General Data Protection Regulation (GDPR) from a Legal Point of View
It is important in this “data” era to protect the personal data of everyone, everywhere. To fulfill this aim, the European Union (EU) took major steps and issued an important regulation, the General Data Protection Regulation (GDPR). The GDPR applies to different types of data processing carried out by organizations operating within or outside the EU. It applies to entities outside the EU that offer goods or services to individuals in the EU.
GDPR applies mainly to the protection of personal data; however, there are exemptions, as GDPR does not apply to certain activities, including certain instances of data processing that are covered by the law enforcement directives, processing for national security purposes, and processing carried out by individuals purely for personal activities. For clarity, the regulation specifies the types of exemptions that apply whenever required. To streamline the process, GDPR applies to ‘controllers’ and ‘processors’. The controller is the body that determines how and why personal data is processed, whereas the processor is the body that acts on the controller’s behalf and under its control. If you happen to be a processor, GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and of the processing activities undertaken. As a processor, you have more legal liability if you are responsible for any breach. Obligations for processors are new requirements under GDPR, and they confirm the EU’s firm strategy of adopting stringent rules to regulate personal data and curb the hugely destructive misuse we are facing. However, controllers are not relieved of their obligations where a processor is involved. GDPR places further obligations on controllers to ensure that their contracts with processors comply with the provisions of the GDPR.
As a general rule, GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier or an IP address can be personal data. The definition provides for a wide range of personal identifiers as personal data, reflecting changes in technology and in the way organizations collect information about individuals. This matters because most organizations keep HR records, customer lists, contact details, and the like. GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This definition could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymized or key-coded can fall within the scope of GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual. I believe the justification behind covering both automated and manual filing systems is to cover all data processing; otherwise, there could be an escape route via manual data processing. It must be said that the EU’s GDPR gives a great boost to data protection, and it is good that it has been taken as a benchmark by countries in the region when issuing relevant laws.
by Dr. Abdel Gadir Warsama
Legal Counsel