What is GDPR? Everything you need to know, from requirements to fines
Does your organisation comply with the toughest ever set of data protection rules?
What is the GDPR?
The General Data Protection Regulation (GDPR) strengthens the data rights of EU residents and harmonises data protection law across all member states, making it identical in each.
It increases the potential fines organisations face for misusing data, and makes it easier for people to discover what information organisations have on them. In essence, it seeks to bring more transparency to people about what data organisations collect, and what those organisations use it for, as well as enabling people to prevent unnecessary data collection.
Why was the GDPR drafted?
While many of the GDPR’s rules are similar to those defined in the EU’s Data Protection Directive 1995 (which was enshrined in UK law as the Data Protection Act 1998), the older directive was created before the age of social media, and before the internet had properly transformed the way we work and live.
Almost all of us have enjoyed the use of ‘free’ services from the likes of Google, Facebook and Twitter in exchange for a wide range of personal information – from names and email addresses, to political leanings and sexual orientations. Confusing terms and conditions and passive opt-out tick boxes made it harder for people to understand what exactly they were agreeing to give these tech giants.
The potential consequences of this widely-defined remit for personal data were demonstrated by Facebook’s Cambridge Analytica scandal, where a third-party app saw millions of users’ profile data scraped, allegedly to influence the outcome of the 2016 US election.
A separate aim of GDPR is to make it easier and cheaper for companies to comply with data protection rules. The EU’s 1995 directive allowed member states to interpret the rules as they saw fit when they turned it into local legislation. The nature of GDPR as a regulation, and not a directive, means it applies directly without needing to be turned into law, creating fewer variations in interpretation between member states. The EU believes this will collectively save companies €2.3 billion a year.
When did GDPR come into effect?
The GDPR has applied to organisations across the world since 25 May 2018. Because GDPR is a regulation, not a directive, the UK did not need to draw up new legislation – instead, it applied automatically.
Who does the GDPR apply to?
In short, GDPR applies to almost every organisation. If you control or process personal data relating to EU residents – whether they’re customers or your own staff – you now have to do so in a way that complies with GDPR.
Organisations don’t have to be based in the EU to be bound by GDPR. They only need to be processing or holding data on EU residents in order for GDPR to apply to them.
Depending on your role in collecting or processing that data, the regulation will view you as either a data controller or a data processor.
One method by which firms based outside the EU have avoided any GDPR preparation is to install location filters that block traffic from the EU. Since no data is then collected from EU citizens, GDPR need not be complied with. Prominent sites to engage in this practice include the LA Times.
What are data controllers and data processors?
A data controller defines the terms (how and why) of data processing but does not necessarily carry out these activities themselves. That means they might contract a third party to collect and process data – telling them how to do it, and stating what purpose they are doing it for.
A data processor is the third party that performs the actual data collection and data processing.
Do we need a data protection officer?
Any public body carrying out data processing needs to employ a data protection officer, as do companies whose core activities involve data processing that requires regular monitoring of individuals “on a large scale”, according to the GDPR legislation. Public bodies are at an advantage, in that several can share the same data protection officer. Organisations should give the contact details of this person to their data protection authority.
The data protection officer’s job is to inform and advise the organisation about meeting GDPR requirements, and to monitor compliance. They’ll also act as the data protection authority’s primary point of contact, and will be expected to cooperate with the authority.