
GDPR is a data protection law that almost every organisation handling personal data must comply with. Data protection is the practice of safeguarding personal information from loss, damage, unauthorised access or misuse. Failing to comply can lead to substantial fines. Here's our guide on what GDPR is, who it applies to, and the rules organisations must follow.
Defining GDPR
The EU General Data Protection Regulation (GDPR) is a strict privacy law specifying how personal data may lawfully be processed, including how it is collected, stored, used and shared. Its purpose is to strengthen the protection of every individual's personal data.
Before we explain more about GDPR, there are some terms to be aware of in relation to the data protection law, including:
- Data controllers: The organisations or individuals that determine the purposes and means of processing personal data. Data controllers are responsible for ensuring any data processing activities comply with GDPR.
- Data processors: These individuals/entities process personal data on behalf of data controllers. They are bound by GDPR and must implement security measures to protect the data.
- Data subjects: GDPR intends to protect the rights and privacy of individuals, referred to as data subjects. Any individual whose personal data is collected and processed by an organisation falls under the rules of GDPR.
Failure to comply
If your organisation fails to comply with GDPR, it can face fines of up to €20 million (£17.5 million under the UK GDPR) or 4% of its total worldwide annual turnover, whichever is higher.
What counts as personal data?
Personal data is any information relating to an identified or identifiable living person. If someone could identify an individual, directly or indirectly, from the information you're processing (on its own or combined with other data), you're dealing with personal data.
The following are examples of personal data:
- Full name, address, contact details, biometric data and date of birth (basic identification information).
- IP address, location data and cookie ID (online identifiers).
- Patient records and medical history (health data).
- Sexual orientation, religious beliefs and political opinions.
- Bank account details and card numbers (financial data).
Health data, biometric data used to identify someone, sexual orientation, and religious or political beliefs are "special category" data under GDPR and can only be processed under stricter conditions.
Personal data also includes information that only identifies someone when combined with other data. A postcode and a date of birth, for instance, may each be harmless alone but together can single out one individual.
Pseudonymised data, such as records where names have been replaced with a token or encrypted, is still personal data as long as someone holds the key or lookup table that reverses it. Only data that has been genuinely and irreversibly anonymised, so that no individual can be identified by any means reasonably likely to be used, falls outside GDPR.
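To make the distinction between pseudonymised and anonymised data concrete, the following is an added example (not code from the original article). It pseudonymises a few constructed, fictitious records with a keyed HMAC, shows that whoever holds the key can re-link the tokens to people (so the output is still personal data), and contrasts that with stripping and coarsening the identifiers so that no key exists to reverse it. The record fields, key and helper names are all assumptions made for the illustration; whether the "anonymised" output is truly anonymous in practice also depends on how many people share each remaining value, which this small example does not assess.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample records with fictitious people; not taken from the page.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"email": "bob@example.org", "postcode": "M1 1AE", "diagnosis": "diabetes"},
]


def _token(key: bytes, email: str) -> str:
    """Stable keyed token for an identifier: same key + same email -> same token."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace the direct identifier (email) with an HMAC token.

    Records stay linkable to each other and, for anyone holding `key`,
    to the person. That is pseudonymisation, and the output is still
    personal data under GDPR.
    """
    return [
        {"subject_id": _token(key, r["email"]),
         "postcode": r["postcode"],
         "diagnosis": r["diagnosis"]}
        for r in records
    ]


def reidentify(pseudonymised, known_emails, key: bytes):
    """Re-link tokens to people by recomputing them over a list of known
    emails (e.g. the controller's customer table). Without the right key
    every lookup fails and `email` comes back as None."""
    lookup = {_token(key, e): e for e in known_emails}
    return [{**r, "email": lookup.get(r["subject_id"])} for r in pseudonymised]


def anonymise(records):
    """Drop the direct identifier entirely and coarsen the quasi-identifier
    (full postcode -> postcode area letters). No key or table maps back,
    so this is the kind of transformation GDPR means by anonymisation.
    (Simplification: real anonymisation also has to check that the remaining
    values do not single out individuals in a small population.)"""
    out = []
    for r in records:
        outward = r["postcode"].split()[0]
        area = re.match(r"[A-Za-z]+", outward).group().upper()
        out.append({"region": area, "diagnosis": r["diagnosis"]})
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # the controller's pseudonymisation key
    p = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised:", p)
    print("re-identified with key:", reidentify(p, [r["email"] for r in SAMPLE_RECORDS], key))
    print("re-identified with wrong key:", reidentify(p, [r["email"] for r in SAMPLE_RECORDS], b"wrong"))
    print("anonymised:", anonymise(SAMPLE_RECORDS))
```

The practical consequence for a security team is that a pseudonymised dataset shared with an analytics vendor still needs a processing agreement, a lawful basis and breach handling, and the HMAC key (or any equivalent mapping table) must be protected as strictly as the original identifiers, because losing the key and the dataset together is a personal data breach.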
When did GDPR come into effect?
GDPR was adopted in April 2016. Lawmakers gave organisations a two-year transition period to revamp their policies and practices before enforcement began. On 25 May 2018, GDPR became fully applicable.
Data Protection: A History
Data protection law in Europe goes back more than 70 years.
1948
The Universal Declaration of Human Rights was adopted, recognising the right to privacy as a fundamental right.
1950
The European Convention on Human Rights of 1950 gave people in its signatory states a right to respect for their private and family life. This was a significant stepping stone towards robust data protection laws.
1995
Then came the EU Data Protection Directive, which regulated data privacy at a time when the Internet was a relatively new concept and businesses were not collecting or processing personal data in the volumes they do today. It's important to note that a "directive" sets goals that each member state must transpose into its own national law, whereas a "regulation" is directly applicable in every member state without national legislation.
2012
The European Commission concluded that the Directive was no longer enough to protect data, especially across borders. Websites were collecting user data at an unprecedented rate, making the existing rules insufficient. So a new regulation was proposed, the most directly binding form of EU law.
2016
GDPR was approved by the European Parliament and the Council in April 2016 after four years of negotiation.
2018
After the two-year transition period, the EU GDPR became applicable in May 2018, replacing the 1995 Data Protection Directive. At the same time, the UK introduced the Data Protection Act 2018, which sits alongside GDPR.
Who does GDPR apply to?
The European Commission states that GDPR applies to:
- "a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed"; or
- "a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU."
This covers government agencies, non-profit organisations, and private and public companies alike.
GDPR affects organisations of every size. A small or medium-sized enterprise (SME) that processes any personal data must comply. It doesn't matter if you're based outside the EU: if you offer goods or services to, or monitor the behaviour of, individuals in the EU (and, under the UK GDPR, the UK), GDPR applies to you regardless of the individuals' citizenship.
What is GDPR Compliance?
GDPR compliance means organisations must process personal data in a lawful, fair, and transparent manner.
Here are the requirements to help ensure your organisation is GDPR compliant, as set out in the regulations.
1. You have a legal basis for processing data
You must have at least one lawful basis for each processing activity. The six bases are:
- Consent: the data subject has given consent for one or more specific purposes.
- Contract: processing is necessary to perform a contract the data subject is party to, or to take steps at their request before entering into one.
- Legal obligation: processing is necessary to comply with a legal obligation to which the data controller is subject.
- Vital interests: processing is necessary to protect the life of the data subject or another person.
- Public task: processing is necessary to carry out a task in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests: processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests, rights and freedoms of the data subject (particularly where children are involved).
2. Consent
If you rely on consent as the lawful basis for processing, the data controller must obtain verifiable consent from the user before processing their data and be able to demonstrate it later.
Organisations must be transparent about why they are collecting data, and consent must be freely given, specific, informed and unambiguous. It has to be a clear affirmative action, such as ticking an unticked box; pre-ticked boxes, silence or inactivity do not count. Users must be told they can withdraw consent at any time, and withdrawing it must be as easy as giving it was.
Where online services are offered directly to children, verifiable consent from a parent or guardian is required for children under 16 (member states may lower this to 13, and the UK has done so), unless the service is a preventative or counselling service.
3. User rights
GDPR aims to enhance the rights users have over their personal data, providing greater control and transparency over their information.
The rights:
- The right to be informed - Organisations must tell users what data they collect, why, on what lawful basis, for how long, and with whom it is shared. This is usually provided as a privacy notice or policy.
- The right of access - Users can ask whether their data is being processed and, if so, obtain a copy of it along with details of the purposes, recipients, retention period and source of the data. This is commonly called a subject access request, and must normally be answered within one month.
- The right to rectification - Users can have inaccurate data corrected and incomplete data completed. The controller must also pass the correction on to each recipient the data was disclosed to, unless this proves impossible or involves disproportionate effort.
- The right to object - Users can object to processing based on legitimate interests or a public task on grounds relating to their particular situation; the controller must then stop unless it can show compelling legitimate grounds. Where data is processed for direct marketing, the user can object without giving any reason and the controller must stop.
- The right to data portability - Where processing is based on consent or a contract and carried out by automated means, users can obtain their data in a structured, commonly used, machine-readable format and have it transmitted to another controller without hindrance. This right applies to personal data only, not to genuinely anonymous data.
- The right to erasure - Users can ask for their data to be deleted when it is no longer needed for its original purpose, when they withdraw consent (and no other lawful basis applies), when they object and there are no overriding grounds, or when the data has been processed unlawfully.
- The right to restrict processing - Users can require processing to be paused while they contest the accuracy of their data or their objection is being considered, where processing is unlawful but they prefer restriction to erasure, or where the controller no longer needs the data but the user needs it for a legal claim.
- Rights relating to automated decision-making and profiling - Users have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, unless it is necessary for a contract, authorised by law, or based on their explicit consent.
4. Cross-border data transfers
GDPR allows personal data to be transferred outside the European Economic Area (EEA) only under set conditions. The simplest route is an adequacy decision, in which the European Commission confirms that the destination country offers a level of protection essentially equivalent to the EU's. Where no adequacy decision exists, transfers may still be allowed with appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), and the exporter is expected to check that the safeguard actually works in practice in the destination country.
5. Privacy by design & default
To comply with GDPR, data protection must be built into an organisation's processes and systems from the start of design and development, not bolted on afterwards. By default, only the personal data necessary for each specific purpose should be collected, processed, stored and made accessible, and the most privacy-protective settings should apply without the user having to change anything. Measures must be in place to keep processing compliant across the whole data life cycle, from collection to deletion.
6. Breach notification
Should your organisation suffer a personal data breach, the data controller must notify the Supervisory Authority (the independent public authority that monitors the application of data protection law) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If notification is late, the reasons for the delay must be given. A data processor that discovers a breach must inform its controller without undue delay.
If the breach is likely to result in a high risk to individuals, the controller must also tell the affected users without undue delay; there is no fixed 72-hour limit for this, but it should happen as soon as reasonably possible. That notification is not required where the data was rendered unintelligible to unauthorised parties, for example through encryption with a key that was not itself compromised, or where later measures mean the high risk is no longer likely to materialise.
7. Data protection officers
Appointing a Data Protection Officer (DPO) is mandatory if you are a public authority or body (other than a court acting in its judicial capacity), if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special category data or criminal conviction data. Other organisations may appoint one voluntarily. The DPO assists the controller or processor in monitoring internal GDPR compliance, oversees data protection strategy and implementation, advises on DPIAs, and acts as the contact point for the Supervisory Authority and data subjects.
8. Records of processing activities
GDPR requires both controllers and processors to keep up-to-date records of their processing activities, covering the purposes of processing, the categories of data and data subjects, recipients, international transfers, retention periods and the security measures applied. These records can be in paper or electronic form and must be made available to the Supervisory Authority on request.
Organisations with 250 or more employees must always keep these records. Smaller organisations are exempt unless their processing:
- Is not occasional.
- Is likely to result in a risk to the rights and freedoms of individuals.
- Involves special category data or criminal conviction data.
In practice, most organisations meet at least one of these conditions (routine payroll or customer records are not occasional), so the exemption rarely applies.
9. Data protection impact assessment
A data protection impact assessment (DPIA) is a tool that helps organisations identify and minimise the data protection risks of a project and work out the most effective way of meeting their obligations. It also helps ensure you meet individuals' expectations of privacy.
You must carry out a DPIA before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale processing of special category data, systematic monitoring of public areas, or the use of new technologies. If the DPIA shows a high residual risk you cannot mitigate, you must consult the Supervisory Authority before processing.
What Are the GDPR Regulations?
If you process personal data, you must do so according to the seven data protection principles set out in Article 5 of GDPR. These are:
- Lawfulness, fairness, and transparency: Data processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: Data must be processed for legitimate purposes which were explicitly specified to the data subject upon collection.
- Data minimisation: You should only collect and process as much data as strictly necessary for the purposes specified.
- Accuracy: You must ensure personal data is accurate and, where necessary, kept up to date, and correct or erase inaccurate data without delay.
- Storage limitation: You may keep personal data in a form that identifies individuals only for as long as strictly necessary for the specified purpose.
- Integrity and confidentiality: Data processing must ensure appropriate security, integrity, and confidentiality.
- Accountability: The data controller is responsible for demonstrating GDPR compliance, ensuring all the above principles are met.
How to Ensure Your Organisation is GDPR Compliant
Here’s a GDPR compliance checklist to help ensure your organisation meets GDPR standards and regulations.
- Map the personal data your organisation holds. Where is it stored? Who has access to it? What is the lawful basis and retention period for each category?
- Appoint a Data Protection Officer (DPO) where GDPR requires one, or designate someone responsible for data protection if it does not.
- Secure your website and systems (TLS, patching, access control, logging) to protect your users' data, and have a tested breach response plan that can meet the 72-hour notification window.
- Create a clear, complete privacy notice (or update the one you already have).
- Get valid opt-in consent for email marketing, and keep a record of it.
- Update internal policies to describe how personal data is handled, retained and deleted.
- Check that website forms link to the privacy notice and make any optional processing a genuine opt-in.
- Make withdrawing consent and unsubscribing as easy as signing up.
- Review your data processors and third-party services, and make sure a written data processing agreement is in place with each.
- Add a cookie consent mechanism if your website sets non-essential cookies, and do not set them until consent is given.