The General Data Protection Regulation (GDPR) is a regulation established by the European Union (EU) that strengthens and unifies data protection for individuals within the EU and since the UK’s exit from Europe also the UK. It came into effect on May 25, 2018 and applies to any company that processes the personal data of both UK and EU citizens, regardless of where the company is located. Business owners must comply with GDPR regulations if they collect, store, or use the personal data of EU citizens.
This includes obtaining explicit consent for the collection and use of personal data, ensuring the security of collected data, and promptly reporting data breaches. Penalties for non-compliance can be significant, up to 4% of a company's global revenue or €20 million (whichever is higher).
GDPR applies to any company, regardless of location, that processes the personal data of EU and UK citizens. This includes companies that operate within the EU and UK as well as companies outside of the EU and UK that offer goods or services to EU citizens or monitor their behavior. It applies to any company that processes personal data, including but not limited to:
- Companies that collect personal data through their website or mobile app
- Companies that use personal data for marketing or advertising purposes
- Companies that process personal data for HR or payroll purposes
- Companies that use personal data for R&D or product development purposes
- Companies that use personal data for financial transactions or fraud prevention
In summary, GDPR applies to any company that processes the personal data of EU and UK citizens, and it applies regardless of the company's location.
The General Data Protection Regulation (GDPR) has several key principles, which are as follows:
Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
Purpose limitation: Personal data must be collected for specific, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes.
Data minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy: Personal data must be accurate and, where necessary, kept up to date.
Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability: The controller is responsible for, and must be able to demonstrate compliance with, the principles listed above.
Data subject rights: GDPR also grants certain rights to data subjects, including the right to access their personal data, the right to have inaccurate personal data rectified or erased, the right to object to the processing of their personal data, and the right to data portability.
These principles must be integrated into the businesses’ processes and systems, and the companies must demonstrate compliance with these principles.
Under the General Data Protection Regulation (GDPR), personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This definition of personal data is quite broad, and includes a wide range of information, such as:
- Name and contact information (e-mail address, phone number, postal address)
- identification numbers (e.g. national ID, passport number)
- location data (e.g. IP address)
- online identifiers (e.g. cookies, social media handles)
- genetic and biometric data
- economic, cultural and social information
- health data
- any other information that could be used to directly or indirectly identify a person.
It's important to note that GDPR applies not only to personal data that a company holds on its own servers, but also to personal data that it processes on behalf of others, such as data processed by a cloud service provider.
Cookies and the ePrivacy Directive (also known as the EU Cookie Law) are related to the General Data Protection Regulation (GDPR) in that they both pertain to the collection and use of personal data online.
Cookies are small files that are placed on a user's device when they visit a website. They are used to track user behavior and preferences, as well as to personalise the user's experience on the website. GDPR applies to the personal data collected via cookies, and companies must obtain explicit consent from users before placing cookies on their devices.
The ePrivacy Directive is a separate EU regulation that specifically addresses the use of cookies and similar technologies, and it requires websites to obtain informed consent from users before storing or accessing information on their device. The ePrivacy Directive applies in addition to GDPR, but it’s currently under review and it's expected to be replaced by a new ePrivacy Regulation that will be aligned with the GDPR.
In summary, GDPR and the ePrivacy Directive/Regulation both relate to the collection and use of personal data online, with GDPR providing the general framework for data protection and ePrivacy Directive/Regulation providing specific rules on cookies and similar technologies. Companies must comply with both regulations, and must ensure that their cookie consent mechanisms meet the requirements of both GDPR and the ePrivacy Directive/Regulation.
A General Data Protection Regulation (GDPR) breach refers to a failure to comply with any of the regulations set forth in the GDPR, resulting in a violation of the rights of UK and EU citizens.Some examples of GDPR breaches include:
- Failure to obtain explicit consent for the collection or use of personal data
- Failure to provide data subjects with access to their personal data
- Failure to promptly report a data breach to the appropriate authorities
- Failure to implement appropriate security measures to protect personal data
Fines for GDPR breaches can be significant. Under GDPR, there are two tiers of administrative fines that can be imposed for non-compliance:
- Up to €10 million, or 2% of the company's global annual revenue for the preceding financial year (whichever is higher) for less severe breaches such as failure to appoint a Data Protection Officer (DPO) or failure to carry out a data protection impact assessment (DPIA).
- Up to €20 million, or 4% of the company's global annual revenue for the preceding financial year (whichever is higher) for more severe breaches such as failure to obtain valid consent or unauthorised data processing.
In addition to fines, GDPR also allows for other sanctions, such as warning, reprimand, prohibition of processing or limitation of processing, blocking of data and suspension of data flows, and even in some cases, limitation or prohibition of the activity of the controller or processor.
It's important to note that GDPR fines are issued by the Supervisory Authority of the member state where the company has its main establishment or where the violation took place.
And that the fines will be imposed on the company, but also can be imposed on the DPO or the representative of the company.