The EU’s General Data Protection Regulation signals a dramatic shakeup in the rules on how companies and other organisations manage individuals’ personal data. The new regulation will come into force on May 25th 2018, replacing the previous 1995 data protection directive. This switch from a directive to a regulation is important because it means the rules cannot be amended or interpreted by national authorities but must be applied in the same way right across the EU’s Single Market. However, the GDPR’s rules will reach well beyond the EU. Any organisation, anywhere in the world, that collects, uses or processes the personal data of anyone based within the EU will be subject to the new data regulations. The GDPR is therefore a European regulation that has global reach and impact: no one can afford to ignore it. Any organisation that collects and handles personal data is designated a “data controller” under GDPR.
A very wide definition of personal data
The GDPR’s aim is to provide stronger protection for personal data that individuals share with organisations of all sorts and to give people more control over how their personal data is used and circulated, including a “right of erasure”, referred to by some as “the right to be forgotten”. Personal data is defined extremely broadly within the regulation: “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”