And Other Data Protection Questions
What is GDPR?
The General Data Protection Regulation is a piece of legislation that became enforceable in 2018 following several years of planning and development. It applies across Europe and, at the time it became enforceable, covered all 28 European Union member states.
As with other European countries, the UK adopted the GDPR in the form of its own law (with minor changes), with the Data Protection Act (DPA) 2018 replacing the previous DPA 1998.
With the objective of addressing several decades of technological progress and the many changes to the way data was being used by the late 2010s, the General Data Protection Regulation places greater obligations and responsibilities upon organisations handling personal data.
Who Does GDPR Apply To?
To answer the question of who GDPR applies to, we must first understand what it applies to.
The GDPR applies to ‘personal data’, technically defined as any information relating to an identifiable person who can be “directly or indirectly identified in particular by reference to an identifier”.
Many types of information can constitute ‘personal data’, from a person’s home address to their internet browsing history. If your organisation collects, processes or otherwise handles personal data, it is vital that the principles and controls of the General Data Protection Regulation are adhered to.
Does the GDPR Only Apply to EU-based Organisations?
GDPR applies to any and all businesses and organisations which are responsible for handling personal data in the European Union (and the UK) as well as any organisation using data that was collected within participating states.
This means that if an organisation based in, for example, Singapore collects data from users based in France, that data must be treated to the same standard of protection as it would be by an organisation based in Germany.
In addition, GDPR also applies to organisations outside of the EU that offer goods or services to individuals in the EU.
What About Transferring Data Out of the EU?
The transfer of personal data is also regulated: originally covered by the 8th principle of the UK’s Data Protection Act 1998, it is now one of the seven principles of the DPA 2018 and the GDPR.
As detailed in Chapter 5 of the GDPR, personal information collected on EU citizens (or anyone inside the EU) should only be transferred outside the region where the state receiving the data is compliant with the principles and practices of the GDPR to a level deemed sufficient.
Although designed to give the fullest possible protection to personal data within the EU, the General Data Protection Regulation does allow such data to be transferred outside of the EU, provided that the personal data is properly pseudonymised, meaning it can no longer be used to identify any individual and thus no longer meets the definition of ‘personal data’.
Who is Responsible for Enforcement of the GDPR?
Just as the GDPR was implemented through each nation state’s own law, each participating country also has its own authority responsible for enforcement.
For example, the Data Protection Authority (DPA) in Cyprus is the Commissioner for Personal Data Protection, in Hungary it is the Hungarian National Authority for Data Protection and Freedom of Information, and in the UK it is the Information Commissioner’s Office (ICO).
As an independent body, the ICO’s role includes not only promoting the openness of public bodies and upholding information rights, but also upholding the data privacy rights of individuals.
As such, the Information Commissioner’s Office now has the ability to hand out larger fines than ever before to those found to be non-compliant with data protection standards.
What Kind of Fines are Possible Under GDPR?
In the case of the United Kingdom, the maximum possible fine under the Data Protection Act 1998 was a relatively small sum of £500,000. Since 2018, however, the same authority (the ICO) can hand out fines of up to 20 million Euros, or 4% of global annual turnover for the previous year (whichever is greater).