The GDPR Myth

Author Gary Hibberd

The biggest GDPR Myth in my opinion, and there are many, is that it only applies to large organisations processing large amounts of personally identifiable information (PII). If you are someone who believes this, then it’s time to bust that particular GDPR Myth.

Does GDPR apply to me?

The Information Commissioner’s Office (ICO) has stated that the new regulations

“…applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.”

Note that the ICO does not specify size or sector. The ICO also goes on to state that the new Regulations apply to Data ‘Controllers’ and ‘Processors’. The definitions are important:

Controllers establish how and why personal data is used
Processors define how data will be stored, managed and secured

Under the new Regulations there are additional conditions placed on the Processor, but it is interesting that the Controller now has specific responsibilities. What this means is that you can’t simply outsource the risks associated with data protection.

For example, companies that have outsourced their HR/payroll functions are still the Controller and will have to assess how this data will be collected and for how long.

The location of processing has no bearing on the application of the new regulation. GDPR applies to controllers and processors no matter where data is processed. So in simple terms, even if you control or process data outside the UK, if it applies to UK citizens then you will still need to comply with the Regulations. This means companies like Google and Facebook will also need to comply with the new Regulations, including gaining ‘Consent’ to hold this information (no doubt through the use of the ‘I Accept’ button!).

Conclusion: Yes

Companies that have employee data or personal data must comply with GDPR. Manufacturers of rubber widgets are subject to GDPR, and companies that only employ people are subject to GDPR.

The new Regulations also apply to YOU, the EU/UK Citizen. You’re going to have additional rights that you can exercise on organisations who hold YOUR data. From your utility provider through to your bank, they will all need to be in touch with you to explain how, why and what data they hold about you. Companies covered by GDPR that suffer a breach could see some significant problems headed their way!

So remember: you have rights, but so do your employees and your customers.
