GDPR: Everything you need to know
By Eleanor Blackwood
Tue 23 June 2020
What is GDPR?
GDPR stands for General Data Protection Regulation. It is an EU (European Union) law, but its reach extends well beyond the EU: any organisation that offers goods or services to people in the EU, or monitors their behaviour, must comply regardless of where it is based (Article 3).
The GDPR sets new standards for data protection that:
- Give individuals greater control over their personal data
- Place limits on what organisations can do with personal data
Personal data is information that allows a person to be identified, directly or indirectly, such as a name, a cookie identifier or health information.
When did GDPR come into effect?
- It went into effect on May 25, 2018, after being adopted in April 2016 with a two-year transition period.
- As a regulation it applies directly in every EU member state, but it leaves room for member states to set their own rules in certain areas. For example, the age at which a child can consent to online services can be set by each country anywhere between 13 and 16.
Why was it needed?
In essence, there wasn’t enough regulation around how personal data was being used by companies, and it was open to severe misuse.
New sanctions and regulations were needed to protect individuals’ rights and keep up with the revolutionary ways in which data is mined. Many would argue that further action is still needed.
Personal data has rapidly become a highly valuable resource, because it can be used to profile people, target advertising and sales, and make other business processes more efficient, to name just a few uses.
All of these drive up profits. While nobody knows exactly how much the industry is worth, the World Economic Forum estimates that personal data supports a trillion-dollar industry.
What does the law actually say?
The GDPR has 7 key principles, set out in Article 5:
✔️ Lawfulness, fairness and transparency: data must be processed on a valid legal basis, and people must be told clearly what is done with it
✔️ Purpose limitation: data collected for one purpose must not be reused for an incompatible one
✔️ Data minimisation: collect only what is needed for the stated purpose
✔️ Accuracy: keep data accurate and up to date, and correct or erase inaccurate data without delay
✔️ Storage limitation: keep data in identifiable form no longer than necessary
✔️ Integrity and confidentiality: protect data against unauthorised access, loss and damage with appropriate security measures
✔️ Accountability: the organisation is responsible for compliance with all of the above, and must be able to demonstrate it
What is considered personal data under GDPR?
Personal data is any information relating to a living individual who can be identified from it, directly or indirectly (Article 4(1)). We go into this in more detail on our personal data page, but for now here are the main types:
- Basic identifiers such as a name, identification number, postal address or date of birth
- Online identifiers such as an IP address, cookie identifiers or device IDs
- Location data
- Financial details such as bank account or payment card numbers
- 'Special category' data (Article 9), which gets extra protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, health data, and data about a person's sex life or sexual orientation
Who does GDPR apply to?
GDPR applies to organisations and individuals. Organisations that decide how and why personal data is processed ('controllers'), and those that process it on their behalf ('processors'), must adhere to the principles outlined above, and individuals ('data subjects') gain far greater rights over their own personal data.
What is GDPR compliance?
GDPR compliance means complying with the General Data Protection Regulation. In this blog post, we've laid out what the 7 principles of GDPR are, and the rights that it grants to individuals. Companies that don't adhere to it can face large fines. We've got a fair bit of advice for companies on how to improve their data practices in our blog.
Does GDPR mean businesses have to behave differently?
Absolutely. The purpose of GDPR is to make data practices fairer, which means giving more rights to individuals over their personal data, and placing restrictions on what companies can do with it.
There are a few key implications for businesses:
Fines for non-compliance:
Businesses that do not comply with the GDPR can be fined. The most serious infringements carry fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (Article 83(5)); a lower tier of up to €10 million or 2% applies to other breaches. For example, in 2019 the UK Information Commissioner's Office announced its intention to fine British Airways £183 million after the personal and payment details of around 500,000 customers were stolen in a 2018 cyber attack on its website.
Increased spending on data protection:
For most businesses, the GDPR means greater compliance spending. The regulation requires 'appropriate technical and organisational measures' to secure personal data (Article 32), naming pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of controls as examples. Businesses must also keep records of their processing, carry out data protection impact assessments for high-risk processing, appoint a data protection officer where required, and notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.
An opportunity to build customer trust:
These expenses can also pay off as greater trust and confidence from customers. As loud media coverage of data misuse by a few organisations has made the public more wary of how their personal data is used, being trusted with data is becoming a more valuable asset for businesses.
What does GDPR mean for you?
GDPR gives you as an individual much greater control over your data and secures these 8 rights:
- The right to be informed means that a company must tell you, clearly and up front, what data it collects about you, why, on what legal basis, who it shares it with and how long it keeps it. This is usually done in a privacy notice.
- The right of access means that if you want to find out what data a company holds on you, you can send a Subject Access Request (SAR) and receive a copy of this data, normally within one month.
- The right to rectification means that you can have your personal data corrected if it's wrong or out of date.
- The right to erasure means that you can ask for your personal data to be erased, for example when it is no longer needed for the purpose it was collected for or you withdraw your consent. This is also known as the 'right to be forgotten'.
- The right to restrict processing means that you can ask a company to stop using your data while still holding it, for example while you contest its accuracy or while an objection you have raised is being considered.
- The right to data portability means that you can receive your personal data in a structured, commonly used, machine-readable format and move it from one service to another for your own purposes, e.g. Facebook's tool for transferring your photos to a Google Photos account.
- The right to object means that you can object to your data being used in certain ways. For direct marketing the company must stop as soon as you object.
- Rights related to automated individual decision-making, including profiling, mean that a company may only make a decision about you based solely on automated processing, where that decision has legal or similarly significant effects on you, if it has your explicit consent, the decision is necessary for a contract with you, or it is authorised by law.
To start sending requests to exercise your rights, try our quick and simple request sender.
How does the GDPR compare to other parts of the world?
According to the International Association of Privacy Professionals (IAPP), the GDPR is one of the most 'comprehensive data protection laws in the world to date'.
Although there are many privacy laws around the world, the GDPR is most often compared to the California Consumer Privacy Act (CCPA), the first comprehensive state-level privacy law in the US, which came into effect on 1 January 2020. To see how they compare, you can check out our blog.
Overall, the GDPR is an important piece of legislation that protects your rights and gives you the opportunity to have more control over your highly valuable personal data.
We hope that a little of the confusion surrounding the meaning and implications of GDPR is now cleared up! If you have any questions, feel free to tweet us @rightlydata, or get in touch.