The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. Both data processors and controllers will face further obligations imposed on them.
The definition of 'personal data' is expanded under the GDPR. Under the Data Protection Act, 'personal data' (for example, the data requested under a SAR) is information 'capable of identifying' the person making the request, but the definition found in the ICO Guidance provides caveats and contradictory statements which blur the meaning.
The GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
"The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world," said Mr Hancock MP in a statement.
"It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit," he added.
Proposals included in the bill will:
- make it simpler for people to withdraw consent for their personal data to be used
- let people ask for data to be deleted
- require firms to obtain "explicit" consent when they process sensitive personal data
- expand personal data to include IP addresses, DNA and small text files known as cookies
- let people get hold of the information organisations hold on them much more freely
- make re-identifying people from anonymised or pseudonymised data a criminal offence
This places a strong burden on firms to protect data and allows for significant fines if they fail to protect information or suffer a breach.