The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It will replace the current European legislation (the Data Protection Directive) and the UK equivalent, the Data Protection Act 1998 (DPA). It will affect all companies that handle EU citizens’ personal data, even if the company is not based in the EU.
GDPR aims to make the rules for data collection and processing (where it goes, what it’s used for, and who else has access to it) consistent across the UK and the EU, and will ensure that personal data held by organisations is kept secure and only used for the purpose it was collected. While it is primarily intended to protect consumers, it will obviously pose a real cost to those businesses that need to update their compliance.
What counts as personal data?
The GDPR’s definition of ‘personal data’ is much more detailed than that of the current DPA. According to the GDPR, personal data is:
“any information relating to an identified or identifiable person”
This more detailed definition reflects changes and advances in technology and in how organisations collect and record information about people. Personal data could include (but is not limited to):
Name, address and unique identifying numbers;
Demographic data, such as age, gender or income;
Behavioural data, such as web search history and purchase history;
Social data, such as social media friends lists, email content and address books;
Sensor data, such as biometrics and data from health tracking apps and devices.