GDPR is the world's strongest set of data protection rules, improving how people access information about themselves. It is also about limiting what businesses can do with personal data. GDPR's full text has 99 individual articles.
Read on to find out more about GDPR especially if you are a business or company owner!
A little bit of background on GDPR…
According to Forbes, years of planning for this new regulation finally came to an end on May 25, 2018, when the long-planned data protection reforms began to take effect across Europe.
The mutually agreed-upon General Data Protection Regulation (GDPR) has been in effect for approximately four years and has modernised the laws that protect people’s personal information.
GDPR has replaced previous data protection rules that were almost two decades old across Europe, with some of them first drafted in the 1990s. Our data-heavy lifestyles have evolved since then, with people routinely sharing their personal information freely online.
The seven principles of GDPR are as follows: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
What is the scope of GDPR?
Personal data is at the heart of GDPR. In general, this is information that allows a person to be directly or indirectly identified from available data. Personal data can be a person's name, location data, or an online username. It can also be IP addresses and cookie identifiers.
According to the GDPR official website, it also provides additional safeguards for a few special categories of sensitive personal data. This personal data includes racial or ethnic origin information, political opinions, religious beliefs, trade union membership, genetic and biometric data, health information, etc.
Despite its origins in the EU, GDPR can apply to businesses located outside of the EU. If a company in the United States, for example, does business in the EU, GDPR may apply; it may also apply if the company acts as a controller of data about EU citizens.
What are my rights under GDPR?
While GDPR arguably places the greatest responsibility on data controllers and processors, the policy is intended to help protect people’s rights. As a result, GDPR establishes eight rights. These range from allowing people easier access to the data companies hold about them to deleting it in some cases.
According to the official GDPR website, individuals have the following rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the rights around profiling.
What is a privacy notice?
A privacy notice is a public document issued by a company that explains how it processes personal data and how it adheres to data protection principles. Articles 12, 13, and 14 of the GDPR detail how to create a privacy notice, with an emphasis on making it simple to understand and accessible. If you collect data directly from someone, you must provide them with your privacy notice at the time of collection.
It should be noted that the terms "privacy notice" and "privacy policy" do not appear in the GDPR text and are essentially interchangeable. These guidelines apply to any public documents in which your organisation describes its data processing activities to customers and the general public.
According to the GDPR official website, businesses will need to provide people with a GDPR privacy policy that is:
- in a concise, transparent, intelligible, and easily accessible form
- written in clear and plain language, particularly for any information addressed specifically to a child
- delivered in a timely manner
- provided free of charge.
What are GDPR fines?
One of the most significant and widely discussed aspects of the GDPR has been the ability for regulators to impose fines on businesses that fail to comply. If a business fails to process an individual's data correctly, it may be fined.
It may also be fined if it is required to appoint a data protection officer and has not done so. A security breach may result in a fine.
In the United Kingdom, the Information Commissioner’s Office (ICO) decides on monetary penalties, and the amount of money recovered is redirected through the Treasury.
According to the GDPR official website, minor infractions may result in fines of up to €10 million or 2% of a company's global turnover (whichever is greater). The most serious GDPR violations may result in fines of up to €20 million or 4% of a company's global turnover (whichever is greater). Under the previous data protection regime, the ICO could only issue fines of up to £500,000.
In conclusion…
The GDPR was created to give people more control over how their personal data is collected and processed.
While protecting the data you collect is important for GDPR compliance, the goal is also to help customers make informed decisions about who collects their data and how their data is processed.