What is GDPR? Everything you need to know, from compliance to fines


The General Data Protection Regulation (GDPR) came into force on 25 May 2018 to give individuals more control over their own data and impose strict limitations on how organizations can use personal information.

In an era where personal data has massive value to businesses, how this information is collected, stored, processed, and shared is now governed by the core principles of GDPR. Within the European Union, these principles are enforced by data regulators, and within the UK by the ICO (Information Commissioner's Office).

Before GDPR, how businesses used the personal data of their customers was governed by the EU's 1995 Data Protection Directive and a patchwork of national laws that predated the modern data economy, and enforcement was light. Data scandals such as the Cambridge Analytica incident showed that companies could, if unchecked, use this information to influence behaviour without the knowledge or express permission of the people the data describes.

GDPR clarifies how businesses and organizations should collect personal data and where it may be stored and transferred, including for businesses trading across national borders. The regulation applies to organizations established in any EU Member State, and also to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3) - the test is where the data subjects are, not their citizenship.

The regulation also brings much tougher sanctions for those businesses found to have fallen foul of the rules. Relevant data regulators now have the power to fine a business up to €20 million, or 4% of global annual turnover, whichever is higher.

The UK is in a somewhat unique position given its previous relationship with the EU. As a Member State, the UK updated its own data protection legislation in line with GDPR, and following Brexit it continued that work in order to secure an adequacy decision from the EU and maintain vital data flows. The result is a two-part framework: the Data Protection Act 2018, which supplements the regulation, and the text of GDPR itself, retained in domestic law at the end of the Brexit transition period as the 'UK GDPR'.

A UK business that complies with the Data Protection Act 2018 and the UK GDPR is meeting essentially the same requirements as the EU regulation. Note, though, that a UK business offering goods or services to people in the EU remains directly subject to the EU GDPR as well.

Why was GDPR implemented?

Over the course of the last quarter-century, the web and the movement of data have cemented themselves as fixtures in the operations of countless businesses. The rise of social media platforms, which host and exhibit vast amounts of personal data, has also highlighted the need for a set of data protection laws that is fit for purpose in the modern age.

It's clear why rules such as those outlined in GDPR were required, given how some of the world's biggest tech companies conduct their business. Several platforms have, for many years, offered services that are free to use but request personal and private data from their users, which is then processed and monetised. People aren't paying when they use Google's search engine, but their actions and movements are recorded and converted into data points. These are seen as very valuable to third parties and are especially sought after for purposes such as targeted advertising.

In the past, this type of data collection was often masked by unclear tick boxes or opt-in buttons. You might not even remember agreeing to them, and you almost certainly wouldn't have read the associated terms and conditions, but it's the reason you receive emails that aren't completely in line with your interests.

Perhaps the most egregious example of data misuse was Facebook's Cambridge Analytica scandal, which dominated news headlines in early 2018. In that case, user data was found to have been improperly shared with a third-party app, which then used it to target users with advertising campaigns said to have influenced the outcome of the 2016 US election.


A separate aim of GDPR is to make it easier and cheaper for companies to comply with data protection rules. The EU's 1995 directive allowed member states to interpret the rules as they saw fit when they turned it into local legislation. This meant that data protection laws were inconsistent across the bloc, making data transfers overly cumbersome. The nature of GDPR as a regulation, and not a directive, means it applies directly in every member state without national transposition, leaving far less room for variation in interpretation. The EU estimated that GDPR would not only create smooth data flows but also collectively save companies €2.3 billion a year.

When did GDPR come into effect?

GDPR came into effect on 25 May 2018, applying automatically in all member states and to any organisation, wherever based, that offers goods or services to or monitors people in the EU. Because GDPR is a regulation, not a directive, it applied in the UK directly, without needing to be transposed into domestic law; the legislation the UK did pass, described below, supplements the regulation rather than implementing it.

As part of preparing to leave the European Union, the UK also introduced new data protection legislation, the Data Protection Act 2018. This act covers certain provisions that are not part of GDPR, such as processing relating to immigration and processing by law enforcement and intelligence bodies. The text of GDPR itself was retained in UK law under the European Union (Withdrawal) Act 2018, and now sits alongside the DPA 2018 as the UK GDPR. This was necessary in order to demonstrate that the UK has robust enough data protection laws in place to protect EU data, the condition for the adequacy decision the EU granted in June 2021.

Who does the GDPR apply to?

If you don't think you need to respect the GDPR legislation, you're likely to find yourself in hot water sooner or later. Whether your business operates with clients in the EU or outside it, it's vital you respect the rules and make sure you're compliant with regulations.

Most businesses must comply with the EU's data laws, even if they're based in the US. The trigger is not simply that some data about people in the EU sits on your servers; under Article 3(2) the regulation applies to any organisation that offers goods or services to people in the EU, or monitors their behaviour (for example through analytics or advertising tracking). In order to process that data, the organisation must comply with GDPR principles.

However, if you truly have no dealings with the EU, one practical way to keep it that way is a geographic traffic filter: by blocking requests that geolocate to the EU, you can make sure that only non-EU visitors are able to enter their details onto your site. Two caveats: IP geolocation is imprecise and easily bypassed with a VPN, so the filter reduces rather than eliminates your exposure, and it does nothing about data on people in the EU that you already hold.

This is obviously a technique only relevant for businesses that do not need contact with people in the EU, such as US-based local news sources. The LA Times is one company that implemented this GDPR avoidance scheme in 2018.

What are data controllers and data processors?

Every business operates as either a data controller or data processor, and often both at the same time. 

Data controllers

A data controller is responsible for determining how and why data is collected, and for establishing how data should be processed. This means a controller could be any organization, from a high street retailer to a global manufacturing giant to a charity. Although they are ultimately responsible for how the data is handled, they are not necessarily the collector of that data. 

Your business, as controller, must be able to show that it has collected personal data lawfully. Lawful here means relying on one of the six legal bases set out in Article 6 (consent, contract, legal obligation, vital interests, public task, or legitimate interests), and the basis chosen should be identified and documented before processing begins. If your business is unsure, consulting the ICO's guidance for clarity is essential to avoid what could be potentially heavy fines.

Unlike older data protection laws, GDPR places direct obligations on processors as well as controllers: a processor can be fined or sued in its own right if it suffers a data breach or handles data unlawfully, rather than liability resting solely with the controller.

Data processor

Data processors are any entities that 'process' data on behalf of a data controller. Managed service providers (MSPs) are one of the most common third-party data processors you're likely to encounter, however a data processor can also exist within the same company as a controller.

Data processors have their own compliance requirements, including maintaining records of their processing activities and implementing appropriate security measures, but they may only process data on the controller's documented instructions and within the scope the controller has established (Article 28).

It's important to note that whether an entity is a controller or a processor depends entirely on the relationship that entity has with the data. In some cases, a business may be a data controller while simultaneously providing data processing services for other companies. Likewise, a data processor can also be a controller for another set of data.

For example, every business is considered a data controller in the context of employee data.

How can I process data under the GDPR?

GDPR requires controllers to make sure personal data is processed lawfully, fairly and transparently, and only for specified, explicit purposes (Article 5).

That means people must understand why their data is being processed, and how it is being processed, while that processing must abide by GDPR rules.

How do I get consent under the GDPR?

Consent is at the core of the changes in how data is collected. Gone are the days when your company could assume consent to collect and use a customer's data. 

Consent must be an active, affirmative action by the data subject. For example, your business can't offer a pre-ticked box for collecting personal data. The owner of that information must actively give their consent, and your business must record what they consented to, when, and how, so that it can demonstrate that consent later.

Individuals have the right to withdraw consent and the right to be forgotten. Whatever the reason, once consent is withdrawn GDPR compels your business to stop the processing that relied on it and, unless another legal basis or exemption applies (such as a legal duty to retain records), to delete the information and inform any other parties processing this data so that they delete it from their systems too.

Consent is generally thought of as being the weakest legal basis for processing data, as consent can be removed at any time and thus grind processing to a halt. Unless your business is involved with media or marketing (or those similar industries where consent is required), consent should be your last option.

What counts as personal data under the GDPR?

The type of data that falls under GDPR has also been expanded. Generally, any data that can identify an individual, directly or indirectly, now comes under GDPR, including online identifiers such as IP addresses and cookie IDs. Pseudonymised personal data is also still personal data for as long as someone holds the additional information (such as a key or lookup table) needed to re-identify it, or it can be re-identified with reasonable effort (Recital 26).

This includes:

  • Names
  • Addresses
  • An identification number
  • Location data
  • Anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person
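The point above about pseudonymised data, that it is only as anonymous as the effort needed to re-identify it, is easy to demonstrate with IP addresses. The following is an added example, not code from the original article or from any regulator: it pseudonymises a few constructed sample addresses (taken from the RFC 5737 documentation ranges, not real visitor data) with an unkeyed SHA-256 hash and with an HMAC under a controller-held secret key, then shows that the unkeyed version is reversed simply by hashing every address in a candidate range, while the keyed version resists that enumeration unless you hold the key. The key is generated on the fly purely for illustration.

```python
"""Pseudonymised IP addresses: why the unkeyed hash is still personal data.

Added example, not part of the original article. The addresses below are
constructed samples from the RFC 5737 documentation ranges.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, List, Optional

# Constructed sample "access log" addresses (RFC 5737 documentation ranges).
SAMPLE_IPS: List[str] = ["203.0.113.17", "203.0.113.200", "198.51.100.9"]

Pseudonymiser = Callable[[str], str]


def weak_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the address. Deterministic and computable by anyone,
    so a stored column of these can be reversed by enumerating candidates."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key known only to the controller. Records stay
    linkable (same IP, same pseudonym) but cannot be enumerated without the key."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def reidentify_by_enumeration(target: str, network: str,
                              pseudonymise: Pseudonymiser) -> Optional[str]:
    """Brute-force re-identification: apply `pseudonymise` to every address in
    `network` and return the one whose pseudonym equals `target`, or None.

    A /24 is 256 guesses; all of IPv4 is 2**32, a few CPU-minutes for an unkeyed
    hash. An attacker without the key can only run the unkeyed function, which
    never matches a keyed target.
    """
    for host in ipaddress.ip_network(network):
        candidate = str(host)
        if hmac.compare_digest(pseudonymise(candidate), target):
            return candidate
    return None


def demo() -> dict:
    """Pseudonymise the samples both ways and report what an attacker who holds
    only the stored pseudonyms (and no key) recovers from each scheme."""
    key = secrets.token_bytes(32)  # hypothetical controller secret; keep it apart from the data
    results = {"weak_recovered": [], "keyed_recovered": []}
    for ip in SAMPLE_IPS:
        # The attacker guesses the victim's /24; in reality they would sweep far more.
        net = str(ipaddress.ip_network(ip + "/24", strict=False))
        weak_hit = reidentify_by_enumeration(weak_pseudonym(ip), net, weak_pseudonym)
        keyed_hit = reidentify_by_enumeration(keyed_pseudonym(ip, key), net, weak_pseudonym)
        results["weak_recovered"].append(weak_hit)
        results["keyed_recovered"].append(keyed_hit)
    return results


if __name__ == "__main__":
    print(demo())
```

The keyed scheme is not anonymisation either: the controller, or anyone who obtains the key, can re-identify every record (pass a keyed function into `reidentify_by_enumeration` and the match comes straight back), which is exactly why Recital 26 keeps pseudonymised data inside the regulation. A per-record random salt would defeat enumeration too, but it also destroys the ability to link records of the same visitor, which is usually the reason the identifier was kept in the first place.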

When can people access the data we store on them?

The new data protection laws strengthened one key aspect of the legislation that gives individuals the right to access the data organisations hold on them. Anybody, under GDPR, can submit a subject access request (SAR) to an organisation. The data controller then has one month in which to provide a full response, extendable by a further two months for complex or numerous requests, provided the requester is told of the extension within the first month.

The provision was already part of UK law under the Data Protection Act 1998, but the time period stood at 40 days. Failure to comply with the reduced window also exposes companies to regulatory action under the stricter terms of the GDPR. Twitter, for example, was subject to a GDPR investigation for failing to provide a user with the information they requested under this provision. The rule is not absolute, however, as there are certain exemptions, and requests that are manifestly unfounded or excessive can be refused or charged for.

The data protection laws say controllers and processors must identify clearly how users' data is collected, what it's used for, and how it's processed. Any communications outlining this information, moreover, must be in clear and plain language so there's no risk of confusion on the part of users.

Submitting a SAR is, in effect, a mechanism individuals can use to exercise their rights under the law and hold companies to account over how they use their data. It gives them the right to understand how their information is handled, and for what reasons. Customers can also ask for data to be removed, completed or corrected at any time if it is incomplete or inaccurate.

What is the Right to be Forgotten?

GDPR makes it clear that people can have their data deleted at any time if it's not relevant anymore - i.e. the company storing it no longer needs it for the purpose they collected it for. If the data was collected under the consent model, a citizen can withdraw this consent whenever they like. They might do so because they object to how an organisation is processing their information, or simply don't want it collected anymore.

Where the controller has made the data public, it is also responsible for taking reasonable steps to tell other controllers processing it (for instance, search engines such as Google) to delete any links to, and copies of, that data.

How to report a data breach under GDPR

Under GDPR, a data breach constitutes any breach of security that leads to the accidental or unlawful loss, destruction, alteration, disclosure of, or unauthorised access to personal data.

However, only those breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO; organizations are not required to report every incident, but they must record every one internally, including the reasoning behind any decision not to report (Article 33(5)).

Regardless of the nature of the breach, an organization must take steps to contain it and establish its severity. As part of this process, the company must undertake a risk self-assessment.

If a data processor experiences a breach, it is required to inform the controller as soon as it becomes aware of the incident. Establishing these obligations as part of a contract is important, as both the controller and the processor will be liable for any failure to communicate the details of a data breach.

Controllers have 72 hours from becoming aware of a breach to inform the ICO if the breach risks the rights and freedoms of data subjects. Any failure to meet this timeframe will need to be justified. Controllers can call the ICO on 0303 123 1113, or report a breach online, which is intended for incidents that have already been contained. Where the breach is likely to result in a high risk to individuals, the controller must also tell the affected individuals themselves without undue delay (Article 34).

When reporting the breach, the following information must be provided:

  • A description of the breach, including (if possible) the approximate number of people affected and the types and volume of personal records involved
  • The contact details of the affected organisation's data protection officer, or those of a contact that can provide further information
  • A description of the potential consequences of the breach
  • A description of the various measures the organisation has taken to deal with and mitigate the effects of the breach

Some of this information may not be available within the 72-hour timeframe, so Article 33(4) allows for affected parties to provide details in phases, provided this is done without undue delay. However, any delay will need to be explained, and the party is still required to inform the ICO of a breach within 72 hours if deemed severe enough.

What are the fines for breaches of GDPR?

GDPR massively increases the ceiling for fines, and it does so in two tiers. Failures of organisational obligations, including not reporting a notifiable data breach to the ICO within 72 hours of becoming aware of it, fall into the lower tier: a penalty of up to €10 million, or 2% of global annual turnover, whichever is higher.

That initial contact should outline the nature of the data that's affected, roughly how many people are impacted, what the consequences could mean for them, and what measures you've already actioned or plan to action in response. It's worth noting that the window is a fixed 72 hours from becoming aware of an incident, including weekends and public holidays, and not 72 working hours, as some companies have been led to believe.

Then there is the upper tier, which covers breaches of the core principles, of data subjects' rights and of the rules on international transfers, as well as data breaches that stem from them: a maximum fine of 4% of your organisation's global annual turnover, or €20 million, whichever is higher. Under the UK GDPR the two tiers are £8.7 million (or 2%) and £17.5 million (or 4%).

You can read our article on GDPR fines for more information on this, but the regulation does make clear that fines must be "proportional", therefore you're unlikely to face the most severe penalty if it's a minor breach, or if you can demonstrate you are largely compliant with the legislation. The ICO itself has said it views fines as a "last resort".


GDPR certainly has teeth, as the fines already handed out have been substantial. For example, in May 2023 the Irish Data Protection Commission fined Meta €1.2 billion for continuing to transfer EU users' data to the US without adequate safeguards. Meta is appealing the fine.

The Luxembourg National Commission for Data Protection (CNPD) issued a €746 million ($888 million) fine to Amazon.com Inc. in 2021. This fine resulted from a collective complaint filed in May 2018 on behalf of roughly 10,000 people by La Quadrature du Net, a French privacy rights group that promotes and defends fundamental freedoms in the digital world.

In 2023, the ICO fined TikTok Information Technologies UK Limited and TikTok Inc. £12.7 million for mishandling children's data. The company used the personal data of children under 13 without their parents' consent.

In 2024, Amazon France Logistique was fined €32m for excessively monitoring their employees by the French Data Protection Authority (CNIL). The company runs Amazon's warehouses in France, where employees have devices that track their movements. The CNIL concluded that the data collected was often not needed and that the data was poorly managed, with employees not being informed about the video surveillance they were under.

Did Brexit affect GDPR?

Because the UK government only triggered Article 50 in March 2017, setting in motion a two-year process for leaving the EU, GDPR came into force before the UK actually left. The UK was still required to comply, and subsequently retained the regulation in UK law.

What is the best approach for complying with GDPR?

Ultimately, GDPR is about protecting the personal data your company collects, stores, manipulates, transfers, and sells from unlawful use. It aims to put power back into the hands of data subjects, who must be told how their data is used and, where consent is the legal basis, must give your business explicit permission to use it.

Paying close attention to the main principles of GDPR, assessing how they impact your business, and then making changes to processes is the foundation of compliance; it should be treated as ongoing work rather than a one-off project.

Appointing a data protection officer is usually an excellent first step and gives your company a single point of contact for GDPR compliance. It is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category or criminal conviction data (Article 37).

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.

With contributions from