After years of preparation, Europe's reformed data protection legal framework came into force on May 25, 2018. The mutually agreed General Data Protection Regulation (GDPR) has now been in place for around two years and has modernised the laws that protect the personal information of individuals.
GDPR replaced previous data protection rules across Europe that were almost two decades old, some of which were first drafted in the 1990s. Since then, our data-heavy lifestyles have emerged, with people routinely sharing their personal information freely online.
The EU stated that the GDPR was designed to "harmonise" data privacy laws across all of its members, as well as providing greater protection and rights to individuals. The GDPR was also created to alter how businesses and other organisations can handle the information of the people who interact with them. Under the regulation, whoever breaches this set of rules is liable to large fines and reputational damage.
The regulation has introduced big changes that were built on previous data protection principles. As a result, it has led many people in the data protection world, including UK information commissioner Elizabeth Denham, to liken GDPR to evolution, rather than a complete overhaul of rights. For businesses that were already complying with pre-GDPR rules the regulation should have been a "step change", Denham said.
Despite a pre-GDPR transition period, which gave businesses and organisations time to change their policies, there has still been plenty of confusion around the rules. Here's our guide to what GDPR really means.
What is GDPR exactly?
GDPR can be considered the world's strongest set of data protection rules. It strengthens people's rights to access information held about them and sets limits on how any organisation or person may process and handle personal data. The full text of GDPR is an unwieldy beast, containing 99 individual articles.
The regulation exists as a framework for laws across the continent and replaced the previous 1995 data protection directive. The GDPR's final form came after more than four years of discussion and negotiations. It was adopted by both the European Parliament and European Council in April 2016. The underpinning regulation and directive were published at the end of that month.
GDPR came into force on May 25, 2018. Countries within Europe were given the ability to make their own minor changes to suit their own needs. Within the UK, this flexibility led to the creation of the Data Protection Act (2018), which superseded the previous 1998 Data Protection Act.
The strength of GDPR has seen it lauded as a progressive approach to how people's personal data should be handled and comparisons have been made with the subsequent California Consumer Privacy Act.
GDPR breaches and fines
One of the biggest, and most talked about, elements of the GDPR has been the ability of regulators to impose penalties on businesses that don't comply with the rules. So if an organisation doesn't process an individual's data in the correct way, doesn't have a data protection officer, or suffers a security breach, it faces a fine.
In the UK, these monetary penalties are decided by the Information Commissioner's Office (ICO), and any money recovered goes to the Treasury. The GDPR provisions state that minor offences are liable to a fine of up to €10 million or two percent of a firm's global turnover, whichever is greater. More serious breaches attract fines of up to €20 million or four percent of a firm's global turnover, whichever is greater. Under the previous data protection regime, the ICO could only issue fines of up to £500,000.
Before GDPR was implemented there was much speculation that data protection regulators would hit offending companies with huge fines. In practice, this hasn't happened.
One of the biggest fines under GDPR to date has been against Google: the French data protection regulator, the National Data Protection Commission (CNIL), fined the company €50 million (£43m). CNIL said the fine was issued for two main reasons: Google not providing enough information to users about how it uses the data that it gets from 20 different services and also not getting proper consent for processing user data.
There have also been fines against La Liga, whose app spied on the people who downloaded it, penalties imposed on Bulgaria's DSK Bank for accidentally disclosing customer details, and fines against schools that tracked pupils.
However, the biggest fines could come from the UK. The ICO has issued a "notice of intent" to both British Airways and Marriott Hotels for breaching GDPR. The proposed fines were £183m for BA and £99m for Marriott. However, as both of these are notices of intent rather than official fines, nothing has yet been paid by either company. In fact, both firms are challenging the ICO's notices.