How GDPR Relates to You Personally

Does GDPR Apply to Individuals?

The General Data Protection Regulation, which was made enforceable in May of 2018, is a broad and comprehensive piece of legislation designed to protect the personal information and data of individuals, to place more stringent responsibilities upon organisations who handle personal data, and to address the rapidly evolving role that data plays in our increasingly technology-dependent world.

Introduced in 2016 and made enforceable two years later, the GDPR was incorporated into the individual legal systems across European Union countries, including the UK, and applies not only to businesses and organisations operating within this zone, but to all entities which are responsible for handling and using personal data collected within these areas.

In the UK, for example, the GDPR was incorporated in the form of the Data Protection Act 2018, which replaced the preceding Data Protection Act of 1998.

What is Personal Data? Key Definition

Before we answer how GDPR applies to individuals, we must first define the key term of ‘personal data’. According to enforcement bodies, personal data is information that relates to an identified or identifiable individual.

Though this may be as simple as a full name, address or phone number, personal data can also take the form of other identifiers such as an IP address or browsing data.

How Does GDPR Apply to Individuals?

If you are operating a business or organisation which is handling personal data, then you are obliged to comply with all of the rules under the GDPR, including the seven principles of GDPR, and to operate in a manner consistent with, and upholding, the eight individual rights.

Under the GDPR, there are several exemptions to rights and obligations, including, though not limited to, personal or household activities, law enforcement and national security.

In relation to the GDPR’s application to individuals, the GDPR and Data Protection Act do set out exemptions from some of the rights and obligations in some circumstances, though whether an exemption is applicable to you often depends on the reason for processing personal data.

In the case of personal or household activities, the Information Commissioner’s Office in the UK outlines the exemption as being the processing of personal data in the course of a ‘purely’ personal or household activity, with “no connection to a professional or commercial activity”.

This means that if you were only to use personal data, such as an address or name, for writing to friends or family, the GDPR would not apply to you in that case.

As noted, the applicability of GDPR is often dependent upon the purpose of processing, and though there are clear examples of how GDPR would not apply to an individual, there are possible edge cases to be found, such as the running of a blog.

Exemptions and How They Apply to Individuals

Though a blog may not be an overt commercial enterprise, if personal data such as email addresses or names is being collected, then, depending on the purpose of the blog and any processes applied to the personal data, it is possible that you may be beholden to the rules of GDPR.

Given the relative newness of the GDPR, there is not yet a substantial body of precedents, and the legislation leaves enough grey area that it would be difficult to predict how a court may decide to interpret the legislation.

When considering how GDPR applies to individuals, it is also important to understand that, as the ICO notes, enforcement bodies will consider if an exemption is applicable on a ‘case-by-case’ basis.

Fines Under GDPR

Having hopefully answered how GDPR applies to individuals, it is also worth taking a moment to appreciate the potential costs of failing to comply with data protection legislation.

Under the GDPR, businesses and organisations now face greater-than-ever fines for failing to comply, with enforcement bodies now capable of handing out fines equivalent to 20m Euros or 4% of the total annual turnover of a business, whichever is greater.

Data Protection Act Exemptions

If you’d like to understand more about how exemptions in the GDPR apply to individuals and to other activities, you can find our comprehensive piece on DPA exemptions here.