What is the GDPR?

The General Data Protection Regulation (GDPR) is a data privacy regulation which came into force across the European Union (EU) in May 2018. It builds on many existing principles of EU data protection legislation to give individuals more rights and transparency over their personal information.

The GDPR takes into account changes in technology and developments in how data is used. It strengthens individuals’ rights in respect of their data, increases the obligations on the companies that use that data, and helps individuals better understand what organisations use their data for. In certain circumstances it gives individuals the ability to exercise enhanced rights over their data, such as obtaining a copy of it, demanding its deletion, or objecting to its use.

Why was the GDPR drafted?

Until GDPR came into force on 25 May 2018, there was just the outdated Data Protection Directive 1995, implemented in the UK as the Data Protection Act 1998. The world has changed dramatically since 1995 and new laws were needed to address the modern world of large-scale internet use and social media. Over the last 24 years businesses have become more dependent on the web and there has been a marked rise in the number of web-based companies and social media sites. As a result, misuse of the internet is far greater than in 1995.

When did GDPR come into effect?

The GDPR has applied to organisations across the world since 25th May 2018. Because GDPR is a regulation, not a directive, the UK did not need to draw up new legislation – instead, it applied automatically.

Who does the GDPR apply to?

Pretty much every business and organisation must comply with the EU’s data laws, even if they’re based in the US. This is because most companies have at least some data belonging to EU citizens stored on their servers, and it is the people the data belongs to who are protected, not the business that holds it.

What counts as personal data under the GDPR?

The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information.

Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.

What's the 'right to be forgotten'?

GDPR makes it clear that people can have their data deleted at any time if it’s not relevant anymore – i.e. the company storing it no longer needs it for the purpose they collected it for.

What are the fines for breaches of GDPR?

Two tiers of fines exist under GDPR:

Firstly, your organisation faces a penalty of up to 2% of its annual turnover, or €10 million, for failing to report a data breach to the ICO within 72 hours of becoming aware of it.

Secondly, there is the fine for a breach of personal data itself. Data breaches under GDPR could be punished by a maximum fine of 4% of your organisation’s annual turnover, or €20 million, whichever is higher.

But what about Brexit?

Despite the vote to leave the European Union (‘Brexit’) in June 2016, the UK has still not legally left. Therefore, GDPR has taken effect and the UK must still comply.