What Data does the GDPR apply to?
Like the DPA, the GDPR applies to all ‘Personal Data’. However, the GDPR definition is more detailed and makes it clear that information such as an online identifier – for example an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations that keep HR records, customer lists, contact details and the like, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal Data that has been pseudonymised can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive Personal Data
The GDPR refers to sensitive personal data as ‘special categories of personal data’. These categories are broadly the same as those in the DPA, but there are some minor changes.
For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing.
Children’s Personal Data
The GDPR contains new provisions intended to enhance the protection of children’s personal data.
Privacy Notices for Children
Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.
Online Services offered to children
The GDPR states that, if consent is your basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves; instead, consent is required from a person holding ‘parental responsibility’. Note, however, that it does permit member states to provide for a lower age in law, as long as it is not below 13.
Parental / guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.