General Data Protection Regulation Questions and Answers
There are a number of questions that are being asked of Clayton Security from social media sites and inevitably, due to the nature of the regulation and its intricacies, the answers exceed the number of characters
available on the site. Therefore, I am answering them here and referring back to this page. If you have questions, feel free to submit them through the Contact us link below and we will do our best to answer them here.

Questions submtted via Linked-In

What's your angle? I hear the difficulty lies in employee data since the initial focus was on social media and cloud systems. Where does medical data stand? 

You are right to focus on employee data since most experts will tell you it is exempt. The GDPR makes some exemptions for companies with fewer than 250 employees but as soon as you hit the 250th employee these exemptions do not apply. 
However, there are some caveats to the exemption in the GDPR. First of all there is consent to process data. A company can claim that they have consent due to the need for the performance of a contract; the employee contract (Article 7). But there needs to be a clause in the employee contract that states this. Of course there is the need to ensure that it is in plain English and covers all processing activities carried out and so perhaps a better way is to have a consent document that needs to be signed. 
Then there is the processing of special categories of personal data or “sensitive data” (Article 9, b & h). These are exempt (there is no mention regarding the fewer than 250 employees provision and so there is an inconsistency there), but the door is left open for individual Member States to regulate further and negate this exemption. This does not mean that the penalties under GDPR would apply; in this case it is up to the member state. 
There is also the requirement of keep in records of processing activities (Article 30) which is again exempt under the provision for fewer than 250 employees. 
As for social media, there is no mention of it either in the articles or in the recitals and so it is conjecture to whether the initial focus was to do with it. Of course it has an impact on social media not least the provision for the right to be forgotten properly known as the right to erasure in Article 17. 
Finally there is the question about medical records which come under the special category (Article 9). First of all, medical records only become sensitive if they are associated with an identity of a living natural person. It should be noted here that association should be taken in the wider sense in that, if the identity can be known by collating data from disparate sources, then it becomes personal data. An example is where data of someone is suffering from a rare condition is associated with the other data that is freely available such as a charity drive for a named person. The linking could be as simple as the hospital where they are being treated. 
Otherwise, the processing of medical records, as a special category, is prohibited (Article 9) with 10 exemptions (paragraph 2 items a to j). Again the door is left open for member states to introduce their own laws with respect to the processing of genetic data, biometric data or data concerning health. 
This is a long answer, but to take your first question, what’s my angle? Well the GDPR is an intricate regulation, some might say draconian, others might say Machiavellian. My view is that we will only know if we have interpreted it correctly when the first companies are taken to court and judgements are handed down. Until then it is belts and braces, and hope for the best but prepare for the worst. 


Contact us                                                                                                     Date updated 01/08/17
To change the appearance of the page, edit the styles of the corresponding elements (in most cases by using the "Main Frame" Style Zone).  
To change the menu’s links: edit, copy-paste, or delete the Link Elements within. 
To hide an element without deleting it, use its property Visible.
To "activate" displaying of an arrow, use its property "Visible"