The ABCs of GDPR

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In general, if you initiated the collection of personal data either directly or indirectly, then your organization is the ‘controller’ and liable under GDPR.  Running a website, collecting customer data for a marketing campaign, interacting with your customers in a structured way, providing downloads in exchange for registration – all of these would be examples of your organization collecting data and acting as a ‘controller’. 

Any information relating to an identified or identifiable natural person (‘data subject’): an identifiable natural person is one who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier or to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  If you are a ‘controller’ or ‘processor’ of personal data in an EU country, GDPR will apply to you for any data subject, regardless of their physical location.  If you are a ‘controller’ or ‘processor’ anywhere in the world and you process personal data of a data subject that is a resident in the EU, then GDPR will apply to you. There is no distinction between Business to Consumer (B2C) and Business to Business (B2B) personal data in this respect.

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.  That will cover all IT systems that contain personal data, regardless of whether those systems are on your own site, in a cloud or provided by a processor.

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. If you provide a service or system for your clients that has their customers’ personal data contained in it, then you are a processor and are subject to the law. Examples of this are a market research, marketing agency or a third-party service provider handling customer data on a company’s behalf. A controller will want to work closely with a processor (and may demand not only good GDPR compliance documentation but also liability responsibilities) to ensure they and the processor are compliant with GDPR. The personal data the processor has about their client contacts makes them the ‘controller’ of that data.

Any form of automated processing of personal data consisting of the use of personal data relating to a natural person, in particular to analyse or predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.  If you are using any sort of rules like machine learning, advanced analytics or AI in any of your IT systems and if those use personal data, then there is profiling being performed.

A natural or legal person, public authority, agency or another body, to which the personal data is disclosed.

A legal act of the European Union which, on enactment becomes enforceable as law in all member states simultaneously. This is from May 25th, 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments and is thus directly binding and applicable.  So this is a law that could affect you. Whether your organization is affected by this regulation depends on whether you process ‘personal data’.

The marking of stored personal data with the aim of limiting their processing in the future.  This is a fundamental tenet of the new regulation where you should only collect and use personal data when it is absolutely needed.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. There are exceptions in Article 9, but in general it is prohibited to process such data. Since it was not forbidden in the past, you may have inadvertently collected and be using such data.