What is General Data Protection Regulation in simple terms?


GDPR – the General Data Protection Regulation – is an incredibly important and wide-ranging piece of legislation and impacts every business.

The GDPR replaces the Data Protection Act of 2018 (DPA 1998) and is essentially the biggest sea-change for data protection in more than two decades.

When did the General Data Protection Regulation (GDPR) come into force?

While the buzz started a few years beforehand, the GDPR actually came into effect on 25 May 2018.

It’s far bigger and broader than the previous DPA, which means that GDPR compliance is more complicated.

In the simplest terms, the GDPR is designed to protect personal data linked to individuals. Of all the data protection laws that have been implemented, the GDPR is the first to give data subjects far more rights over the way in which any organisation processes personal data.

For businesses, the GDPR lays out a clear framework for exactly how to ensure that personal data breaches do not happen.

GDPR lays out a clear framework for data controllers to follow

By laying out a framework for the kinds of processes that data controllers must implement, the GDPR means that the chances of a personal data breach are far lower.

GDPR forces organisations of all kinds to create and follow robust processes with which to process data – whether this is particularly sensitive personal data, biometric data, or another of the special categories.

Crucially, the GDPR’s implementation is also designed to protect data subjects’ rights by ensuring consumer data is only ever given over to an organisation with express consent from the individual.

Differences between GDPR and previous data protection law

The major differences between GDPR and older data protection laws (such as the Data Protection Act 2018) surround the definition of personal data and the role of data controllers at a business.

Under GDPR, ‘personal data’ covers far more information connected with the data subject than ever before. Furthermore, data processors (any organisation that processes personal data for another business, such as outsourced financial services) are now legally obliged to comply with GDPR. This differs significantly from previous legislation, where they weren’t obliged to do so.

Legal obligations like this vastly change the role of the data processing firm and make it extremely high risk to fail to ensure compliance with the GDPR.

GDPR is more complex and wide-ranging than previous standard contractual clauses designed to avoid a data breach.

Other key differences between older legislation and GDPR

  • Unauthorised disclosure that contravenes a data subject’s data privacy is considered non-compliance under GDPR. When a data processor or any other organisation wants to use any information relating to the data subject, it must obtain explicit consent.

GDPR states that data subjects must opt-in and must be informed in clear and plain language exactly what they are opting for. Previously, the data subject would have to opt-out. In other words, the onus was on individuals to contact the data controllers and ask to be removed from mailing lists and any other processing of their personal data.

Since the GDPR was implemented, organisations must ask for consent from every data subject regarding their use of personal data from the very start.

  • Organisations that are based outside of the European Union, including third countries such as the UK post-Brexit, must comply with the GDPR to offer goods and services within the bloc.

Since the UK left the European Union and is no longer one of the EU member states, the UK GDPR has come into force. So far, this largely mirrors the EU’s GDPR under different supervisory authorities. However, the UK GDPR adds another layer of compliance for businesses inside and outside of the EU.

  • EU residents are protected by the data privacy frameworks outlined in the GDPR, which gives them far more protection from data processing decisions than under previous data privacy laws.
  • The General Data Protection Regulation (GDPR) demands that all seven of its major data protection principles are followed by all data controllers. This means that in order to fulfil the data protection compliance needs, they have to report any and all data breaches of personal data within strictly contained timeframes.
  • GDPR lays out a new piece of guidance called the ‘right to be forgotten’. This didn’t exist for personal data under previous laws for EU residents. It gives individuals far more protection for any sensitive personal data or sensitive information they may want control over.
  • Under the General Data Protection Regulation (GDPR), businesses are legally obliged to appoint a data protection officer. Every data protection officer is responsible for ensuring that all of the data protection rules under the GDPR are followed. Furthermore, the data protection officer is obliged to be able to prove that record keeping for personal data follows the right framework and that appropriate data protection impact assessments are delivered to ensure GDPR compliance. Without doing so, the data controller is also responsible for breaching the guidance and, under certain circumstances, could be subject to GDPR fines.
  • Strict rules are now in place for data protection measures and for how data protection officers should organise them. Importantly, failure to ensure GDPR compliance will result in much tougher penalties than any older data protection directive.

Information security is increased under GDPR

The data protection measures under GDPR impact every business at every level. Firms that act as data controllers must have data protection officers in place, and as it impacts cross-business contracts, lots of departments need to be involved.

Furthermore, everyone at the company itself must understand the data protection directive (GDPR) and how it impacts every piece of personal data that the organisation collects and processes.

GDPR compliance will affect every business sector, but there is, of course, more impact for some than for others: for example, consumer-facing organisations, any business that trades with other international organisations, and e-commerce organisations that rely on utilising massive tracts of personal data.

A closer look at GDPR personal data and what is included in this category

Personal data under the GDPR, according to the directive’s own definition, relates to:

“… any information relating to an identified or identifiable natural or legal person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

This personal data definition from the GDPR is rather difficult to understand at first reading. It means, essentially, that if the data gathered identifies one or more persons, then it is subject to GDPR.

The kinds of things that can be considered as identifiers to that person include location data, a cookie or an IP address. This is an important point to understand. Personal data does not have to be identifiable by a name to be covered by GDPR compliance.

When can data controllers process personal data under GDPR?

According to the GDPR, for the processing of personal data to be considered lawful, fair and transparent across EU member states, one of the following criteria must be fulfilled:

  1. The individual has given specific and informed consent.
  2. The processing by the data controller is considered vital to fulfilling a contract with the data subjects.
  3. The processing by data controllers is considered necessary to comply with the data controller’s legal obligation, to protect the vital interests of the person involved, in order to carry out a task that is considered in the public interest or for the legitimate interests of the data controllers. This last point doesn’t apply if it’s overtaken by the rights of the data subjects themselves.

Special categories of personal data and GDPR

Personal data under GDPR also includes various special categories, such as sensitive data pertaining to religious beliefs. Other special categories include the data subject’s political beliefs, membership of trade unions, any biometric or genetic data, and data linked to sex life or orientation or to the subject’s physical or mental health.

The personal data can be used again and processed for a brand-new purpose only if the new purpose is considered compatible with the original purpose under which the data was collected. This is subject to appropriate safeguards such as pseudonymised data.

The data protection regulation (GDPR) for businesses

The GDPR has changed the way in which businesses collect and process personal data. It has forced businesses to carefully consider under which lawful basis they want to process data under the General Data Protection Regulation.

Businesses now have to be far more thorough and rigorous in every dealing with personal data and must be fully aware of the kinds of rights data subjects now have under the General Data Protection Regulation.

A closer look at consent under the GDPR

As we’ve explained, consent surrounding personal data is extremely important for GDPR compliance.

If a data protection officer doesn’t follow the GDPR guidelines and establish clear lawful reasons for the data processing, then they will not achieve GDPR compliance.

But what does the GDPR specifically say about consent? The definition is:

“Consent of the data subject means any freely given, specific informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In plain English, this means that consent is more important under GDPR than under previous data protection rules affecting EU residents. The UK GDPR follows the same definitions surrounding information security as the EU GDPR. This means that for data subjects, the issue of consent is the same.

Automated decision-making and consent under GDPR

The GDPR strengthens the meaning of consent from data subjects compared with older directives. Those involved with data processing must give the data subjects an increased amount of control and choice over the way in which data processing is carried out.

This means that it’s not enough under GDPR to get a single piece of consent for data usage, but that it’s an ongoing issue. Appropriate security must be in place to protect data subjects’ rights. The data controllers must communicate issues of consent using an easily accessible form every time and must constantly monitor compliance with GDPR.

In other words, the consent that data subjects give must be genuine under GDPR. If it is found that consent has not been freely given, then public authorities can restrict processing under certain circumstances.

Furthermore, consent may be deemed invalid by the supervisory authority if there is an imbalance of power between the data subject and the data processor. This would then lead to the consent being deemed non-compliant by the supervisory authority and potential criminal convictions for the organisation.

The Information Commissioner’s Office is clear that consent must be obtained again if the data usage is different to the first time it was obtained. They say that this would mean the consent is “misleading and inherently unfair”.

Information security is key to avoiding a GDPR data breach

Failing to properly understand the GDPR and the data protection obligations it contains puts businesses at a high risk of non-compliance.

Non-compliance means the possibility of fines or other penalties for breaching GDPR and member state law.

Five years after GDPR was introduced, and with UK GDPR more clearly defined, data protection authorities expect businesses to be fully compliant. GDPR is a more complex and wide-ranging framework than previous data protection laws and, as such, demands much more from the organisation that wants to process a data subject’s personal data.
