What Is GDPR?
The European Commission set out plans for data protection reform in 2012 to make Europe ‘fit for the digital age’. It took almost four years for an agreement to be reached on what was involved and how it would be enforced.
The result was the General Data Protection Regulation (GDPR), which finally came into effect on 25 May 2018. It is a European Union-wide framework that applies to organisations in every member state and affects not only businesses and individuals across Europe but also those elsewhere in the world: if a company touches the personal data of someone residing within the EU, GDPR applies, even if that company is based outside Europe.
GDPR is designed to give EU citizens more control over their personal data. It claims to simplify regulations so citizens and businesses in the EU can get maximum benefit from the ‘digital economy’.
Many of the laws and obligations surrounding personal data, privacy and consent were outdated. The latest reforms are designed for the internet-connected world we live in today, where nearly every aspect of our lives revolves around the collection and analysis of our personal data. Today’s world is one where governments, banks, social media networks and mobile apps record what we buy, what we read, where we go and what we eat, and this ‘data’ and more is willingly pushed into the public domain by almost 3 billion people worldwide and by the 85.7% of Europeans who are connected to the internet.
Who Does GDPR Apply To?
GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to individuals or businesses in the EU.
Article 4 of the General Data Protection Regulation identifies two different types of data-handler that the legislation applies to: data ‘processors’ and data ‘controllers’.
What Is A Data Controller?
A Data Controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
What is a Data Processor?
A Data Processor is a “person, public authority, agency or other body which processes personal data on behalf of the data controller”.
The UK’s Information Commissioner’s Office (ICO), the authority responsible for registering data controllers, taking action on data protection issues and handling concerns about the mishandling of data in the UK, states that “You now have significantly more legal liability if you are responsible for a breach. These obligations for data processors are a new requirement under the GDPR”.
GDPR makes a data processor responsible for maintaining and processing personal data records, with a much higher level of legal liability in the event of any breaches.
Data controllers also need to ensure that all contracts with data processors are compliant with GDPR.
What Does GDPR Mean For You?
GDPR expanded the previous definition of personal data to include not only name, address and photographs but also things like IP address, biometrics and genetic data. In fact, it covers any piece of data that could, on its own or in combination with other data, be used to uniquely identify an individual. The knock-on effect of this can be seen in Google’s new GA4 analytics platform and the move towards blocking third-party cookies.
What Does GDPR Mean For Businesses?
GDPR is a single set of rules that applies to all companies doing business within EU member states, meaning that the legislation extends beyond the borders of Europe itself. Many international organisations based outside Europe but conducting activities on ‘European soil’ still need to comply.
The European Commission hopes to save €2.3 billion annually across Europe by making it simpler and cheaper for businesses to operate. It also claims GDPR will encourage innovation by persuading companies to build data protection safeguards, such as data ‘pseudonymisation’, into new products and technologies at the initial development stage, fostering a ‘data protection by design’ culture.
What Does GDPR Mean For Consumers?
To ensure EU citizens can take appropriate measures to prevent any leaked personal data being abused, consumers are given the right to know when their data has been hacked, within 72 hours of the organisation first becoming aware of it, especially when the breach is likely to result in a risk to the rights and freedoms of individuals or to lead to financial loss, loss of confidentiality, discrimination, economic or social disadvantage, or reputational damage.
Consumers now have more control over how their personal data is processed: companies and government bodies are required to explain, in a clear and understandable way, how they intend to use customer information, and consumers must actively opt in to receive specific emails and texts. Furthermore, consumers should be provided with an easy way of opting out if they change their minds about their details being on a mailing list.
Do you need a Data Protection Officer?
All organisations need to ensure they have the skills and staff necessary to be compliant with GDPR.
An organisation must appoint a Data Protection Officer (DPO) if it is a public authority, if it carries out large-scale processing of special categories of data, or if it carries out large-scale monitoring of individuals, such as behaviour tracking.
There are no set criteria on who should be a DPO or what qualifications they should have, but according to the Information Commissioner’s Office, they should have professional experience in data protection law proportionate to what the organisation carries out.
What Are The GDPR Fines And Penalties?
Fines of 10 million euros or up to four per cent of the company’s annual global turnover could be imposed for failure to comply with GDPR, depending on the severity of the breach.
Ignoring subject access requests, unauthorised international transfer of personal data or failure to put procedures in place that result in the infringement of the rights of data subjects could mean a fine of 20 million euros or four per cent of worldwide annual turnover (whichever is greater).
Companies can also be fined half that for mishandling data in other ways. This means fines of 10 million euros or two per cent of worldwide turnover for failure to report a data breach, failure to build in privacy by design, or not appointing a data protection officer when required to.
The UK, Brexit, and GDPR?
The UK no longer being part of the EU doesn’t mean data subjects in the UK will be treated any differently. The UK government said early on that Brexit wouldn’t affect its implementation of GDPR, and it was implemented hand in hand with the UK’s own new data protection laws.