Who is affected by the changes?
It is probably you.
EU General Data Protection Regulation (GDPR) applies to all organisations recognised by law and established in the EU.
This means it applies to Data ‘controllers’ and ‘processors’ in the public, private and third sector:
- Companies, partnerships and sole traders
- Clubs and societies
- Charities and voluntary organisations
It also applies to those outside the EU who are offering goods or services to EU citizens. It will apply to the processing of all personal data.
The definitions are broadly the same as under the old UK Data Protection Act (1998) which has been replaced by the UK Data Protection Act 2018, e.g. the controller determines how and why personal data is processed and the processor acts on the controller’s behalf.
There are some exemptions under the existing new Data Protection Act (2018). Decisions on exempted organisations are taken on a case by case basis.
If you were subject to the old UK Data Protection Act (1998) it is likely that you will also be subject to the GDPR.
Data Controller or Data Processor?
Understanding your role is key to assessing the risk to your business and the steps you need to take to be compliant.
- If you are a Data Processor, GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities.
- However, if you are a Data Controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations
You can find out more about these differences and what you are required to do, through our online training here.
If you need help with becoming GDPR compliant, contact us and we’ll be delighted to help.
Or take the ICO self assessment test here.