Struggling to understand your obligations? Here’s a GDPR overview
A GDPR overview: an introduction to the regulation, what it means for businesses and individuals, and what GDPR compliance involves.
GDPR is the acronym commonly used for General Data Protection Regulation. Since its implementation in May 2018, it has become a very common acronym. Here’s an overview of this complex piece of legislation.
The GDPR unites all data protection legislation across the member states of the European Union. It also includes Switzerland, Norway, Liechtenstein and Ireland. The GDPR gives individuals more rights over their personal data, including what is used by companies, how it’s processed and who has access to it.
GDPR was implemented on 25 May 2018 and replaces the earlier Data Protection Directive (DPD) of 1995. The regulation was designed to work better for the modern world’s data use and practices, which are very different from those of the mid-90s.
Companies were first made aware of the impending changes in 2016, when GDPR was formally approved by the European Parliament. However, although the regulations have now been in place since 2018, many companies are still unclear on how it affects them. This means they’re at risk of fines.
GDPR is in place to monitor data processing by all businesses that target, sell to or communicate with people within the EU. This means GDPR legislation applies to businesses operating within the EU, and to businesses elsewhere in the world that target people in the EU. Under GDPR, any individual who has their data collected and processed by a business entity is called a ‘data subject’.
The company that collects personal data from data subjects is called a ‘data controller’. The company that is engaged as a third party to process that data is called a ‘data processor’. An example of a data processor is a payroll company that is contracted by the data controller to take the data the controller has collected from data subjects and process it for salary payments.
Violating the EU’s GDPR means maximum fines of $23 million (€20 million) or 4% of the company’s annual global turnover – whichever is higher.
The very first significant penalty came in January 2019, just seven months after GDPR came into force. This was Google’s €50 million fine, for hiding information from Android users that related to their data.
Later in 2019, the UK Information Commissioner’s Office (ICO), which implements the GDPR regulation in the UK, fined Marriott Hotels and British Airways for allowing user data to be compromised on a massive scale.
Regulators are now catching up on a backlog of data breaches, which will result in new fines throughout 2020 and beyond.
Every company that targets data subjects in the EU must ensure their data collection systems meet the GDPR requirements.
Companies must take initial steps to become compliant. After this they must integrate the key GDPR principles into their operations at every level.
Data must be collected legally. Users must be fully informed about how the company intends to treat the data. Data must then be kept secure and protected from breaches by the company.
To reach GDPR compliance, private companies and public authorities that regularly collect and process large amounts of data must employ a Data Protection Officer (DPO). The person in this position is legally obliged to oversee the company’s data activities.
Companies that handle specific categories of personal data, such as genetic data or biometric data, must also complete a Data Protection Impact Assessment (DPIA).
Every company must find its own path through GDPR compliance. There is no quick guide, as compliance is different for every company.