The General Data Protection Regulation, or GDPR, has been one of the most important issues of recent years. So what is GDPR and why does it matter so much today? In this article we set out in detail what you need to know about GDPR under these question headings, starting with a definition of GDPR.
GDPR is seen as the world's strongest set of data protection rules: it strengthens how people can access information held about them and places limits on what organisations can do with personal data. The regulation exists as a framework for laws across the continent and replaced the previous 1995 data protection directive. The GDPR's final form came about after more than four years of discussion and negotiation.
GDPR came into force on May 25, 2018. Countries within Europe were given the ability to make their own small changes to suit their own needs. The strength of GDPR has seen it lauded as a progressive approach to how people's personal data should be handled and comparisons have been made with the subsequent California Consumer Privacy Act.
At the heart of GDPR is personal data. Broadly this is information that allows a living person to be directly, or indirectly, identified from data that's available. This can be something obvious, such as a person's name, location data, or a clear online username, or it can be something that may be less instantly apparent: IP addresses and cookie identifiers can be considered as personal data.
Under GDPR there are also a few special categories of sensitive personal data that are given greater protection. This personal data includes information about racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data about a person's sex life or sexual orientation.
The crucial thing about what constitutes personal data is that it allows a person to be identified – pseudonymised data can still fall under the definition of personal data. Personal data is so important under GDPR because individuals, organisations, and companies that are either 'controllers' or 'processors' of it are covered by the law.
At the core of GDPR are seven key principles. These principles have been designed to guide how people's data can be handled. They don't act as hard rules, but instead as an overarching framework designed to lay out the broad purposes of GDPR. The principles are largely the same as those that existed under previous data protection laws.
GDPR's Seven Principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. In reality, only one of these principles, accountability, is new to data protection rules.
The data minimisation principle isn't new, but it continues to be important in an age when we are creating more information than ever. Organisations shouldn't collect more personal information than they need from their users. The principle is designed to ensure organisations don't overreach with the type of data they collect about people.
Over the 20 years in which the previous rules were applied, a series of best practices for protecting information emerged, and many of these have now been written into the text of GDPR. Personal data must be protected against unauthorised or unlawful processing, as well as accidental loss, destruction or damage.
GDPR doesn't spell out what good security practices look like. However, proper access controls to information should be put in place, websites should be encrypted, and pseudonymisation is encouraged. If a data breach occurs, data protection regulators will look at a company's information security setup when determining any fines that may be issued.
Accountability is the only new principle under GDPR. Accountability can mean documenting how personal data is handled and the steps taken to ensure that only people who need to access some information are able to. Accountability can also include training staff in data protection measures and regularly evaluating data handling processes.
The destruction, loss, alteration, unauthorised disclosure of, or access to people's data has to be reported to a country's data protection regulator where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more.
For companies that have more than 250 employees, there's a need to have documentation of why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for and descriptions of technical security measures in place. GDPR's Article 30 lays out that most organisations need to keep records of their data processing, how data is shared and also stored.
In addition, organisations that have regular and systematic monitoring of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer. For many organisations covered by GDPR, this may mean having to hire a new member of staff.
While GDPR arguably places the biggest burdens on data controllers and processors, the legislation is designed to help protect the rights of individuals. As such there are eight rights laid out by GDPR. These range from allowing people easier access to the data companies hold about them to having that data deleted in some scenarios.
GDPR rights for individuals are the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and also rights around automated decision making and profiling.
If you want to find out what a company or organisation knows about you, you need a Subject Access Request (SAR). You can't make a request for anyone else's information, although someone, such as a lawyer, can make a request on behalf of another person.
When a person makes a SAR they're legally entitled to be provided with a confirmation that an organisation is processing their personal data, a copy of this personal data, and any other supplementary information that's relevant to the request. A request must be answered within one month.
People have successfully used SARs to find out what information technology companies hold about them. SARs can be made either in writing or verbally, which means an organisation has to determine whether what has been asked for is classed as personal data under GDPR. A SAR doesn't have to say it is a SAR and can be made to any person in an organisation. As well as the information that's asked for, an organisation has to provide details of why it was processing the personal information, how the information is being used, and how long it is due to be kept for.
The GDPR also bolsters a person's rights around automated processing of data. The regulation also gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there's no legitimate interest, and if it was unlawfully processed.
Data portability means it should be possible to move a person's information from one service to another.
One of the biggest, and most talked about, elements of the GDPR has been the ability for regulators to hit businesses that don't comply with huge fines. If an organisation doesn't process an individual's data in the correct way, it can be fined.

Source: https://bit.ly/3uGCif0