And Other Data Protection Questions

What is GDPR?

The General Data Protection Regulation is a piece of legislation that became enforceable in 2018 following several years of planning and development. It is European-wide and applied to all 28 European Union countries at the time of it becoming enforceable.

As with other European countries, the UK adopted the GDPR in the form of its own law (with minor changes), with the Data Protection Act (DPA) 2018 replacing the previous DPA 1998.

With the objective of addressing several decades of technological progress and many changes to the way in which data was being used by the late 2010’s, the General Data Protection Regulation places greater obligations and responsibilities upon organisation handling personal data.

Who Does GDPR Apply To?

To answer the question: who does GDPR apply to? we must first understand what it applies to.

The GDPR applies to ‘personal data’. Technically defined as any information related to an identifiable person who can be “directly or indirectly identified in particular by reference to an identifier”.

Many types of information can constitute ‘personal data’, from a person’s home address to internet browsing history. It is vital that if your organisation is collecting, processing or handling personal data, that the principles and controls of the General Data Protection Regulation are adhered to.

Does the GDPR Only Apply to EU-based Organisation?

GDPR applies to any and all businesses and organisations which are responsible for handling personal data in the European Union (and the UK) as well as any organisation using data that was collected within participating states.

Meaning, should an organisation based in, for example Singapore, collect data from users based in France, that data should be treated with the same standards of protection as an organisation based in Germany.

As well as this, GDPR also applies to organisation outside of the EU that offer goods or service to individuals in the EU.

What About Transferring Data Out of the EU?

Originally included in the 8th principle of the UK’s Data Protection Act 1998, but now included as one of the seven principles of the DPA 2018 and the GDPR, the transfer of personal data is also regulated.

Detailed in the 5th chapter of the GDPR, any personal information collected on EU citizens (or anyone inside the EU), should only be transferred outside of this region on the basis that the state receiving the data is compliant with the principles and practices of GDPR to a level deemed sufficient.

Designed to give the fullest protection possible to personal data within the EU etc., the General Data Protection Act does provide the ability to transfer said data outside of the EU, providing that the personal data is properly pseudonymised; meaning it can no longer be used to identify any individual, and thus no longer meets the definition of ‘personal data’.

Who is Responsible for Enforcement of the GDPR?

As with the way in which the GDPR was implemented in nation states, participating countries also have their own authorities who are responsible for enforcement.

For example, the Data Protection Authority (DPA) in Cyprus is the Commissioner for Personal Data Protection, in Hungary it is the Hungarian National Authority for Data Protection and Freedom of Information, and in the UK it is the Information Commissioner’s Office (ICO).

Standing as an independent body, the ICO’s role includes not only promoting the openness of public bodies and upholding information rights, but also upholding the data privacy rights of individuals.

As such, the Information Commissioner’s Office has the ability to hand out bigger than ever fines for those found to be non-compliant with data protection standards.

What Kind of Fines are Possible Under GDPR?

In the case of the United Kingdom, the maximum possible fine under the Data Protection Act 1998 was a relatively small sum of £500,000. Though since 2018, the same authority (the ICO) is now capable of handing out fines equal to 20 million Euros, or 4% of global annual turnover from the previous year (whichever is bigger).