GDPR Legislates That Private Data Has To Be Respected...Or Else!


The General Data Protection Regulation (GDPR) becomes law in May 2018 and is designed to harmonise data privacy laws across Europe and to provide a framework for the protection of personal data. The GDPR allows individuals to bring private claims against data processors and data controllers that are not compliant with the Regulation. Organisations that are not compliant can be fined up to the greater of 4% of annual global turnover or €20m.

The GDPR applies to all organisations processing personal data of European citizens.

All organisations

If your organisation is processing personal data of individuals (“Data Subjects”) who are resident in the EU, then the GDPR will apply. An organisation does not need to be located in the EU for the GDPR to apply. The GDPR applies to the “processing” of personal data. The definition of processing is very broad and includes any operation performed on personal data, such as collecting, storing, using, retrieving, transmitting or deleting it. Any database (including email or document storage systems) containing personal data will be in scope, as will any media containing personal data. Any organisation that is processing personal data, regardless of business size or sector, will have to comply with the GDPR.

Define personal data

Personal data is any information relating to an identified or identifiable ‘natural person’ (a “Data Subject”). It can include information such as a name, a photo, an email address (personal and work), bank details, posts on social networking websites, medical information or even an IP address.

The definition of ‘personal data’ is the same in all Member States. The provisions of the GDPR are generally consistent across all Member States.

B2C companies

Any processing of personal data of EU residents is within the remit of the GDPR. In this respect, all organisations (B2C, B2B, charities, sporting bodies, political parties, etc.) have to be compliant.

Health data

Health information is treated as sensitive personal data under the GDPR. Organisations processing health data must have a lawful ground to do so, which is most likely to be the explicit consent of the data subject.

Charities and associations

The GDPR applies irrespective of sector or activity. As long as personal data is being processed, and the processor/controller is established in the EU or the processing affects EU data subjects, the GDPR applies.

Data not resident on a company’s systems

If the remote access involves processing the personal data, then it’s within the scope of the GDPR. The definition of processing is very broad and includes any operation performed on personal data, such as collecting, storing, using, retrieving, transmitting or deleting it. The support organisation will be subject to the GDPR.

Encryption & security

Encryption is a very important security tool for minimising exposure under the GDPR. Article 32(1)(a) recognises it as an appropriate security technique and, if done properly, it will significantly minimise the risks and exposure to an organisation in the event of a security breach.

Mobile data

Personal data is personal data, wherever it’s held. If a mobile device is compromised or stolen and it holds personal data that is in scope under the GDPR, then a data breach under the GDPR will have occurred. It doesn’t matter where the device is at the time of the breach.


