Who will GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same, with a few enhancements to key areas such as the introduction of ‘the right to be forgotten’, data portability, breach notifications and greater accountability.
If you are a processor, the GDPR will place greater liability on you, for example if a breach occurs. Controllers have greater responsibility to ensure contracts with processors are operated correctly.
The GDPR applies to processing carried out by organisations operating within the EU and outside the EU.
The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities. There are further obligations under the Electronic Commerce (EC Directive) Regulations 2002; these specifically deal with online selling and buying activities through eCommerce functionality.