By Dr Kerry Beynon
But with all the talk about GDPR being the biggest change to data protection legislation in a generation, what will the situation be on 25 May 2018? Here are four key things to bear in mind:
Reference to sensitive personal data is changing – under the GDPR it will be known as special category data.
You cannot process special category personal data unless an exemption applies.
The definition of special category data has been expanded and now expressly includes biometric data and genetic data.
What you may consider to be basic personal data may fall within the scope of special category data if you’re using it specifically for a purpose that is considered to be within a special category.
For example, you may decide that you want to market your goods or services to people of a particular ethnic origin. Surnames can sometimes indicate a person’s ethnic origin, but using names to segment personal data by ethnic origin may mean that your activities are unlawful. Under the GDPR, personal data that reveals racial or ethnic origin is special category data and the processing of this data is prohibited unless an exemption applies.
So, you should consider not only whether the type of personal data that you are processing is defined as special category data, but also whether your purposes for using the personal data brings the data within scope.
For more information on what the GDPR means for your organisation, get in touch with our data protection team
Kerry specialises in data protection, IT/IP and commercial law. Before entering legal practice, she taught IP and contract law at Swansea University and worked for an award-winning project aimed at protecting the IP rights of small to medium sized enterprises. A member of the Chartered Institute of Arbitrators, Kerry is also a solicitor-advocate with higher rights of audience in both the civil and criminal courts. Kerry has passed the Certified EU General Data Protection Regulation Practitioner qualification awarded by IBITGQ and accredited to ISO 17024.