And Other Data Protection Questions
What is GDPR?
The General Data Protection Regulation is a piece of legislation that became enforceable in 2018 following several years of planning and development. It is European-wide and applied to all 28 European Union countries at the time of it becoming enforceable.
As with other European countries, the UK adopted the GDPR in the form of its own law (with minor changes), with the Data Protection Act (DPA) 2018 replacing the previous DPA 1998.
With the objective of addressing several decades of technological progress and the many changes in the way data was being used by the late 2010s, the General Data Protection Regulation places greater obligations and responsibilities upon organisations handling personal data.
Who Does GDPR Apply To?
To answer the question of who the GDPR applies to, we must first understand what it applies to.
The GDPR applies to ‘personal data’. This is technically defined as any information relating to an identifiable person, meaning someone who can be “directly or indirectly identified in particular by reference to an identifier”.
Many types of information can constitute ‘personal data’, from a person’s home address to their internet browsing history. If your organisation is collecting, processing or handling personal data, it is vital that the principles and controls of the General Data Protection Regulation are adhered to.
Does the GDPR Only Apply to EU-based Organisations?
The GDPR applies to any and all businesses and organisations responsible for handling personal data in the European Union (and the UK), as well as any organisation using data that was collected within participating states.
This means that if an organisation based in, for example, Singapore collects data from users based in France, that data must be treated with the same standards of protection as would apply to an organisation based in Germany.
In addition, the GDPR also applies to organisations outside of the EU that offer goods or services to individuals in the EU.
What About Transferring Data Out of the EU?
The transfer of personal data is also regulated. It was originally covered by the 8th principle of the UK’s Data Protection Act 1998, and is now included as one of the seven principles of the DPA 2018 and the GDPR.
As detailed in Chapter 5 of the GDPR, any personal information collected on EU citizens (or anyone inside the EU) should only be transferred outside of this region on the basis that the state receiving the data is compliant with the principles and practices of the GDPR to a level deemed sufficient.
Although it is designed to give the fullest possible protection to personal data within the EU, the General Data Protection Regulation does provide the ability to transfer such data outside of the EU, provided that the personal data is properly pseudonymised, meaning it can no longer be used to identify any individual and thus no longer meets the definition of ‘personal data’.
Who is Responsible for Enforcement of the GDPR?
Just as the GDPR was implemented separately by each nation state, each participating country also has its own authority responsible for enforcement.
For example, the Data Protection Authority (DPA) in Cyprus is the Commissioner for Personal Data Protection, in Hungary it is the Hungarian National Authority for Data Protection and Freedom of Information, and in the UK it is the Information Commissioner’s Office (ICO).
Standing as an independent body, the ICO’s role includes not only promoting the openness of public bodies and upholding information rights, but also upholding the data privacy rights of individuals.
As such, the Information Commissioner’s Office is now able to issue larger fines than ever before to those found to be non-compliant with data protection standards.
What Kind of Fines are Possible Under GDPR?
In the case of the United Kingdom, the maximum possible fine under the Data Protection Act 1998 was a relatively small sum of £500,000. Since 2018, however, the same authority (the ICO) can issue fines of up to 20 million euros, or 4% of global annual turnover for the previous year (whichever is greater).
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.