What is GDPR exactly?
Kosha Doshi:
GDPR can be considered as the world’s strongest set of data protection rules, which enhance how people can access information about them and places limits on what organisations can do with personal data. The full text of GDPR is an unwieldy beast, which contains 99 individual articles.
The regulation exists as a framework for laws across the continent and replaced the previous 1995 data protection directive. The GDPR’s final form came about after more than four years of discussion and negotiations – it was adopted by both the European Parliament and European Council in April 2016. The underpinning regulation and directive were published at the end of that month.
GDPR came into force on May 25, 2018. Countries within Europe were given the ability to make their own small changes to suit their own needs. Within the UK this flexibility led to the creation of the Data Protection Act (2018), which superseded the previous 1998 Data Protection Act.
The strength of GDPR has seen it lauded as a progressive approach to how people’s personal data should be handled and comparisons have been made with the subsequent California Consumer Privacy Act.
Who does GDPR apply to?
At the heart of GDPR is personal data. Broadly this is information that allows a living person to be directly, or indirectly, identified from data that’s available. This can be something obvious, such as a person’s name, location data, or a clear online username, or it can be something that may be less instantly apparent: IP addresses and cookie identifiers can be considered as personal data.
Under GDPR there are also a few special categories of sensitive personal data that are given greater protections. This personal data includes information about racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data around a person’s sex life or orientation.
The crucial thing about what constitutes personal data is that it allows a person to be identified – pseudonymised data can still fall under the definition of personal data. Personal data is so important under GDPR because individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of it are covered by the law.
“Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data,” the UK’s data protection regulator, the Information Commissioner’s Office (ICO), says. It’s also possible that there are joint controllers of personal data, where two or more groups determine how data is handled. “Processors act on behalf of, and only on the instructions of, the relevant controller,” the ICO says. Controllers have stricter obligations under GDPR than processors.
Although coming from the EU, GDPR can also apply to businesses that are based outside the region. If a business in the US, for instance, does business in the EU, then GDPR can apply, and also if it is a controller of EU citizens’ data.
What are GDPR’s key principles?
At the core of GDPR are seven key principles – they’re laid out in Article 5 of the legislation – which have been designed to guide how people’s data can be handled. They don’t act as hard rules, but instead as an overarching framework that is designed to lay out the broad purposes of GDPR. The principles are largely the same as those that existed under previous data protection laws.
GDPR’s seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.
The ICO’s guide to GDPR gives a full run-down of the principles, such as data minimisation, and integrity and confidentiality (security).
What are my GDPR rights?
While GDPR arguably places the biggest tolls on data controllers and processors, the legislation is designed to help protect the rights of individuals. As such, there are eight rights laid out by GDPR. These range from allowing people to have easier access to the data companies hold about them to having it deleted in some scenarios.
The full GDPR rights for individuals are: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and also rights around automated decision making and profiling. (See also: access to your data; automated processing, erasure and data portability.)
GDPR breaches and fines
One of the biggest, and most talked about, elements of the GDPR has been the ability for regulators to hit businesses who don’t comply with huge fines. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If it requires and doesn’t have a data protection officer, it can be fined. If there’s a security breach, it can be fined.
In the UK, these monetary penalties are decided by the ICO and any money regained is rerouted back through the Treasury. GDPR says that smaller offences can result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). The biggest GDPR breaches can be met with more serious consequences: fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater). Under the previous data protection regime, the ICO could only issue fines of up to £500,000.
Before GDPR was implemented there was much speculation that data protection regulators would hit companies found in breach of the legislation with huge fines. This hasn’t happened. Data protection investigations can be lengthy and complex – if they’re wrong, they can be challenged through the courts.
One of the biggest fines under GDPR to date has been against Google: the French data protection regulator, the National Data Protection Commission (CNIL), fined the company €50 million (£43m). CNIL said the fine was issued for two main reasons: Google not providing enough information to users about how it uses the data that it gets from 20 different services and also not getting proper consent for processing user data.
This article demonstrates a clear comprehension of GDPR, its application, key principles, rights, breaches and functions.
A well-written article. It mentions everything that one might need to know.