What is the General Data Protection Regulation (GDPR)?
Last updated on April 15th, 2020
The General Data Protection Regulation (GDPR) is a piece of EU legislation that came into force on the 25th of May, 2018. It changed the way companies are allowed to collect and process personal data about individuals within the EU, giving more rights to the individual and introducing stricter penalties for businesses that fail to comply.
Do companies outside the EU need to comply with GDPR?
Any company that processes the personal data of individuals in the EU needs to comply with GDPR, even if the company is located outside the EU. The trigger is where the data subjects are, not the company's location: offering goods or services to people in the EU, or monitoring their behaviour, brings a business into scope. This means that UK businesses will still need to comply post-Brexit, and companies in the Americas, Asia, Africa, Australia and even Antarctica will need to comply with GDPR if they process the data of anyone in the EU.
Why did the EU introduce GDPR?
The GDPR has been four years in the making, and one of the main reasons for its introduction is the changing ways companies are using personal data. Many companies such as Facebook, Google and other social networks swap access to people’s data for use of their services.
GDPR acted as a modernisation of the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998), which didn't account for the new ways companies were utilising personal data. Another driver behind GDPR was to give businesses a simpler, clearer legal environment to operate in, with one regulation applying across all member states.
Who does GDPR apply to?
This new legislation applies to both "controllers" and "processors" of personal data. A "controller" determines how and why personal data is processed, whereas a "processor" processes the data on the controller's behalf. It is the responsibility of the controller to make sure that its processors abide by data protection law, and the two must have a written contract in place. However, processors themselves have direct obligations too, including maintaining records of their processing activity and keeping the data secure.
What do businesses need to be aware of regarding GDPR?
The GDPR expands the definition of personal data considerably, in line with the types of data organisations collect about individuals.
Organisations must ensure that they process personal data lawfully, transparently and for a specified purpose. Where consent is the lawful basis relied on, it must come in the form of an active opt-in (pre-ticked boxes and silence do not count), and there must be a record of how and when an individual gave consent. That individual can withdraw their consent at any time, at which point processing that relied on it must stop and, unless another lawful basis applies, the data must be deleted.
Individuals have the right to ask for access to their data at "reasonable intervals", and the controller must respond to this request within one month (extendable by a further two months for complex or numerous requests, provided the individual is told why). Controllers can no longer charge individuals for this request unless it becomes manifestly unfounded, excessive or repetitive.
They also have “the right to be forgotten”. Individuals can demand that their data is deleted if it is no longer necessary for the original purpose it was collected. Furthermore, individuals can also demand the erasure of their data if they withdraw consent for data collection or if they object to processing activities.
Controllers must be able to provide an individual's personal data, at their request, in a structured, commonly used and machine-readable format, such as a CSV file, so that it can easily be transferred to another organisation. This right to data portability covers data the individual supplied and that is processed by automated means on the basis of consent or a contract. If an individual makes such a request, the controller has one month to comply.
What if I don’t comply with GDPR?
Penalties under the GDPR are much tougher than any data protection regulations we’ve seen before, so, if you haven’t done so already, you will want to prioritise preparations.
If you fail to obtain proper consent, ignore individuals' rights over their personal data, transfer data outside the EU without adequate safeguards, or ignore any of the other principles for processing data, then your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is higher.
There are also financial penalties for those who fail to report a data breach within the specified time period. If, upon becoming aware of a personal data breach, you do not notify your data protection authority within 72 hours (unless the breach is unlikely to result in a risk to individuals), then you could face a fine of up to €10 million or 2% of your global annual turnover, whichever is higher.
Currently, the maximum fine for a data breach under the Data Protection Act 1998 is £500,000. To date, the highest penalty issued has been £400,000, levied on TalkTalk in 2016 following its 2015 breach. However, had that breach occurred under GDPR, the fine could have increased to £59 million, a considerable jump.
This is just meant as a high-level overview of the key points of the new GDPR. Organisations should carry out their own research and seek professional advice on the steps they need to take to comply.