In this episode of the GDPR mini-webinar series, Amar Singh and Chris Payne discuss the topic of applicability.
Amar: Welcome to Cyber Management Alliance’s mini-webinar series on GDPR, the General Data Protection Regulation, also known as EU GDPR. The first episode is on applicability and we’re going to dive straight in. I, Amar Singh, CEO and founder of Cyber Management Alliance, am joined by Chris Payne, Managing Director of Advanced Cyber Solutions. He knows his stuff and so do I, and we’re going to discuss this with you so that you learn the main points. I must stress, you must seek professional legal advice. This is for information only and to try to condense GDPR into a series of eight mini-webinars. This is the first one. Welcome. Chris, welcome. Material scope…
Chris: Yes, hello. Thank you, Amar, for the introduction. So, absolutely, material scope. I guess where we really need to start is: who does the GDPR apply to? I guess a lot of people would think that it's an obvious question with an obvious answer, but we should definitely cover it to make sure that people understand. And the first thing we need to talk about in material scope is what is exempt, because there are fewer things that are exempt from the GDPR than are included. So, in terms of GDPR, it's not really interested in any personal activities; so, your Christmas card list, your dinner party list, I guess maybe your phonebook of friends and family, that kind of activity is not covered under the GDPR. So, people don't have to worry about the personal aspects of their lives. The GDPR also doesn't apply to any instance of preventing crime, so the GDPR doesn't want to stand in the way of preventing crime and therefore it doesn't apply. And also it doesn't apply in instances of border control, so applications for asylum, possibly applications for visas, any kind of border crossing activity is exempt from the GDPR. Outside of those items, everything is included, and the way that material scope is defined under the GDPR is that if you are collecting and processing personal information about data subjects who are living, then you need to make sure that you comply with the GDPR. So, there’s a lot of terminology there; the first thing is personal information, and there is going to be a separate video on this particular subject, but personal information is the attributes of a human being that can be used to wholly or partially identify them, such as hair colour, eye colour, height, name, date of birth, things like that.
Chris: Absolutely, and also it’s only specifically interested in the idea of a living person. So, the deceased are not covered under GDPR.
Amar: So, Chris, I’m sure people might be thinking, what is processing over here? What does that entail? Marketing …
Chris: Yes, very, very good question, and so, the way it's kind of described in the regulation is that processing is any time when personal information is used by an automated system and, in all honesty, that’s just fancy talk for a computer. So, any situation where you're passing personal information through an electronic device is classed as processing. That could be writing an email, it could be marketing activity, it could be…
Chris: Absolutely. Those are all instances of the term processing. So, processing is a very, very broad term under the GDPR.
Amar: CRM, Customer Relationship Management, marketing systems, spreadsheets and analytics systems; everything is covered?
Chris: Absolutely, absolutely.
Amar: Ok, thank you; moving on. Another very important topic here, which is territories. People may think that because they are not in the EU, they are not covered. Let's cover this.
Chris: Yes. So, when it comes to the GDPR, there are only really two distinctions in terms of territories. So, there’s what we call Intra-Territories, or Intra-Territorial Zones, and Extra-Territorial Zones. And I guess maybe the flags make it a little bit obvious as to what we’re talking about here, but if your business is based in an EU or EEA member state, then you’re considered to be Intra-Territorial, you’re inside Europe essentially; and if you're not within one of those member states, then you’re considered to be Extra-Territorial. So, we listed it here as being the Rest of the World.
Amar: And the next one obviously covers, if you are within the EU, which is Intra-Territorial, everything applies. So, can you expand on this a little bit?
Chris: So, I’ll put a couple of example logos here. So, what we are really talking about when it comes to Intra-Territorial application is, it’s a European regulation so, naturally, it applies to European territories. If your organisation is based in one of those EU member states or EEA member states, then you are under an obligation to follow the terms of the GDPR, and there can be, maybe, some confusion for multinational companies as to where they’re based. So, what the GDPR says is that if you make the majority of your operational decisions in a particular country, then that's where you are based. So, it's not about possible umbrella companies or where your board happens to reside, it's about where your company exercises its organisational control.
Amar: Ok, that's relatively clear. What about those outside of the EU, the Extra-Territorial? Many of them listening in may think they’re not going to be covered by this, but I think we know what the answer is.
Chris: Well, I should allude to it: the answer is that they absolutely are included in it, but just in a slightly different way, and actually the example companies that I’ve listed here on the screen were some of the heaviest lobbyists against the regulation, because it still applies to them, even if they’re based in California. So, if you are Extra-Territorial and you supply or seek to supply goods or services to a European person, now, somebody based in Europe, it’s not necessarily somebody who is a citizen of Europe, you are expected to comply with the GDPR, and that is irrespective of payment. So, if you’re offering a free download to a European citizen and you collect their data and process it, you are bound by GDPR to make sure that you apply GDPR controls to that data that you’re collecting.
Amar: Even if you’re supplying a free service?
Chris: Absolutely. The regulation is very clear; it says irrespective of payment.
Amar: Excellent. That's a very important point here so, folks listening in, irrespective of whether you are charging or not, it applies to foreign organisations storing the personal information of data subjects that you are offering goods or services to. So, I am sure most people are still thinking about this topic, and many surprisingly recent statistics show that people think Brexit, Britain leaving the EU, means it may not apply, but it does, correct?
Chris: Absolutely correct, and I think maybe some of the confusion is around the poor timing of GDPR and the referendum votes. So, the GDPR was released to the member states in May of 2016 and of course we had the referendum in the UK in June of 2016. So, in May, we all believed the GDPR was going to apply to the UK and that became more of a question mark in June because of the conversations that were taking place about removing EU legislation from the UK. So, we’ve had some progress since then. The first one, which is probably the most important part, is that both central Government and the ICO have said, as of September 2016, that because the divorce proceedings for Brexit will take up to two years and possibly even more, some speculate, then once the GDPR is in application, which is May 2018, the UK will still be a member state of the EU and therefore GDPR will apply. That’s the easiest way to answer the question and that's been confirmed by both the central Government and the regulator. The other thing to talk about is the Great Repeal Act. So, there is absolutely a possibility that the UK may choose to withdraw from the GDPR once it has withdrawn from the European Union. However, we can speculate that’s probably not likely to be the case because, as we were just discussing, the UK would be considered an Extra-Territorial Zone and therefore, you know, for all of the data that UK companies collect about Europeans, they would be under an obligation to comply with the regulation anyway. You can see in the statistic that we’ve put there, we’ve rounded it off; it’s actually about 44% of UK exports that go to EU member states. So, there is a significant number of UK businesses that would be collecting personal data from Europeans and therefore they would be naturally obliged to follow the GDPR anyway.
Amar: So, folks, in or out, this still applies. Do not let it go. Just a polite reminder to everyone, you must seek your own professional legal advice. This is a summary of GDPR in an eight-part mini-series brought to you by Cyber Management Alliance and Advanced Cyber Solutions. And just a recap; if you’re holding a birthday party? No, you don't have to worry too much. If you’re holding a Christmas party or whatever party you’re holding, and you’re inviting people, you’re putting down names and emails, you don't have to worry. But anything other than that, if you’re doing something, if you have a tailor shop or if you have a taxi shop, if you’re processing personal information, if you are not sure, obviously check, but if you're doing it for commercial processing or not commercial, if you’re offering it free as a business, then you must check the ICO website; GDPR will apply. Finally, Chris, what are we going to talk about in the next episode?
Chris: So, the next episode is going to be about collecting personal information. So, we have very lightly touched on the idea of personal information, what it is, in this episode. We’re going to cover that in a lot more detail in episode 2, and we're also going to discuss some of the conditions around collecting it, how you must format that, and the sorts of things like expiration dates that the EU applies as well.
Amar: Excellent. Thank you everybody. Cyber Management Alliance’s mini-webinar series on GDPR. See you next time.