GDPR When There's No Data Collection

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 06 November 2025.

At first glance, the GDPR is a law that restricts how organizations collect data. It might seem logical that if you don't collect data, the GDPR doesn't apply to you.

However, the scope of the law is actually much wider than merely collecting data. It also has knock-on effects that mean you must or should take various actions, including having a Privacy Policy, even if you aren't subject to the GDPR.

Here's what you need to know and do.


What Is The GDPR?

The General Data Protection Regulation (GDPR) is a data protection law that restricts how people and organizations use personal data.

The GDPR generally applies if you, the person the data is about, or the data use itself is in a European Union country. Identical or similar rules apply in Iceland, Norway, Liechtenstein and the United Kingdom.

The main GDPR rule is that you can only use personal data for specific reasons. The most relevant for businesses are that somebody has explicitly consented to you using their data, or that you need to use it for your normal business operations in a way that people would reasonably expect and that doesn't outweigh their privacy rights.

The GDPR also means you'll need to publish a Privacy Policy, secure the personal data you hold, and handle data access requests where people ask to know what data you hold on them and correct any errors.

What Counts as Personal Data?

You might think the GDPR doesn't apply because you don't class the data you collect as personal. That could be a mistake.

The GDPR definition of personal data is very wide. It's any information:

"relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

The key is that personal data isn't limited to a specific type of information, but rather the fact it relates to an identifiable individual. You might guess that a passport number or a health record was personal data, but here are just a few examples you might not realize can count as personal data:

  • Somebody's purchase history at a website.
  • An online wishlist at a retail site.
  • Whether or not they are in a relationship.
  • Their salary.
  • How many days of sick leave they have taken.
  • Whether they have been in a vehicle collision.

You must be particularly careful about data that can be combined to identify an individual. For example, a cookie that tracks online activity might not be personal data. However, if it contains a reference number that corresponds to their user account, which includes their name and address, the cookie could count as personal data.

The Guardian's Privacy Policy notes that the way somebody uses a site, such as which pages they click on, counts as personal data:

Guardian Privacy Policy Definition of Personal Data

Personal data can also include inferred data. For example, imagine you work for a local left-wing politician. You know that somebody is a member of a trade union, has liked the page of a political party leader on Facebook, and has signed an online petition against welfare cuts.

Using this knowledge, you add them to a list of people likely to volunteer for the local politician in the next election. Including them on this list is inferred data and comes under the GDPR. Adding them to the list, contacting them to see if they will volunteer, or sharing their name with politicians in another area all count as processing this inferred personal data, meaning you must follow the rules.

People often get confused on this topic because they are thinking of sensitive or "special category" data. This is a much more restricted list that covers specific things like government-issued numbers or sexual orientation. The rules on using this type of personal data are tighter because the potential for harm if you break the rules is greater.

What If You Don't Collect Data?

People often associate the GDPR with data collection as that's the moment when businesses are most likely to directly consider issues such as consent and Privacy Policies. However, the GDPR doesn't apply solely to data collection. It instead covers data processing.

The GDPR defines processing as:

"any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

To put that in simple terms, you need to think about GDPR if you:

  • Collect personal data.
  • Use personal data.
  • Pass on personal data (whether you sell it or share it).
  • Alter or destroy personal data.

This means you can't simply ignore the GDPR if you don't actively collect personal data. You must think about any data you use, however you got it. You must also think about any data you get from a third party such as a mailing list or as part of a merger or takeover.

Dodd Accountants' Privacy Policy lists some of the ways it uses personal data:

Dodd Accounts Privacy Policy Purposes Table

Rightmove gets personal data from several sources. Its use of this data comes under the GDPR even though it has not directly "collected" the data from the person in question.

Rightmove Privacy Policy Sources of Personal Data

How Else Might The GDPR Affect Me?

Let's break down some specific scenarios where you aren't directly subject to the GDPR, but its indirect effects mean you need to be aware of, and follow, its requirements.

Receiving Data Outside The EU

If you receive personal data from a business based in an EU country, the GDPR could affect you even if you are outside the EU. That's because the GDPR says it's only lawful to transfer personal data outside the EU with specific safeguards to make sure it still has the same level of protection.

In some cases, this can be covered by an "adequacy decision" where the EU rules that a particular country's data protection laws already offer this protection. (The United States previously came under this exemption through a 'Safe Harbor' agreement, but this no longer applies.)

In other cases, the company sending the data must have a legally binding agreement with the company receiving it, guaranteeing it will protect it in the same way as the GDPR. This can be through terms in a contract between two unconnected businesses, or through corporate rules (a formal policy) for two connected businesses such as sister companies or subsidiaries.

This means that the company receiving the data will effectively have to follow the GDPR despite neither collecting the data, nor being directly subject to the GDPR.

The EU's suggested contract terms include a guarantee that the recipient will follow the GDPR rule on keeping data accurate and up to date:

GDPR Rule on Accuracy and Data Minimisation

Data Processors

The GDPR distinguishes between data controllers (who decide what data to process and how to do it) and data processors (who process data on behalf of a customer). This covers a wide range of situations such as overseas call centers or using a third party to process application forms or other documents.

The two sides must have a legally binding "data processing agreement" that says the processing will follow the GDPR. If you're the data processor, you'll need to follow the GDPR even though you didn't collect the data or make any key decisions about its processing.

Cookie Information's data processing agreement means the processor commits to following the GDPR rules on data security:

Cookie Information Data Processing Information

Acquiring Data

You might acquire data from a third party, for example buying a mailing list from a marketing specialist or taking over another company and getting their customer records. You will still be subject to the GDPR for this data even if you haven't used it for any business activity yet. As soon as you perform any operations on it, including storing it, you are classed as processing it and thus subject to the GDPR.

What If I'm Definitely Not Covered By The GDPR?

Even if your data use is not covered by the GDPR, you may still need to follow some or all of its measures. Even if you don't need to follow the rules, it can be a smart business move to do so. In particular, it may be necessary or beneficial to publish a Privacy Policy.

That's a document detailing what data you collect (or what types), why and how you use it, whether you share it, how long you keep it, and what rights people have to access, correct or remove their data.

Requirements

Many third party service providers require that you publish a Privacy Policy, similar to that required under the GDPR. Examples include:

Guideblox is clear that its users must have and publish a Privacy Policy, even if it isn't legally required:

Guideblox Privacy Policy Requirement

Voluntary Publication

Even if you are under no legal requirement to publish a Privacy Policy, it's a smart idea to do so. It will mean you are ready if anything changes and you become subject to the GDPR or similar laws. If you don't collect any personal data, you can make this clear in a Privacy Policy, which may reassure customers and even make you more attractive to potential customers.

GHG Solutions collects virtually no personal data. Its Privacy Policy makes this clear:

GHG Solutions - Privacy Policy - What data do we collect

If you are producing a Privacy Policy, it's usually best to carry out a data processing or privacy audit. This means putting together details of what personal data you collect, why you use it, how long you keep it, and how you secure it. This can often uncover inconsistencies or incomplete policies, such as not having a clear plan for if and when you will delete personal data or retain it.

Summary

The GDPR is a European Union data law that covers processing personal data. The definition of personal data is particularly wide. Meanwhile "processing" covers any use of the data, not just collecting it.

Even if you aren't directly subject to the GDPR, you may be indirectly required to follow its rules. This could happen if a business in the EU shares data with you; if you process data on somebody else's behalf; or if you acquire data through a merger or takeover.

Even when the GDPR doesn't affect you, you may need or want to follow some of its key measures, particularly auditing your data handling and publishing a Privacy Policy. This may be a requirement of some online services where you handle data and can also be a good way to build trust with customers.