A Guide To GDPR Exemptions
General Data Protection Regulation, or GDPR as it is more commonly known, has been an important and widely discussed topic in recent years. With GDPR becoming law in May last year, most businesses had to quickly educate themselves on these new regulations in order to ensure they are compliant. Those who do not meet the regulations that have been set out can face huge fines, and for bigger companies these can be upwards of $10 million - not something to be taken lightly!
With such high importance being placed on these new regulations, it’s vital that all businesses are aware of what is expected of them. But as with anything, there are some exceptions to the rule. Some circumstances provide an exemption from GDPR provisions, and you need a clear understanding of what these exemptions are to ensure your business knows when, and which, rules it needs to follow. This guide from Evalian will recap what GDPR means, who is exempt and how these exemptions work.
What is GDPR?
General Data Protection Regulation (GDPR) is the new law surrounding the privacy of personal data. It is EU legislation which ensures that all the private data of EU residents being collected by businesses is kept safe and secure. It also means that they can request access to this information at any time, as well as ask for it to be removed from the database.
Who must comply with GDPR?
While these are EU regulations, any business handling the personal data of EU citizens must comply, no matter which part of the world they are based in. As such, almost all companies will be affected by GDPR in one way or another. These rules are not just for big businesses; they apply to businesses of all sizes. It’s a common misconception that smaller businesses or individual traders/professionals don’t have to meet these regulations, but that’s simply not the case. Apart from the occasional exemptions which we will outline below, all businesses must comply with GDPR.
How do exemptions work?
There are only a few exemptions, and they depend solely on your purpose for collecting or processing the personal data. You may be exempt from GDPR if following the regulations would prevent or impair your ability to use your data in the intended manner, or if following GDPR could have a negative impact on what you're doing. For example, if following the regulations could lead to prejudice in some way, then you may be exempt from GDPR.
However, whatever the reason for not following these regulations, it’s best not to simply rely on exemptions, as these are often assessed on a case-by-case basis. We’ll look at the different grounds for exemption below, but if you're unsure whether you are exempt or not, it’s always best to seek legal advice before making an assumption.
What are the exemptions to GDPR?
In some circumstances you may be exempt from GDPR, which means you don't have to comply with some or all of the usual regulations. These exemptions fall into a number of categories, from law enforcement to public interest. We’ve broken them into five categories, giving examples of each to help you better understand these exemptions and whether they apply to you.
1. Law enforcement
This is the biggest category, as there are so many possible exemptions within law enforcement, public protection and the judicial system. In fact, the processing of data by what are referred to as ‘competent authorities’, such as the police, is outside the scope of GDPR altogether and instead falls under its own separate laws. In most instances of crime, taxation, risk assessment, legal professional privilege, immigration and audit functions, the rules of GDPR do not apply.
The same also applies to a large amount of health data. Of course, that doesn't mean any health professional can ignore these regulations at will. But in cases of serious potential harm, or where health data is processed by a court against an individual's wishes, there are some exemptions, and those in charge have the right to withhold the data. This also applies to social work, education and child abuse data. Finally, there are a number of regulatory, parliamentary and judicial exemptions to GDPR. These include parliamentary privilege, judicial appointments and legal services.
2. National security
Following on from the exemptions outlined above, personal data can be collected and processed if it is in the interest of safeguarding national security or defence. This could also mean denying access to information depending on the situation, particularly where there is a conflict of interest or where disclosure could cause prejudice in some way.
3. Finance and management
There are some financial and management situations in which individuals or businesses can refuse to share data, because sharing the information could create a conflict of interest. Examples include a negotiation, an insurance claim, a management plan in which an employee faces redundancy, or a situation where sharing the information could affect business activity or the functioning of financial markets.
4. Public interest
In some cases, journalists or researchers might request information or need to collect personal data in a way that doesn't comply with GDPR. This exemption only applies if the person or body collecting the data genuinely believes that the information is in the public interest and must be shared or published.
5. Domestic use
It might appear obvious, but with so much information out there and a certain level of scaremongering going on, there is a lot of confusion about how GDPR applies to people's personal lives. Using personal data for domestic purposes, such as writing a letter to a friend or taking and sharing photos for your own personal enjoyment, is fine. You do not need to panic about GDPR simply because you have a few numbers in your address book and a smartphone full of photos.