business and you engage a digital agency to run an email marketing campaign for you using data about your past customers, you are the controller while the agency is the processor.
Responsibilities of data controllers and processors
A controller can be a person, a public authority, a company or an agency that determines the purposes of processing personal data. A controller must comply with the ‘data quality principles’, which include establishing a lawful process to handle personal data and making sure that the data is accurate and kept up to date, among others. In addition, Data Security (Rec. 46; Art. 17 (1)) requires a controller to implement appropriate security measures to protect personal data, while Data Protection ‘by design’ and ‘by default’ (Rec. 78; Art. 25) goes further, stating that a controller must ensure that data protection principles and appropriate security measures are addressed right from the planning phase all the way through to the implementation phase of any new product or service.
In the event that the controller appoints a processor, this must be done in a written agreement that clearly states the legal requirements, which shall include, but are not limited to, having the processor return or destroy the personal data at the end of the engagement.
A processor, as the name suggests, is a person or an entity who processes personal data on behalf of a controller. The key obligations of a processor under GDPR extend beyond the contractual requirements imposed by data controllers and cover the following:
- Records of processing activities,
- Compliance with Data Protection Acts,
- Compliance with security breach notification requirements,
- Obligation to appoint a Data Protection Officer,
- Restrictions on engaging sub-processors,
- Restrictions on transferring data cross-border.
Lawful basis for processing
Regardless of whether you’re a controller or a processor, it is critical to keep in mind the lawful basis of processing as set out in Article 6 of the GDPR, which states that processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given informed and clear consent for you to process their data for the purposes you have specified.
- The processing is necessary for a contract you have with the data subject or because the data subject has asked you to do so before entering into a contract.
- The processing is necessary for you to comply with the law.
- The processing is necessary to protect vital interests of the data subject, for example to protect the life of the data subject.
- The processing is in the public interest or for official functions (and the task has a clear basis in law).
- The processing is necessary for your legitimate interests or such interests of a third party unless the rights of the individual override this.
GDPR outside the EU
It is a misconception that GDPR only applies within the EU. Although it applies to every organisation operating within the EU, it also concerns anyone who is handling the data of EU residents. For this reason, if your organisation offers goods or services to individuals in the EU, or you store data on EU citizens, you need to make sure you are GDPR compliant. If you are an overseas organisation that deals with European partners, you want to be able to reassure them that you are GDPR compliant, as they may otherwise be worried that they could be compromising their own data security.
Cross-border data transfer
Transferring personal data outside the EU to third-party countries or international organisations is restricted under GDPR. This is mainly to prevent anyone from circumventing GDPR by moving data overseas.
Personal data may only be transferred outside of the EU if the transfer complies with the conditions specified in Chapter 5 of the GDPR. In short, the Commission will assess whether the country or organisation to which the data are to be sent is secure. In the absence of such an assessment, safeguards may be put in place, or the data may be transferred if there are legally sound reasons to do so.
Consult Blackhawk first
Whether your organisation is operating within or outside the EU, it helps to consider carefully the impact of GDPR and your obligations. At Blackhawk Intelligence, we have a solid reputation and years of experience pertaining to data security in European and overseas operations. With offices in both the UK and Israel, plus a worldwide network of associates, our data security experts can help you and your company with GDPR compliance, no matter where you are based.
To talk to Blackhawk Intelligence about GDPR compliance for your organisation, call us today on +44 (0)20 8108 9317.