Under the GDPR, “personal data” is defined as: “Any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify [them].” This could be:
Their name
A photograph of them
Their email or postal address
Bank account details
Medical information
Computer IP address
The GDPR applies if the data controller (i.e. the business or organisation that collects data), the data processor (i.e. the business or organisation that processes data for the controller) or the data subject (the person to whom the data refers) is based in the EU.
Under the GDPR, controllers must ensure that personal data is processed lawfully, transparently and for a specific purpose, after which – if the data is no longer required – it must be deleted.
The GDPR will apply to all businesses that store and process the personal data of data subjects living in the EU. So, UK companies collecting or processing personal data must comply with the GDPR, because the UK will not leave the EU until after May 2018. And according to the ICO: “The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”
Even after the UK leaves the EU, UK firms collecting or processing the personal data of people living in the EU will have to comply with the GDPR.