Yesterday I wrote a blog about how the UK and the Irish regulators are being more lenient if you need more time to respond to requests under the GDPR. If you don’t know anything about those requests, that blog didn’t enlighten you. There are eight individual rights set forth in the GDPR. Seven of these rights are subject to the time limitations discussed in yesterday’s blog. Each of those eight rights will be the subject of its own blog in the next several weeks. The purpose of today’s blog is to introduce you to the jargon used in the GDPR so when you read the blogs about the individual rights in the GDPR, you’ll understand the terminology.
The GDPR uses many legal, compliance, and regulatory terms that are heavy with jargon. It is hard to explain what the GDPR says without giving you a dictionary to define some of these terms. You may say “Just use plain English!” But in the following cases there just aren’t plain-English substitutes for these terms. So, where necessary, the GDPR terms will be used with links back to this blog to remind you what these terms mean.
The GDPR applies to “personal data.” The term “personal data” means any information relating to an identified or identifiable natural person. An “identifiable natural person” means one who can be identified, directly or indirectly, by reference to an identifier (e.g. name, identification number). In these blogs, this natural person is going to be referred to as an “individual.” A less “formal” term is being used to help you navigate.
The GDPR applies to the “processing” of “personal data.” “Processing” means any operation or set of operations which is performed on personal data or sets of personal data (e.g. use, erasure, destruction).
The types of businesses and individuals that “process” “personal data” are “controllers,” “processors,” and “third parties.” A “controller” determines, alone or jointly with others, the purposes and means of the “processing” of “personal data.” A “processor” “processes” “personal data” on behalf of the “controller.” A “third party,” under direct authority of the “controller” or “processor,” is authorized to “process” “personal data.”
How does this apply to you as a small or medium-sized enterprise (SME)? If you process personal data, you can be a controller, a processor, or a third party: a controller if you determine how the personal data is processed, a processor if you process the personal data on behalf of the controller, or a third party if you have the authority from the controller or the processor to process the personal data.
This blog is the first in a series of blogs that will explain, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.