In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe 'fit for the digital age'. Almost four years later, an agreement was reached on what that involved and how it will be enforced.
One of the key components of the reforms is the introduction of the General Data Protection Regulation (GDPR). This new EU framework applies to organizations in all member-states and has implications for businesses and individuals across Europe, and beyond.
"The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information," said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015.
GDPR stands for General Data Protection Regulation. It's the centrepiece of Europe's digital privacy legislation. At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
The reforms are designed to reflect the world we're living in now and bring laws and obligations - including those around personal data, privacy, and consent - across Europe up to speed for the internet-connected age.
Fundamentally, almost every aspect of our lives revolves around data. From social media companies to banks, retailers, and governments - almost every service we use involves the collection and analysis of our personal data. Your name, address, credit card number, and more are all collected, analyzed, and, perhaps most importantly, stored by organizations.
GDPR can be considered the world's strongest set of data protection rules: it enhances how people can access information held about them and places limits on what organizations can do with personal data. The full text of GDPR is an unwieldy beast, containing 99 individual articles.
The regulation exists as a framework for laws across the continent and replaced the previous 1995 data protection directive. The GDPR's final form came about after more than four years of discussion and negotiations – it was adopted by both the European Parliament and European Council in April 2016. The underpinning regulation and directive were published at the end of that month.
GDPR came into force on May 25, 2018. Countries within Europe were given the ability to make their own small changes to suit their own needs. Within the UK this flexibility led to the creation of the Data Protection Act (2018), which superseded the previous 1998 Data Protection Act.
The strength of GDPR has seen it lauded as a progressive approach to how people's personal data should be handled and comparisons have been made with the subsequent California Consumer Privacy Act.
At the heart of GDPR is personal data. Broadly this is information that allows a living person to be directly, or indirectly, identified from data that's available. This can be something obvious, such as a person's name, location data, or a clear online username, or it can be something that may be less instantly apparent: IP addresses and cookie identifiers can be considered as personal data.
Under GDPR there are also a few special categories of sensitive personal data that are given greater protection. This personal data includes information about racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information, and data around a person's sex life or orientation.
The crucial thing about what constitutes personal data is that it allows a person to be identified – pseudonymized data can still fall under the definition of personal data. Personal data is so important under GDPR because individuals, organizations, and companies that are either 'controllers' or 'processors' of it are covered by the law.
"Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data," the UK's data protection regulator, the Information Commissioner's Office (ICO) says. It's also possible that there are joint controllers of personal data, where two or more groups determine how data is handled. "Processors act on behalf of, and only on the instructions of, the relevant controller," the ICO says. Controllers have stricter obligations under GDPR than processors.
Although it comes from the EU, GDPR can also apply to businesses based outside the region. If a business in the US, for instance, does business in the EU, or acts as a controller of EU citizens' data, GDPR can apply.
At the core of GDPR are seven key principles – they're laid out in Article 5 of the legislation – which have been designed to guide how people's data can be handled. They don't act as hard rules, but instead as an overarching framework that is designed to lay out the broad purposes of GDPR. The principles are largely the same as those that existed under previous data protection laws.
GDPR's seven principles are lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.
The ICO's guide to GDPR gives a full run-down of the principles, but we're only going to highlight a couple of them here.
The data minimization principle isn't new, but it continues to be important in an age when we are creating more information than ever. Organizations shouldn't collect more personal information than they need from their users. "You should identify the minimum amount of personal data you need to fulfill your purpose," the ICO says. "You should hold that much information, but no more."
The principle is designed to ensure organizations don't overreach with the type of data they collect about people. For instance, it's very unlikely that an online retailer would need to collect people's political opinions when they sign up to the retailer's email mailing list to be notified when sales are taking place.
Under the 1998 data protection laws, security was the seventh principle outlined. Over the 20 years in which those laws were implemented, a series of best practices for protecting information emerged, and many of these have now been written into the text of GDPR.
Personal data must be protected against "unauthorized or unlawful processing," as well as accidental loss, destruction or damage. In plain English, this means that appropriate information security protections must be put in place to make sure information isn't accessed by hackers or accidentally leaked as part of a data breach.
GDPR doesn't say what good security practices look like, as it's different for every organization. A bank will have to protect the information in a more robust way than your local dentist may need to. However, broadly, proper access controls to information should be put in place, websites should be encrypted, and pseudonymization is encouraged.
Accountability is the only new principle under GDPR – it was added to ensure companies can prove they are working to comply with the other principles that form the regulation. At its simplest, accountability can mean documenting how personal data is handled and the steps taken to ensure only people who need to access some information are able to. Accountability can also include training staff in data protection measures and regularly evaluating data handling processes.
The "destruction, loss, alteration, unauthorized disclosure of, or access to" people's data has to be reported to a country's data protection regulator where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation, and more. In the UK, the ICO has to be informed of a data breach within 72 hours of an organization finding out about it. An organization also needs to tell the people the breach impacts.
For companies that have more than 250 employees, there's a need to have documentation of why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for, and descriptions of technical security measures in place. GDPR's Article 30 lays out that most organizations need to keep records of their data processing, how data is shared, and also stored.
Additionally, organizations that have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organizations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR, and be a point of contact for employees and customers.
The accountability principle can also be crucial if an organization is being investigated for potentially breaching one of GDPR's principles. Having an accurate record of all systems in place, how information is processed, and the steps taken to mitigate errors will help an organization prove to regulators that it takes its GDPR obligations seriously.
While GDPR arguably places the biggest burden on data controllers and processors, the legislation is designed to help protect the rights of individuals. As such, there are eight rights laid out by GDPR. These range from giving people easier access to the data companies hold about them to allowing that data to be deleted in some scenarios.
The full GDPR rights for individuals are the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and also rights around automated decision making and profiling.
As with the GDPR principles, we're only going into detail on some of the rights here. More can be found on the ICO's website.
If you want to find out what a company or organization knows about you, you need a Subject Access Request (SAR). Previously, these requests cost £10 but GDPR scraps the cost and makes it free to ask for your information. You can't make a request for anyone else's information, although someone, such as a lawyer, can make a request on behalf of another person.
When a person makes a SAR they're legally entitled to be provided with a confirmation that an organization is processing their personal data, a copy of this personal data (unless exemptions apply), and any other supplementary information that's relevant to the request. A request must be answered within one month.
The GDPR also bolsters a person's rights around the automated processing of data. The ICO says individuals "have the right not to be subject to a decision" if it is automatic and it produces a significant effect on a person. There are certain exceptions but generally, people must be provided with an explanation of a decision made about them.
The regulation also gives individuals the power to have their personal data erased in some circumstances. These include cases where the data is no longer necessary for the purpose it was collected for, where consent is withdrawn, where there is no legitimate interest, and where the data was unlawfully processed.
Data portability has been one of GDPR's big buzzwords – but it's one that has seen some of the least action. The theory is that it should be possible to share information from one service to another. One of the best examples of data sharing is Facebook's ability to automatically transfer your photos to a Google Photos account. This was created by the Data Transfer Project which includes Apple, Google, Facebook, Twitter, and Microsoft.
One of the biggest, and most talked about, elements of the GDPR has been the ability for regulators to hit businesses that don't comply with huge fines. If an organization doesn't process an individual's data in the correct way, it can be fined. If it is required to have a data protection officer and doesn't, it can be fined. If there's a security breach, it can be fined.
In the UK, these monetary penalties are decided by the ICO, and any money regained is rerouted back through the Treasury. GDPR says that smaller offenses can result in fines of up to €10 million or two percent of a firm's global turnover (whichever is greater). The biggest GDPR breaches can be met with more serious consequences: fines of up to €20 million or four percent of a firm's global turnover (whichever is greater). Under the previous data protection regime, the ICO could only issue fines of up to £500,000.
Before GDPR was implemented there was much speculation that data protection regulators would hit companies found in breach of the legislation with huge fines. This hasn't happened. Data protection investigations can be lengthy and complex – if they're wrong, they can be challenged through the courts.
One of the biggest fines under GDPR to date has been against Google: the French data protection regulator, the National Data Protection Commission (CNIL), fined the company €50 million (£43m). CNIL said the fine was issued for two main reasons: Google not providing enough information to users about how it uses the data that it gets from 20 different services and also not getting proper consent for processing user data.