What You Need to Know About GDPR


Have you wondered what rights you have when it comes to data protection? In recent years, the General Data Protection Regulation has reshaped what counts as data protection and privacy. It applies to the UK and to the rest of the European Union and European Economic Area. Let’s take a look at what exactly the GDPR is and what rights you have.

What is the General Data Protection Regulation Really About?

The GDPR is all about the appropriate processing of personal data. When we talk about personal data, we are referring to somebody’s name, address, IP address and even cookies. There are going to be times when this information is collected and kept by businesses. The GDPR governs how those businesses use and store your personal data.

This legislation applies to companies known as controllers and processors of personal data. It sets out in detail the data protection principles that must be followed, as well as the rights available to every individual.

The GDPR began back in 2012. Although it did not come into effect until many years later, this is when the European Commission first started to make plans to change the legislation. They wanted to ensure that the European Union knew how to adapt to the digital age. It took almost four years to complete. It applies to all organisations operating in the European Union. In addition, the GDPR can also apply beyond this. For example, if you are a business based outside of the European Union but offering products or services to customers within the European Union, you will need to follow the rules of the GDPR. Otherwise, you will be in violation and subject to penalties.

The Key Principles of the GDPR

Article 5 of the legislation makes it clear that there are seven key principles that businesses should follow. Think of them as an overarching framework rather than a set of specific rules. The seven key principles are the following:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

For example, let’s take a look at two of these key principles in more detail.

Minimal Storage of Data

Any business should only collect the personal information that is necessary. In other words, customer data should be kept to the minimum needed for the transaction. The aim of the GDPR is to ensure that organisations do not store endless data on you, such as your political opinions or lifestyle choices.

Integrity and Confidentiality

It is essential that businesses take appropriate steps to protect customer data. This includes having security protections in place to prevent hackers or other threats from getting hold of sensitive information. Although the GDPR does not specify which security measures should be in place, it is up to businesses to make sure they are as well protected as they can be. For example, some basics include encrypting websites and pseudonymising data.
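To make the two measures above concrete, here is a small added example (not code from the article) showing what pseudonymisation and data minimisation look like in practice for a stored customer record. The field names, the allow-list of fields the transaction needs, and the sample record are all constructed for the illustration. Direct identifiers are replaced by a keyed HMAC token, so the original value cannot be recovered from the stored data without a key that is held separately, and fields the transaction does not need are simply never stored.

```python
import hmac
import hashlib
import secrets

# Constructed allow-list: the fields the business genuinely needs for the
# transaction. Anything not listed is dropped; that is data minimisation.
NEEDED_FIELDS = {"order_id", "email", "postcode", "item"}

# Direct identifiers that should not be stored in the clear; they are
# replaced by a keyed token instead.
DIRECT_IDENTIFIERS = {"email"}


def make_pseudonym(value: str, key: bytes) -> str:
    """Derive a stable, keyed token for a direct identifier.

    HMAC-SHA256 means the token cannot be linked back to the value without
    the key. Keeping that key apart from the data is the "additional
    information kept separately" that pseudonymisation relies on. The same
    value under the same key always gives the same token, so records can
    still be joined or de-duplicated.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256)
    return digest.hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a minimised copy of `record` with direct identifiers tokenised."""
    out = {}
    for field, value in record.items():
        if field not in NEEDED_FIELDS:
            continue  # not needed for the transaction: never stored
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = make_pseudonym(str(value), key)
        else:
            out[field] = value
    return out


# Constructed sample record carrying more than the transaction needs.
SAMPLE_RECORD = {
    "order_id": "A1001",
    "email": "Alice@Example.com",
    "postcode": "SW1A 1AA",
    "item": "book",
    "political_opinion": "undisclosed",
    "date_of_birth": "1990-01-01",
}

if __name__ == "__main__":
    # In a real deployment the key lives in a separate secret store,
    # never alongside the pseudonymised data.
    key = secrets.token_bytes(32)
    print(pseudonymise_record(SAMPLE_RECORD, key))
```

The design choice worth noting is the key: a plain unkeyed hash of an email address is easy to reverse by hashing candidate addresses, so it is not meaningful pseudonymisation. With the HMAC key stored apart from the records, whoever holds only the data cannot re-identify the customer, while the business can still match repeat customers by recomputing the token.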

More Protection and Rights for Individuals

Individuals now have a clear set of rights under the GDPR. Compared to previous legislation, there is more protection for individuals, with eight rights created by the new legislation. These are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights on automated decisions and profiling

The Consequences of Non-Compliance for Businesses

If businesses do not comply with the GDPR, this will not be ignored. In fact, you can expect to be hit by huge fines if you do not comply with the regulations. Therefore, making sure that you process an individual’s data in the right way will avoid any bad consequences. Fines can also be issued if a business does not have a data protection officer or if it suffers a security breach.

The amount of the fine a business receives is decided by the Information Commissioner’s Office, or the ICO, in the UK. Lesser offences can receive fines of up to €10 million or two percent of the company’s global turnover. Thus, smaller offences that may not seem that serious are in fact treated very seriously across Europe. The penalties are even larger for bigger breaches: businesses can be subject to fines of up to €20 million or four percent of their global turnover.

There is no doubt that the penalties for non-compliance are huge and could seriously affect businesses. It is interesting to note that under the previous legislation, the ICO could only make companies pay up to £500,000 for breaches.