GDPR stands for the General Data Protection Regulation. It came into force in May 2018 and its purpose is to give citizens in the EU greater rights to protect their data when it is held and used by organisations. GDPR compliance means all businesses must adhere to the rules set out in the GDPR.
Before GDPR came into effect it was possible to misuse personal data without much regulation or real punishment. This has now changed. The backlash against this practice, often referred to as ‘big brother surveillance’, meaning people are watched and manipulated without any control over the process, highlighted the need for a more responsive system of governance and led to the creation of GDPR. Tougher standards were introduced to ensure companies are transparent about these practices, and they now have to gain permission to capture individuals’ data. Failure to do so, or any other breach of the rules, can result in huge fines. Companies that continue to misuse data can be fined up to 20 million euros or 4% of the company’s annual turnover.
Who does the GDPR apply to?
The last 20 years have seen incredible advancements in technology, and the ways consumers can access services and goods have changed dramatically. New laws were long overdue to address these developments and regulate use of the internet and social media. Businesses are now hugely dependent on the internet and most have an online presence. GDPR was created as a response to this.
Every business which operates inside the EU must be compliant with these regulations. As the UK has been preparing to leave the EU since 2016, the UK has formalised GDPR into new legislation under the Data Protection Act 2018.
The Data Protection Act (DPA) 2018 provides the framework for data protection law in the UK. GDPR and the DPA sit alongside one another. The DPA sets out how the GDPR applies in the UK – for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.
In reality, GDPR compliance means that almost every business is beholden to the EU’s data laws even if it is not within the EU. Due to the global nature of the internet, it is highly likely that most companies will hold some data from EU citizens, and it is the individual’s data which is protected, regardless of where the business that has accessed it is based.
It is possible that a company has absolutely no dealings with any individual data from EU citizens. In this instance, these businesses could avoid having to comply with GDPR by blocking anybody from the EU from accessing their website. This is often used in the US as a tactic for companies to avoid GDPR compliance.