We live in an increasingly digital age, which brings a wide range of benefits. At consumer level, it has transformed the way we communicate, travel, manage our finances and so much more. For businesses, it means faster, more efficient processes as well as the ability to store vast amounts of data.
But with that enhanced capability comes great responsibility. Where that data pertains to the personal details of a customer – for example, their name or address – organisations have a duty to ensure that information is carefully safeguarded and does not fall into the wrong hands.
Studies show that more than one in five UK adults (21%) are worried about their data being shared with a third party. Meanwhile, those who hold the highest level of trust in organisations storing their personal information are in the minority. Only 6% feel that way, while 10% are of the opposite view and have no confidence in companies whatsoever.
While those statistics reveal a degree of scepticism about how our data is handled, GDPR was brought in to ensure compliance across the board. But what does GDPR stand for, who does it apply to and how does it work? This is GDPR explained.
GDPR stands for the General Data Protection Regulation. It is a privacy and security law, thought to be one of the most stringent in the world, that was drafted and passed by the European Union (EU).
The GDPR regulations cover a wide scope and there are sizeable fines for anyone found to be in breach of the rules. These punishments are divided into two tiers, depending on their severity:
According to the European Commission, the GDPR regulations apply to “a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed.”
GDPR also applies to any “company established outside the EU that is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.”
The GDPR requirements were first approved in April 2016, although they did not come into force until 25 May 2018.
H2: Some key GDPR definitions
Before we go too much further, let’s run through some of the key terms relating to GDPR and what they mean.
According to the GDPR definition, personal data is any information relating to an individual that means they could be directly or indirectly identified. Examples of personal data include:
Any details relating to someone who has passed away do not count as personal data under GDPR, nor does any information about a company or public authority.
There are seven key GDPR principles laid out as part of the regulation. These are:
Under GDPR requirements, individuals have eight key rights regarding their information and how it is handled. These are as follows:
As with everywhere else, GDPR requirements came into effect in the UK in May 2018. And when the UK officially left the EU at the start of 2021, some queried whether the regulations would still apply.
However, by the time Brexit came to pass, the 2018 Data Protection Act had been designed to mirror GDPR, so there is effectively no difference between UK and European law on this matter. The only difference is that the British government could change its legislation, should it choose to.
In the UK, the body responsible for enforcing GDPR is the Information Commissioner’s Office (ICO). The ICO was set up to uphold information rights in the public interest. Some of the legislation covered by the ICO includes GDPR, the Data Protection Act and the Freedom of Information Act.
H2: What happens if an employee breaches GDPR?
First, if there has been a breach of GDPR, the organisation should inform the ICO within 72 hours. As outlined above, the business could be at risk of being hit with a sizeable fine. However, the consequences for the individual responsible for the breach – if blame could be apportioned in such a way – are less clear-cut.
All organisations should have an appointed Data Protection Officer (DPO) who is responsible for shaping the overall strategy and ensuring GDPR compliance. Another part of the DPO’s role is to make sure there is a protocol in place for dealing with any violation of the regulations.
It’s likely that any consequences will depend on the nature of the offence. If there has been an intentional or severe breach, the person responsible may be dismissed from their job. In less serious cases, the DPO and other decision makers may deem that a reprimand or a disciplinary is sufficient.