Guide to the GDPR Regulations & Compliance
Information about the General Data Protection Regulation (GDPR) and an explanation of GDPR compliance.
Welcome to gdpreu.org, a site dedicated to information on the General Data Protection Regulation (GDPR) and GDPR compliance.
Data drives our world. Everything that is shared online is stored somewhere. Whether this is a selfie uploaded to Instagram or a transaction to buy a holiday, your data is taken and processed.
Each company that collects, stores, handles and processes this data is legally responsible for keeping it safe. To hold businesses accountable, new privacy laws have come into force globally over the last few years. GDPR is the best known, and while it is complex in form, the principles of compliance are not difficult to understand.
The European Union (EU) introduced new data protection legislation on 25 May 2018. This law was passed in Europe but affects businesses at a global level and sets a strict new standard for data protection.
Compliance with GDPR refers to the steps companies are obliged to take to follow the legislation. The regulations tell companies of every size what they are allowed to do with personal information.
For individuals, a strong understanding of GDPR means retaining more control over their online life. For businesses, complying with GDPR means avoiding heavy penalties for not doing so.
Personal data is a broad term that covers any information that can be used in some way to identify an individual. Examples include name, passport number, date of birth, social media posts, geotagging data, health records, religion and political opinions.
A breach under GDPR refers to any incident that causes the loss of personal data. This could be a hack, such as the Equifax data breach in 2017, which leaked the personal data of 146 million consumers. This is just one example of a data breach with severe real-world consequences.
Another involved the political consultants Cambridge Analytica secretly giving personal data from 50 million Facebook accounts to the Trump campaign in 2016. This led to Facebook founder Mark Zuckerberg facing two days of questioning before Congress.
These are high-profile examples of data breaches that led to penalties, including fines. Any company that uses personal information from data subjects living in the European Union is subject to the same legislation that these businesses contravened.
A key difference between the GDPR and the piece of legislation it replaced (Data Protection Directive of 1995) is its scope. GDPR Article 3 says that GDPR applies to data processing by a controller or processor in the EU, even if the processing of the data takes place outside of the EU.
This means that there are two main groups of entities that must comply with the GDPR:
Point number two means that most firms around the world will need to comply with the GDPR.
GDPR fines for not complying with the regulations are whichever is higher of the following:
• 4% of the company’s annual global turnover.
• £18,225,000 (20 million Euros or $23 million).
Penalties and fines are enforced by the regulatory authority of each region. For example, in the UK, the ICO is the independent regulatory body for GDPR compliance.
High profile companies that have already been given GDPR penalties include:
Small businesses are held to the exact same standards under GDPR.
There are some exemptions to GDPR. For example, GDPR Article 2(2)(c) says that it does not apply to data processing carried out by an individual at home for purely personal reasons.