Skip to main content
Get in touch
en de

Solutions Overview

Platform overview

Platform overview

To help you take control of your training, Sponge's cutting-edge learning management platform is designed to make learning easy and drive behavioural change.

Learn more

About Overview

We’re hiring!

We have exciting new roles available. Join our growing team and begin an unforgettable journey.

Learn more

Looking for something?

Home / Resources / Introduction to the GDPR

Introduction to the GDPR

Date:

It’s been 19 years since the Data Protection Act was introduced, and the European Union has set out to give it a makeover with some tough new rules on how businesses should store and use personal data. Fortunately, Sponge have digested the new regulation and we’re going to break it down into manageable chunks, showing you how it will apply to your business.

The General Data Protection Regulation (GDPR) is the new and improved legal framework devised by the European Union to help safeguard people’s rights when it comes to their personal data. It’s set to take over from the current Data Protection Act (DPA), applying to all of Europe instead of just the UK.

You may be thinking... But Brexit? The UK government have confirmed that regardless of how the negotiations go the new laws will still apply to us.

You’ll need to make sure that your processes when handling personal data are compliant, otherwise you’ll be looking at

not a small number! 

Who does the GDPR apply to?

There’s two main labels used within the GDPR, ‘Controllers’ and ‘Processors’. Controllers are businesses (or even individual people) that collect personal data and decide how it should be used. For example, you’d be a controller if you:

  • Collect someone’s name and address when they purchase a product from your online shop so that you can ship the item to them.
  • Collect someone’s email address when they’re signing up for your subscription-based web app.
  • Collect someone’s contact details when they’re making a booking on your website.

Processors, on the other hand, don’t actually collect any data for themselves. Processors are chosen by the controller to handle processing of the personal data. Processing has a lengthy description, but covers actions such as viewing, altering or deleting data.

If you work with any personal data that you didn’t directly collect and you’ve been given a task that uses this data, you’re likely considered to be a processor.

It’s not only about collecting data from the web. When you check in to a hotel and they take a copy of your passport, they’re collecting your personal data and are still considered a controller.

What is personal data?

Personal data is any piece of information that could be used to identify a person. This could be their name, their email address, phone number or even their IP address!

There’s also a second type of data that the GDPR talks about; Sensitive personal data. This, again, has a long definition but mainly concerns data that could reveal someone’s racial/ethnic origins, religious beliefs or sexual orientation. Rules around collecting and using sensitive data are a bit tougher, but if you’ve got consent from the person then you’ll likely be fine.

Are you aware that Sponge also offer GDPR compliance training for your employees? 

Request a demo

Summary

This article has been a quick introduction to a long and complicated regulation that will affect many businesses operating in the EU. The next article in this series will focus on the 6 principles of the GDPR and how to start preparing for the changes.