How GDPR Relates to You Personally
Does GDPR Apply to Individuals?
The General Data Protection Regulation, which became enforceable in May 2018, is a broad and comprehensive piece of legislation designed to protect the personal information and data of individuals, to place more stringent responsibilities upon organisations that handle personal data, and to address the rapidly evolving role that data plays in our increasingly technology-dependent world.
Introduced in 2016 and made enforceable two years later, the GDPR was incorporated into the individual legal systems of European Union countries, including the UK, and applies not only to businesses and organisations operating within this zone, but to all entities responsible for handling and using personal data collected within these areas.
In the UK, for example, the GDPR was incorporated in the form of the Data Protection Act 2018, which replaced the preceding Data Protection Act of 1998.
What is Personal Data? Key Definition
Before we answer how GDPR applies to individuals, we must first define the key term of ‘personal data’. According to enforcement bodies, personal data is information that relates to an identified or identifiable individual.
Though this may be as simple as a full name, address or phone number, personal data can also take the form of other identifiers such as an IP address or browsing data.
How Does GDPR Apply to Individuals?
If you are operating a business or organisation that handles personal data, then you are obliged to comply with all of the rules under the GDPR, including the seven principles of the GDPR, and to operate in a manner consistent with, and upholding, the eight individual rights.
Under the GDPR, there are several exemptions to rights and obligations, including, though not limited to, personal or household activities, law enforcement and national security.
In relation to the GDPR’s application to individuals, the GDPR and the Data Protection Act do set out exemptions from some of the rights and obligations in some circumstances, though whether an exemption is applicable to you often depends on the reason for processing personal data.
In the case of personal or household activities, the Information Commissioner’s Office in the UK outlines the exemption as being the processing of personal data in the course of a ‘purely’ personal or household activity, with “no connection to a professional or commercial activity”.
This means that if you only use personal data, such as an address or name, for writing to friends or family, the GDPR would not apply to you as an individual.
As noted, the applicability of the GDPR is often dependent upon the purpose of processing, and though there are clear examples of how the GDPR would not apply to an individual, there are possible edge cases, such as the running of a blog.
Exemptions and How They Apply to Individuals
Though a blog may not be an overt commercial enterprise, if personal data such as email addresses or names is being collected, then, depending on the purpose of the blog and any processing applied to the personal data, it is possible that you may be subject to the rules of the GDPR.
Given the relative newness of the GDPR, there is not yet a substantial body of precedents, and the legislation leaves enough grey area that it would be difficult to predict how a court may decide to interpret the legislation.
When considering how GDPR applies to individuals, it is also important to understand that, as the ICO notes, enforcement bodies will consider if an exemption is applicable on a ‘case-by-case’ basis.
Fines Under GDPR
Having hopefully answered how the GDPR applies to individuals, it is also worth taking a moment to appreciate the potential costs of failing to comply with data protection legislation.
Under the GDPR, businesses and organisations now face greater fines than ever for failing to comply, with enforcement bodies now capable of handing out fines of up to 20 million euros or 4% of the total annual turnover of a business, whichever is greater.
Data Protection Act Exemptions
If you’d like to understand more about how exemptions in the GDPR apply to individuals and to other activities, you can read our comprehensive piece on DPA exemptions.