With the implementation of the General Data Protection Regulation (GDPR) a mere 3 months away, it may (or may not) surprise you to learn that 60% of organisations were reported as being not “GDPR ready” at the start of this month. The same report, by software technology firm Senzing, also found that almost 40% of UK-based directors were unsure as to whether they would be GDPR compliant come 25 May.
This is not the first study to reveal a lack of preparation for the GDPR. In January the Department for Digital, Culture, Media and Sport urged businesses and charities to ensure they were compliant by 25 May after it was revealed that up to 50% were unaware of their new obligations.
With these statistics in mind, this is the first in a short series of jargon-busting blog posts to help tackle some of the confusion surrounding the introduction of GDPR. In this post we look at some commonly used terms in the GDPR which deal with the different types of data and those that will be handling the data:
Personal Data – the GDPR has a broader definition of what constitutes personal data than the Data Protection Act 1998, by incorporating reference to personal identifiers such as name, identification numbers, IP address and location. Generally, it means any information or data which relates to a living individual who can be directly or indirectly identified by it.
Sensitive Personal Data – the GDPR has a broader definition of this term than is the case under the Data Protection Act, as it incorporates biometric and genetic data. It is also worth bearing in mind that under the GDPR it is no longer called sensitive personal data but is instead referred to as “special categories of personal data”. Personal Data consisting of political opinions, religious or philosophical beliefs, racial or ethnic origin, trade union membership, genetic data, biometric data, data regarding health, or data concerning a natural person’s sex life or sexual orientation will all be classed as “special category” data under the GDPR.
Data Subject – the person to whom Personal Data relates. For example, an employee.
Data Controller – a “person” who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. This will typically be the business entity employing staff and determining the use of their Personal Data.
Data Processor – unlike the Data Protection Act, the GDPR introduces specific responsibilities directly on Data Processors. These are third parties that process data on behalf of the Data Controller, for example, IT service providers and payroll companies. There are also additional requirements introduced under the GDPR in relation to what must be contained in contracts with Data Processors.
Keep an eye on our blog for our next GDPR jargon-buster!