What Is GDPR?

Date First Published: 4th January 2024

Topic: Computer Systems

Subtopic: Legislation & User Data Protection

Article Type: Computer Terms & Definitions

Difficulty: Medium

Difficulty Level: 4/10

Learn about what GDPR is in this article.

Stands for General Data Protection Regulation. GDPR (Regulation (EU) 2016/679) is a European Union law that protects the personal data of individuals in the EU and sets rules for how businesses and organisations may collect, store and use that data. It was adopted by the EU in April 2016 and has applied since 25th May 2018.

Personal data under GDPR is any information relating to an identified or identifiable person. This includes names, identification numbers, location data, online identifiers such as IP addresses and cookie IDs, email and postal addresses, medical history, and factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity.

Principles

Businesses and organisations that process personal data must follow the data protection principles. They must ensure that personal data is:

  • Used fairly, lawfully, and transparently.
  • Used for specified, explicit purposes.
  • Used in a way that is adequate, relevant and limited to only what is necessary.
  • Accurate and, where necessary, kept up to date.
  • Kept for no longer than is necessary.
  • Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
  • Not transferred to a country outside the EU (strictly, the European Economic Area) unless the EU has found that country to provide adequate protection or appropriate safeguards, such as standard contractual clauses, are in place.
  • Processed by a controller that can demonstrate compliance with these principles (accountability).

Special categories of personal data, which are more sensitive and could be used to discriminate, receive stronger legal protection. They cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify someone, health data, and data about a person's sex life or sexual orientation. Processing this data is prohibited unless one of a short list of conditions applies; the most common is the individual's explicit consent, but others exist, such as obligations under employment law or protecting someone's vital interests.

Rights

Under GDPR, people have a right to:

  • Be informed about how their data is being used.
  • Access the personal data held about them.
  • Have incorrect data corrected.
  • Have their data erased in certain circumstances (the "right to be forgotten").
  • Restrict the processing of their data.
  • Receive their data in a portable format and have it transferred to another organisation.
  • Object to how their data is being processed in certain circumstances, including direct marketing.
  • Not be subject to decisions based solely on automated processing that significantly affect them.

GDPR makes it harder for businesses and organisations to mislead consumers with vague language on their websites. It replaced the 1995 Data Protection Directive (95/46/EC) to account for modern technologies and business practices. For example, it requires that:

  • Website visitors are told what personal data is collected and why, before it is collected.
  • Where consent is the lawful basis for processing, visitors give it by a clear affirmative action such as ticking a box or clicking a button; pre-ticked boxes and silence do not count as consent.
  • The security of processing is assessed. Data controllers (the businesses and organisations that decide why and how data is processed) and processors (those who process it on a controller's behalf) must implement measures appropriate to the risk. GDPR names some explicitly: pseudonymisation and encryption of personal data, and the ability to restore access to data after an incident. High-risk processing also requires a data protection impact assessment before it starts.
  • Breaches are reported promptly. Under Article 33(1) the controller must notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to pose a risk to individuals. Under Article 34 the affected individuals must be told without undue delay when the breach is likely to result in a high risk to them.
  • Personal data is protected against unauthorised or unlawful processing. GDPR does not itself criminalise hacking (that is the job of separate computer misuse laws), but a controller that fails to protect data against it breaches the security principle.
  • Privacy notices are kept up to date and visitors are told when they change.
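The "pseudonymisation and encryption" measures mentioned above are usually implemented as field-level protection of the stored records. The following is an added example, not code from the original article or from any regulator: a hypothetical `PseudonymisationVault` that replaces direct identifiers in a processing dataset with a keyed-hash token, keeps the token-to-identity mapping in a separate store, and implements erasure by deleting that mapping. The field names and the sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fields that identify a person directly; everything else stays in the
# processing dataset under a pseudonymous subject token.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records for the example (not real people).
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.se", "order_total": 42.0},
    {"name": "Anna Example", "email": "ANNA@example.se", "order_total": 13.5},
    {"name": "Bo Sample", "email": "bo@example.se", "order_total": 7.0},
]


@dataclass
class PseudonymisationVault:
    """Secret key plus the token -> identity mapping.

    Hypothetical deployment: the vault lives in a separate store with its own
    access controls (or an HSM-backed service), so a breach of the processing
    dataset alone exposes no names or e-mail addresses.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def token_for(self, email: str) -> str:
        # Keyed hash (HMAC-SHA256), not a plain hash: the same subject always
        # gets the same token so joins and analytics still work, but without
        # the key nobody can confirm a guessed address by hashing it, which a
        # bare SHA-256 of an e-mail address would allow.
        normalised = email.strip().lower().encode()
        return hmac.new(self.key, normalised, hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        token = self.token_for(record["email"])
        # Keep the first identity seen for a token; later case variants of
        # the same address map to the same entry.
        self.mapping.setdefault(token, {k: record[k] for k in DIRECT_IDENTIFIERS})
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = token
        return out

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        # Needed when the controller must act on the real identity, e.g. to
        # answer a subject access request.
        return self.mapping.get(token)

    def erase(self, email: str, dataset: List[dict]) -> List[dict]:
        # Erasure: drop the mapping so the token can never be re-identified,
        # then purge the subject's records from the processing dataset.
        token = self.token_for(email)
        self.mapping.pop(token, None)
        return [r for r in dataset if r["subject"] != token]


def run_example():
    """Pseudonymise the sample records, answer an access request, then erase."""
    vault = PseudonymisationVault()
    dataset = [vault.pseudonymise(dict(r)) for r in SAMPLE_RECORDS]
    anna = dataset[0]["subject"]
    identity = vault.reidentify(anna)
    remaining = vault.erase("anna@example.se", dataset)
    return vault, dataset, identity, remaining


if __name__ == "__main__":
    vault, dataset, identity, remaining = run_example()
    print("processing dataset:", dataset)
    print("identity behind first token:", identity)
    print("after erasure:", remaining,
          "re-identifiable:", vault.reidentify(dataset[0]["subject"]))
```

Two design points matter here. The token is an HMAC rather than a plain hash because e-mail addresses are low-entropy: anyone holding a plain SHA-256 dataset could hash a list of known addresses and re-identify the subjects, so the keyed construction is what makes the dataset pseudonymous rather than merely obfuscated. And erasure removes the mapping as well as the records, so any copy of the processing dataset that survives (backups, analytics exports) no longer links back to the person.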

Who Does GDPR Apply To?

GDPR applies to businesses and organisations established in the EU, regardless of where the processing itself takes place. It also applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. For example, a US-based company that sells to individuals living in Sweden and stores their data must comply with GDPR.

It covers every sector that processes personal data, including healthcare services, law firms, educational institutions and scientific research, and is not limited to IT businesses such as ecommerce websites. It does not apply to processing done by a private individual in the course of a purely personal or household activity, such as keeping a personal address book.

Businesses and organisations that do not comply with the regulation may receive penalties or fines. For severe violations, the fine can be up to 20 million euros or 4% of worldwide annual turnover for the preceding financial year, whichever is greater. For less severe violations, the fine can be up to 10 million euros or 2% of worldwide annual turnover for the preceding financial year, whichever is greater.

Difference Between GDPR and The Data Protection Act

GDPR and the Data Protection Act 2018 are two pieces of legislation that govern the processing and protection of personal data. GDPR is the EU regulation; the Data Protection Act 2018 is the UK statute that supplements it and fills in the choices the regulation leaves to individual member states, such as the age at which a child can consent to online services. Since the UK left the EU, the regulation continues to apply in the UK as the "UK GDPR", read together with the Act.
