GDPR applies to any business collecting, using or storing personal data, but what does that mean?
Does it apply to your business?
Personal Data is defined as;
‘Any information relating to an identified or identifiable (directly or indirectly) natural person’ (you might see this referred to as a ‘Data Subject’).
So as an example if you collect, use or keep any details of an individual, it is likely that it will fall into the scope of personal data. Some Examples include (but are not limited to):
Directly Identifiable would be one piece of information which uniquely identifies an individual such as a driving license or passport number. Indirectly identifiable data would generally be information which could be pieced together to identify the person for example:
A Postcode and date of birth could be enough in most cases to identify an individual or something as simple as a name with an address. Email addresses with full names and company names are also common examples.
There are lots of different examples of this and the scope of GDPR is far-reaching so organisations need to be sure that they fully understand what information they have and how they use it.
GDPR also applies to Sensitive Personal Data as;
‘Special Categories of information relating to an identified or identifiable Natural Person (Data Subject). Examples include: Racial or Ethnic Origin, Political Opinions, Religious or Philosophical Beliefs, Trade Union Membership, Genetic data, biometric data, sex life or sexual orientation.
Think about your own business. Do you keep employee details, remember your employees are Data Subjects too. Do you hold or store contact lists or client files with any of this type of information included?
Remember also that details belonging to sole traders can fall into this category as can business email addresses which contain FirstName.LastName@BusinessName. If this is enough to identify an individual and you collect, store and use it then make sure you are protecting that data.