GDPR Applications

And Other Data Protection Questions

The General Data Protection Regulation is a piece of legislation that became enforceable in 2018 following several years of planning and development. It is European-wide and applied to all 28 European Union countries at the time of it becoming enforceable.

As with other European countries, the UK adopted the GDPR in the form of its own law (with minor changes), with the Data Protection Act (DPA) 2018 replacing the previous DPA 1998.

With the objective of addressing several decades of technological progress and many changes to the way in which data was being used by the late 2010’s, the General Data Protection Regulation places greater obligations and responsibilities upon organisation handling personal data.

To answer the question: who does GDPR apply to? we must first understand what it applies to.

The GDPR applies to ‘personal data’. Technically defined as any information related to an identifiable person who can be “directly or indirectly identified in particular by reference to an identifier”.

Many types of information can constitute ‘personal data’, from a person’s home address to internet browsing history. It is vital that if your organisation is collecting, processing or handling personal data, that the principles and controls of the General Data Protection Regulation are adhered to.

Start trial icon

Ready to start your journey to becoming compliant?

We can help you - let's have a chat.

Book a Meeting

GDPR applies to any and all businesses and organisations which are responsible for handling personal data in the European Union (and the UK) as well as any organisation using data that was collected within participating states.

Meaning, should an organisation based in, for example Singapore, collect data from users based in France, that data should be treated with the same standards of protection as an organisation based in Germany.

As well as this, GDPR also applies to organisation outside of the EU that offer goods or service to individuals in the EU.

What About Transferring Data Out of the EU?

Originally included in the 8^th principle of the UK’s Data Protection Act 1998, but now included as one of the seven principles of the DPA 2018 and the GDPR, the transfer of personal data is also regulated.

Detailed in the 5^th chapter of the GDPR, any personal information collected on EU citizens (or anyone inside the EU), should only be transferred outside of this region on the basis that the state receiving the data is compliant with the principles and practices of GDPR to a level deemed sufficient.

Designed to give the fullest protection possible to personal data within the EU etc., the General Data Protection Act does provide the ability to transfer said data outside of the EU, providing that the personal data is properly pseudonymised; meaning it can no longer be used to identify any individual, and thus no longer meets the definition of ‘personal data’.

As with the way in which the GDPR was implemented in nation states, participating countries also have their own authorities who are responsible for enforcement.

For example, the Data Protection Authority (DPA) in Cyprus is the Commissioner for Personal Data Protection, in Hungary it is the Hungarian National Authority for Data Protection and Freedom of Information, and in the UK it is the Information Commissioner’s Office (ICO).

Standing as an independent body, the ICO’s role includes not only promoting the openness of public bodies and upholding information rights, but also upholding the data privacy rights of individuals.

As such, the Information Commissioner’s Office has the ability to hand out bigger than ever fines for those found to be non-compliant with data protection standards.

In the case of the United Kingdom, the maximum possible fine under the Data Protection Act 1998 was a relatively small sum of £500,000. Though since 2018, the same authority (the ICO) is now capable of handing out fines equal to 20 million Euros, or 4% of global annual turnover from the previous year (whichever is bigger).

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.

Free Trial Book a Meeting

Featured

Do AI Chatbots like ChatGPT Pose a Cybersecurity Risk?

Does ChatGPT Pose a Cybersecurity Risk

In this blog post, we explore whether AI chatbots like ChatGPT pose a cybersecurity risk. We delve into the potential vulnerabilities and threats posed by chatbots, and discuss measures that can be taken to mitigate these risks. Read on to discover how you can ensure the security of your organisation's chatbot interactions.