General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) explained

We live in an increasingly digital age, which brings a wide range of benefits. At consumer level, it has transformed the way we communicate, travel, manage our finances and so much more. For businesses, it means faster, more efficient processes as well as the ability to store vast amounts of data.

But with that enhanced capability comes great responsibility. Where that data pertains to the personal details of a customer – for example, their name or address – organisations have a duty to ensure that information is carefully safeguarded and does not fall into the wrong hands.

Studies show that more than one in five UK adults (21%) are worried about their data being shared with a third party. Meanwhile, those who hold the highest level of trust in organisations storing their personal information are in the minority. Only 6% feel that way, while 10% are of the opposite view and have no confidence in companies whatsoever.

While those statistics reveal a degree of scepticism about how our data is handled, GDPR was brought in to ensure compliance across the board. But what does GDPR stand for, who does it apply to and how does it work? This is GDPR explained.

What is GDPR?

GDPR stands for the General Data Protection Regulation. It is a privacy and security law, thought to be one of the most stringent in the world, that was drafted and passed by the European Union (EU).

The GDPR regulations cover a wide scope and there are sizeable fines for anyone found to be in breach of the rules. These punishments are divided into two tiers, depending on their severity:

  • Less severe infringements could result in a fine of up to €10 million or 2% of the company’s annual revenue from the previous financial year, whichever is higher.
  • More serious transgressions could result in a fine of up to €20 million or 4% of the company’s annual revenue from the previous financial year, whichever is higher.

Who does GDPR apply to?

According to the European Commission, the GDPR regulations apply to “a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed.”

GDPR also applies to any “company established outside the EU that is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.”

When did GDPR come into force?

The GDPR requirements were first approved in April 2016, although they did not come into force until 25 May 2018.

H2: Some key GDPR definitions

Before we go too much further, let’s run through some of the key terms relating to GDPR and what they mean.

  • Data subject: The person to whom the information relates.
  • Data processing: Essentially any action carried out on the information – including collecting, storing, and deleting.
  • Data controller: The individual who is in charge of how the data is processed.
  • Data processor: This refers to a third party that the controller enlists to process the information on their behalf.

GDPR: What is personal data?

According to the GDPR definition, personal data is any information relating to an individual that means they could be directly or indirectly identified. Examples of personal data include:

  • Name
  • Address
  • Email
  • Gender
  • Ethnicity
  • Religious beliefs
  • Political opinions

Any details relating to someone who has passed away do not count as personal data under GDPR, nor does any information about a company or public authority.

How many principles apply to GDPR?

There are seven key GDPR principles laid out as part of the regulation. These are:

  1. Lawfulness, fairness, and transparency: Personal data must always be processed in line with these three values.
  2. Purpose limitation: Data can only be processed for the legitimate reasons outlined to the subject when it was collected.
  3. Data minimisation: Only data that is necessary for the specified purposes should be collected.
  4. Accuracy: All personal data should be correct and up to date.
  5. Storage limitation: Data should only be held for as long as is required for the specified purpose.
  6. Integrity and confidentiality: Processing of any data should be done in a way that ensures its security.
  7. Accountability: The data controller has a duty to be able to prove GDPR compliance in line with principles one to six

Nucleus Loans:

Apply Now

What are the rights of the data subject?

Under GDPR requirements, individuals have eight key rights regarding their information and how it is handled. These are as follows:

  1. The right to be informed about how their data is being collected and used.
  2. The right to access and be given copies of their personal information.
  3. The right to rectify their data. This could be to correct any inaccuracies or complete any partial information.
  4. The right to erase their personal information.
  5. The right to restrict the processing of their data.
  6. The right to portability, which means the subject can get hold of and reuse their data for their own needs.
  7. The right to object to their data being used in certain circumstances.
  8. The right relating to automated decision-making. This refers to when decisions are made without any human involvement and can include profiling.

Why is GDPR important if the UK is no longer in the EU?

As with everywhere else, GDPR requirements came into effect in the UK in May 2018. And when the UK officially left the EU at the start of 2021, some queried whether the regulations would still apply.

However, by the time Brexit came to pass, the 2018 Data Protection Act had been designed to mirror GDPR, so there is effectively no difference between UK and European law on this matter. The only difference is that the British government could change its legislation, should it choose to.

Who is responsible for enforcing GDPR?

In the UK, the body responsible for enforcing GDPR is the Information Commissioner’s Office (ICO). The ICO was set up to uphold information rights in the public interest. Some of the legislation covered by the ICO includes GDPR, the Data Protection Act and the Freedom of Information Act.

H2: What happens if an employee breaches GDPR?

First, if there has been a breach of GDPR, the organisation should inform the ICO within 72 hours. As outlined above, the business could be at risk of being hit with a sizeable fine. However, the consequences for the individual responsible for the breach – if blame could be apportioned in such a way – are less clear-cut.

All organisations should have an appointed Data Protection Officer (DPO) who is responsible for shaping the overall strategy and ensuring GDPR compliance. Another part of the DPO’s role is to make sure there is a protocol in place for dealing with any violation of the regulations.

It’s likely that any consequences will depend on the nature of the offence. If there has been an intentional or severe breach, the person responsible may be dismissed from their job. In less serious cases, the DPO and other decision makers may deem that a reprimand or a disciplinary is sufficient.

Head over to our Finance Glossary for more explainers and useful guides and if you have any questions about any of our products, please don’t hesitate to get in touch.

Wordpress Social Share Plugin powered by Ultimatelysocial