What is GDPR?
GDPR is the EU’s framework for Data Protection laws.
Introduced in May 2018, the General Data Protection Regulation (GDPR) applies to companies and data within all EU member states with two main goals:
- To give people more visibility and control over how companies use their personal data, with the potential for hefty fines for any businesses who aren’t compliant
- To standardise Data Protection legislation across the EU nations, levelling the legal playing field for all businesses operating within the single market
Prior to GDPR, Data Protection law in Europe was based upon Data Protection directives drawn up in 1995. Since then with the rapid evolution of the internet and a more digital-centric world, data became an extremely valuable commodity- a commodity that many businesses were able to exploit, as personal data effectively became a form of payment to access services such as Google and Facebook.
Through regulations aimed specifically at making data collection and usage more transparent, and restrictions on how long personal data can be kept and who can access it, GDPR attempts to give people back more control over their data and promote more trust in the digital world.
The specifics around the GDPR rules can be complex, but the emphasis is firmly on the business that owns and uses the data (a data controller, in GDPR terms) to make sure that it is handled correctly and the rules are followed.
If a business uses a third party to handle or use the data, such as outsourcing payroll or marketing for example, the third party (a data processor) must keep complete records or how the data was processed but it is still the data controller who is liable for making sure the data processor is abiding by the rules.
In all cases GDPR pertains to EU data, and not just businesses within the EU. This means that even if a data controller or processor is outside of the EU, if they are dealing with EU residents’ data then they are still subject to GDPR laws, and must comply or risk facing severe penalties.