It’s been four years since GDPR came into effect. The landmark legislation for how personal data is collected and used has caused huge changes for businesses all over the world, but has it been a success? And what does GDPR mean for you and your organisation?
What does GDPR stand for?
GDPR stands for General Data Protection Regulation, which became part of EU law on 25th May 2018. Work started to develop this legislation in 2012 to make ‘Data protection rules that are fit for the digital age’.
Who does GDPR apply to?
GDPR governs how both EU and non-EU companies use and store the personal data of EU citizens. For example, if you are an American-based company but want to store the personal data of someone who lives in Germany, you must comply with GDPR.
What is the difference between GDPR and the Data Protection Act 2018?
The Data Protection Act 2018 (DPA) is the implementation of GDPR into UK law, controlling how the personal data of UK inhabitants is used – this replaced the prior Data Protection Act of 1998. It is essentially the same thing. However, there are some subtle differences between the two, such as child consent – GDPR states that you must be 16 to content to data processing, whereas the age in compliance with DPA is 13. Furthermore, GDPR states you require official authority when processing criminal data, whereas the DPA does not have such rules.
Is UK GDPR the same as EU GDPR?
Following their withdrawal from the European Union, the United Kingdom adopted the UK GDPR to replace EU GDPR. The UK GDPR is fundamentally equivalent to the EU GDPR but altered to accommodate national regions of regulation. UK organisations who do business with EU citizens still need to comply with the EU GDPR the same as any other non-EU country.
The 7 Key Principles of GDPR
Lawfulness, fairness and transparency
Organisations should have a lawful basis for data processing – an organisation must adhere to Article 6 of GDPR for this. Fairness means data should only be used in ways users would expect you to. Transparency goes hand in hand with lawfulness and fairness – you should always be open and honest with how you are processing personal data.
The second principle stipulates that any data collected should be for a specific and legitimate purpose. Data should only ever be processed in the ways it was stated to the user when collected.
Organisations should only collect the smallest amount of data possible from users. Companies should avoid gathering personal data such as home address and contact details if not necessary.
It is the responsibility of organisations to make sure that data is kept up to date, deleted or flagged as incorrect. The aim is to have data that is accurate which is beneficial to both organisation and user.
Per GDPR, organisations mustn’t keep personal data for any longer than is necessary. After this period, they must dispose of the personal data and not doing so may be unlawful.
Integrity and confidentiality (security)
Organisations are responsible for making sure that data collected is secure from threats, such as unauthorised processing, accidental loss or destruction. Action must be taken to ensure security is in place in both the digital and physical realms. Cybersecurity measures like firewalls and anti-virus software are crucial to the safety of personal data. Just as important is physical security – alarms, locks, limiting personnel access to areas where personal information is kept.
Accountability is having evidence to prove that you are following all the rules set out by GDPR. Correct practices must be in place so that documentation is readily available for regulatory bodies.
What is the maximum GDPR fine?
The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover, whichever is greater, for a GDPR breach. The EU GDPR sets a maximum fine of €20 million (about £16.8 million) or 4% of annual global turnover, whichever is greater.
Who has broken GDPR rules?
There have been some seriously hefty fines handed out to high profile companies since the regulations came into effect. The biggest so far being a €746 million fine handed to Amazon in July 2021 by the Luxembourg National Commission for Data Protection for compiling data on its customers and partners. WhatsApp was fined €225 million in September 2021 for breaches of transparency and data subject information obligations under articles 12, 13 and 14 of the GDPR. Another big-name culprit was H&M, which were fined €35.3 million for illegal surveillance of employees.
Has GDPR been successful?
Whilst GDPR is still relatively new, it has proved to be a success when it comes to forcing companies to overhaul personal data use procedures and charging those who break the rules. Furthermore, GDPR has undoubtedly made businesses safer from cybercrime. Many countries around the globe such as Australia, China, Brazil, and Japan have started to look at and change their data protection laws to mirror that of GDPR. The enforcement by regulators has improved over the 4 years as more companies have been caught for infringements, however, they still struggle to keep up with the growing number of cases. One example of which is the Data Protection Commission (DPC), a regulator of GDPR in Ireland – the EMEA home to such tech giants as Google, Facebook and Apple. The DPC warned it was “acutely strained” causing prolonged delays in investigations.
How can SEP2 help your organisation avoid GDPR infringements?
As Cyber Security Specialists, SEP2 can consult on and implement the most advanced cyber security solutions currently on the market to keep businesses safe from all manner of data breaches. Whether you need a Next-Generation Firewall (NGFW), a Secure Web Gateway (SWG) or a Cloud Access Security Broker (CASB) – we are cyber security specialists and know how to protect your organisation.
If you wish to discuss the solutions we offer, please contact us for more information.