Who Does GDPR Affect?

Who Does GDPR Affect? Just about everyone!

GDPR, short for the General Data Protection Act, affects everyone in the European Union plus anyone else who has anything to do with an EU citizen’s personal data. GDPR affects anyone who lives in the European Union or anyone who either collects or processes the personal data that belongs to a European Union citizen. Violating the General Data Protection Act comes with some serious fines.

Did that answer your question? I bet not! Let’s break it down a bit and start with defining personal data.

What is Personal Data?

Personal data is any information or details about an individual that can identify or be traced back to that person. Examples of personal data include:

  • a first name combined with a surname
  • street addresses
  • any email addresses that identifies an individual, for example firstname.surname@whateverdomain.com
  • location data from a smartphone
  • an Internet Protocol (IP) address
  • internet cookies
  • a smartphone’s advertising identifier, for example AdID (Android) or IDFA (Apple)
  • medical data that identifies an individual

Data that has been anonymized is not considered personally identifiable. Anonymized data is information that has been securely hashed or randomized through a process that cannot be reversed.

Are children affected by GDPR?

Yes, children are affected by GDPR. There are special circumstances regarding the collection of personal data about children. The age ranges are determined by the individual EU members, however any child between the ages of 13 and 16 years receives special consideration. A person that is 17 years of age can give their own consent. Any organization trying to collect or process personal data from an EU child must obtain the parents’ consent.

Businesses and organizations that function online and even offline, must comply with GDPR standards. GDPR law identifies two groups; collectors and data processors. These roles can include, but are not limited to:

  • staff management
  • payroll administrators
  • anyone who accesses a contacts database containing personal data
  • shredding documents that contain personal data
  • posting a photo of a person on a website
  • storing IP addresses or MAC addresses
  • security video cameras

Disclaimer: I am not a lawyer. The information in this blog post is provided for informational purposes only and may not reflect the current law in your jurisdiction. No information contained in this blog post should be construed as legal advice nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting based on any information included in, or accessible through, this blog post without seeking the appropriate legal or other professional advice on the facts and circumstances at issue from a lawyer licensed in the recipient’s state, country, or other appropriate jurisdiction.