Who does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
Relevant provisions in the GDPR - Articles 3, 28-31 and Recitals 22-25, 81-82
What information does the GDPR apply to?
- Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
- Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
This Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.
This page captures all the monthly highlights and links to what’s new in the UK's Guide to the GDPR.
We have published detailed guidance on consent.
We have expanded the page on the right to data portability.
We have expanded the page on Accountability and governance.
We have expanded the page on Security.
We have updated all of the lawful basis pages to include a link to the lawful basis interactive guidance tool.
We have published detailed guidance on DPIAs for consultation. The consultation will end on 13 April 2018. We have also updated the guide page on DPIAs to include the guide level content from the detailed guidance.
We have published detailed guidance on legitimate interests.
We have expanded the pages on:
- Data protection impact assessments
- Data protection officers
- The right to be informed
- The right to erasure
- The right to rectification
- The right to restrict processing
The consultation period for the Article 29 Working Party guidelines on consent has now ended and comments are being reviewed. The latest timetable is for the guidelines to be finalised for adoption on 10-11 April.
The consultation period for the Article 29 Working Party guidelines on transparency has now ended.
Following the consultation period, the Article 29 Working Party has adopted final guidelines on Automated individual decision-making and Profiling and personal data breach notification. These have been added to the Guide.
We have published our Guide to the data protection fee.
We have published more detailed guidance on documentation.
We have expanded the page on personal data breaches.
We have published detailed guidance on Children and the GDPR for public consultation. The consultation closes on 28 February 2018.
The sections on Lawful basis for processing and Rights related to automated individual decision making including profiling contain new expanded guidance. We have updated the section on Documentation with additional guidance and documentation templates. We have also added new sections on legitimate interests, special category data and criminal offence data, and updated the section on consent.
The Article 29 Working Party has published the following guidance, which is now included in the Guide.
It is inviting comments on these guidelines until 23 January 2018.
The consultation for the Article 29 Working Party guidelines on breach notification and automated decision-making and profiling ended on 28 November. We are reviewing the comments received together with other members of the Article 29 Working Party and expect the guidelines to be finalised in early 2018.
The Article 29 Working Party has published guidelines on imposing administrative fines.
We have replaced the Overview of the GDPR with the Guide to the GDPR. The Guide currently contains similar content to the Overview, but we have expanded the sections on Consent and Contracts and Liabilities on the basis of the guidance on these topics which we have previously published for consultation.
The Guide to the GDPR is not yet a finished product; it is a framework on which we will build upcoming GDPR guidance and it reflects how future GDPR guidance will be presented. We will be publishing more detailed guidance on some topics and we will link to these from the Guide. We will do the same for guidelines from the Article 29 Working Party.
The Article 29 Working Party has published the following guidance, which is now included in our overview.
The Article 29 Working Party has also adopted guidelines on administrative fines and these are expected to be published soon.
In the Rights related to automated decision making and profiling section we have updated the next steps for the ICO.
In the Key areas to consider section we have updated the next steps in regard to the ICO’s consent guidance.
The deadline for responses to our draft GDPR guidance on contracts and liabilities for controllers and processors has now passed. We are analysing the feedback and this will feed into the final version.
We have put out for consultation our draft GDPR guidance on contracts and liabilities for controllers and processors.
In the Key areas to consider section we have updated the next steps in regard to the ICO’s consent guidance and the Article 29 Working Party’s Europe-wide consent guidelines.
The Article 29 Working Party’s consultation on their guidelines on high risk processing and data protection impact assessments closed on 23 May. We await the adoption of the final version.
We have updated our GDPR 12 steps to take now document.
We have added a Getting ready for GDPR checklist to our self-assessment toolkit.
We have published our profiling discussion paper for feedback.
We have published our draft consent guidance for public consultation.
The Article 29 Working Party has published the following guidance, which is now included in our overview: