Guide to the GDPR Regulations & Compliance

Information about the General Data Protection Regulation (GDPR) and an explanation of what GDPR compliance involves.

The GDPR

Welcome to gdpreu.org, a site dedicated to information on the General Data Protection Regulation (GDPR) and GDPR compliance.

What is the GDPR?

Data drives our world. Everything that is shared online is stored somewhere. Whether it is a selfie uploaded to Instagram or a transaction to book a holiday, your data is collected and processed.

Each company that collects, stores, handles or otherwise processes this data is legally responsible for protecting it. To hold businesses accountable, new privacy laws have come into force around the world over the last few years. The GDPR is the best known of them, and while the text itself is long and complex, the principles behind compliance are not difficult to understand.

What is GDPR compliance?

The European Union (EU) adopted the GDPR in April 2016, and it became applicable on 25 May 2018, replacing the 1995 Data Protection Directive. Although it is EU law, it affects businesses globally and sets a strict new standard for data protection.

Compliance with the GDPR refers to the steps organisations are obliged to take to follow the legislation. The regulation tells organisations of every size what they are, and are not, allowed to do with personal data, and what they must be able to demonstrate to a regulator.

For individuals, a strong understanding of GDPR means retaining more control over their online life. For businesses, complying with GDPR means avoiding heavy penalties for not doing so.

What are GDPR breaches?

Personal data is a broad term: under Article 4(1) it covers any information relating to an identified or identifiable natural person. Examples include a name, passport number, date of birth, social media posts, location or geotagging data, and online identifiers such as IP addresses or cookie IDs. Some categories, such as health records, religious beliefs and political opinions, are "special category" data under Article 9 and carry additional restrictions.

A personal data breach under the GDPR (Article 4(12)) is not only the loss of data: it is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. A ransomware incident that encrypts records, a misdirected email, or an exposed database all qualify, not just a theft. Controllers must notify their supervisory authority of a breach within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals (Article 33), and must inform the affected individuals where the risk is high (Article 34).

The Equifax breach of 2017, in which attackers exploited an unpatched web application vulnerability and exposed personal data of roughly 146 million consumers, is one example of a data breach with severe real-world consequences.

Another involved the political consultancy Cambridge Analytica, which obtained profile data from as many as 87 million Facebook users, harvested without their consent through a third-party quiz app, and used it for political profiling, including work for the 2016 Trump campaign. The scandal led to Facebook founder Mark Zuckerberg facing two days of questioning before the US Congress in April 2018.

Both incidents led to regulatory penalties. Note, however, that they occurred before the GDPR became applicable, so the fines imposed (for example, the UK ICO's £500,000 penalties on both Facebook and Equifax Ltd) were issued under the previous Data Protection Act 1998, which capped fines at that amount. The same conduct today would fall under the GDPR's far higher penalty ceiling, and any company that processes the personal data of individuals in the European Union is subject to it.

What is the GDPR territorial reach?

A key difference between the GDPR and the legislation it replaced (the Data Protection Directive 95/46/EC) is its scope. Article 3 says the GDPR applies to processing carried out in the context of the activities of a controller or processor established in the EU, regardless of whether the processing itself takes place inside or outside the EU. It also applies to controllers and processors with no EU establishment at all, where their processing relates to offering goods or services to individuals in the EU or to monitoring the behaviour of individuals in the EU.

This means that there are two main groups of entities that must comply with the GDPR:

  1. Organisations established within the EU.
  2. Organisations established outside the EU that offer goods or services to individuals (data subjects) in the EU, or that monitor the behaviour of individuals in the EU, for example through web tracking or profiling.

Because of the second group, many firms with no presence in the EU, such as online retailers shipping to EU customers or websites that track EU visitors, still need to comply with the GDPR.

GDPR fines – what are the penalties?

The GDPR sets two tiers of maximum administrative fine (Article 83). For the most serious infringements, such as breaching the basic principles for processing, the conditions for consent or data subjects' rights, the fine can be up to whichever is higher of:
• 4% of the company's total worldwide annual turnover for the preceding financial year.
• 20 million euros.

A lower tier, for infringements such as failing to keep adequate records, to notify a breach or to appoint a data protection officer where required, carries a maximum of 2% of worldwide annual turnover or 10 million euros, whichever is higher. These are ceilings, not fixed amounts: regulators weigh factors such as the nature and duration of the infringement, whether it was negligent or intentional, and the mitigating steps taken.

Penalties and fines are imposed by the supervisory authority of each EU member state (and, post-Brexit, by the UK under its own UK GDPR). In the UK, for example, the Information Commissioner's Office (ICO) is the independent regulator responsible for data protection enforcement.

High profile companies that have already been given GDPR penalties include:

  1. Google was fined 50 million euros (about $57 million) by the French regulator CNIL in January 2019 for a lack of transparency and valid consent in the way it presented information about personalised advertising to users setting up new Android devices, leaving them without a clear picture of how their data was used.
  2. Marriott Hotels received a notice of intent from the ICO in July 2019 for a fine of £99 million (about $123 million) after failing to adequately secure and review the legacy reservation system of a hotel chain it had acquired (Starwood Hotels). That system had been compromised since 2014, exposing the records of approximately 339 million guests; the final penalty, issued in October 2020, was reduced to £18.4 million.
  3. British Airways received a notice of intent from the ICO in July 2019 for a fine of £183 million (about $230 million) after attackers diverted traffic from its booking website and harvested the payment and personal details of around half a million customers. The final penalty, issued in October 2020, was reduced to £20 million.

Small businesses are held to the same core standards under the GDPR. The main concession is that organisations with fewer than 250 employees are exempt from some record-keeping obligations under Article 30(5), unless their processing is high-risk, regular, or involves special category data.

GDPR exemptions

There are some exemptions from the GDPR. For example, Article 2(2)(c) says it does not apply to processing by a natural person in the course of a purely personal or household activity, such as keeping a private address book. Processing for national security and certain law enforcement purposes is also carved out (Article 2(2)(a), (b) and (d)).
