Featured in JEP’s Expert Panel – 14th March 2018
A:
While GDPR considers the nature, scope, context and purpose of your data processing when assessing the appropriateness of your technical, security and organisational measures, the focus is directed more towards the type of data you are processing and the resultant risks to the rights and freedoms of the data subjects.
For example, A30(5) of GDPR provides for exemptions from having to maintain a comprehensive record of processing where you have fewer than 250 employees. However, this exemption does not apply when the data being processed is ‘special category’ data or relates to criminal convictions or offences.
A9 of GDPR states that ‘special category’ data covers race, ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, genetic data, biometric data, health data, and a person’s sex or sexual orientation.
So under GDPR, it’s the fact that you process a person’s health data that brings you into scope of the full obligations of GDPR in this example. There is still consideration given to the size of your organisation, but there is far more emphasis on how you are managing the security, confidentiality and processing of this high-risk ‘special category’ data.