The GDPR came into effect in May 2018, and it was the first major update to European data protection laws in 20 years. It stands for General Data Protection Regulation. Put simply, GDPR gives individual people more control over what organisations do with our personal information, such as names, addresses, birthdays, or health records. It applies to all businesses operating within EU jurisdiction.
In the UK, the GDPR is also supplemented by the 2018 Data Protection Act, which fills in further details not specified by the GDPR. Most other EU countries have a similar act, to build upon the GDPR for their own country’s needs.
The main aim of the law is to promote transparency and accountability, and to give individuals control over their data. This can help companies to build trust with their users and to reduce the risk of cyber attacks.
What do organisations need to do to become GDPR compliant?
There are six data processing principles that organisations must comply with.
Data must be:
- Processed lawfully and in a transparent manner
- Collected for specific, explicit and legitimate purposes
- Relevant and limited to what’s necessary
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security
There are also only six scenarios in which it is legal to process personal data:
- If it’s necessary to meet contractual obligations
- To comply with legal obligations
- To protect the data subject’s interests
- For tasks in the public interest
- For legitimate interests pursued by the data collector
- If the data subject gives explicit consent (the subject may withdraw consent at any time, and it must be easy for them to do so).
These principles and reasons must be well documented, and the data subject should receive a privacy notice as part of their right to be informed about what is happening with their data.
Data security is an important part of GDPR compliance too. Organisations must have appropriate organisational and technical measures in place to protect personal data, and must ensure that any third-party organisations that process this data on their behalf are secure too. It is also now mandatory to inform affected customers or users if the organisation has suffered a data breach that could have compromised the security or anonymity of their personal data.
If an organisation fails to comply with GDPR, the penalties can be harsh: fines of up to 20 million euros or 4% of annual turnover, whichever is higher. Since 2018, several such fines have been handed out. Marriott Hotels were fined £18 million for failing to keep guest records safe, and Reliance Advisory was fined £250,000 for making 1.1 million marketing calls to consumers without consent.
Why did GDPR need to be introduced?
The EU’s old data privacy laws were written in the early days of the internet, long before smartphones and social media companies started collecting data about our every action. GDPR gives organisations guidelines that put users back in control of what data is collected about them, how it is used, and when it is erased.
Standardising data protection law throughout the EU also has the benefit of giving businesses a clearer legal environment in which to operate. When trading across Europe, companies now only need to deal with one law rather than dozens. The EU has estimated that doing away with this excess red tape will save over 2 billion euros a year. It will also become cheaper and simpler for businesses outside the EU to conduct business in Europe.
Primarily, these laws are designed to build trust between organisations and their users, and to help organisations identify any possible risks to data security within the company. The GDPR requires companies to ensure that their current systems, policies and procedures are adequate to protect sensitive data and guard against cyber attacks, and to re-evaluate this on an ongoing basis.