GDPR is wide-ranging and actively enforced in both the EU and the UK. It applies to almost all businesses and organisations that operate in, or do business with, the EU and the UK.
All personal data (information about a particular living individual) and its processing (collecting, recording, storing, using, analyzing, combining, disclosing, transmitting, deleting) is subject to GDPR legislation.
GDPR encompasses the following aspects:
Territorial scope: The GDPR applies to the processing of personal data of individuals within the European Union, regardless of whether the processing occurs within the EU or outside its borders. It also applies to the processing of personal data by organizations located outside the EU if they offer goods or services to EU residents or monitor their behavior.
Personal data: The GDPR defines personal data as any information relating to an identified or identifiable individual. It covers a broad range of data, including names, identification numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
Data controllers and processors: The GDPR distinguishes between data controllers and data processors. A data controller determines the purposes and means of processing personal data, while a data processor processes personal data on behalf of the data controller. Both controllers and processors have specific responsibilities and obligations under the GDPR.
Principles of lawful processing: The GDPR sets out a number of fundamental principles for lawful processing of personal data. These principles include fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
Data subject rights: The GDPR grants individuals (data subjects) certain rights over their personal data. These rights include the right to be informed, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling.
Lawful basis for processing: The GDPR requires that personal data be processed on a lawful basis. It provides several lawful bases for processing, including the data subject's consent, the necessity of processing for the performance of a contract, compliance with legal obligations, protection of vital interests, performance of a task carried out in the public interest or in the exercise of official authority, and legitimate interests pursued by the data controller or a third party.
Data protection impact assessments (DPIAs): The GDPR introduces the requirement for conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities. DPIAs help identify and minimize risks to individuals' privacy and assist organizations in ensuring compliance with the GDPR.
Data breach notification: The GDPR mandates organizations to notify the relevant supervisory authority without undue delay (within 72 hours) in the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. Data subjects must also be informed of such breaches when there is a high risk to their rights and freedoms.
Supervisory authorities and penalties: The GDPR establishes independent supervisory authorities in each EU member state responsible for enforcing the regulation. These authorities have investigative and corrective powers and can impose fines and penalties for non-compliance. The GDPR allows for significant penalties, with fines of up to €20 million or 4% of the annual global turnover, whichever is higher, for the most serious infringements.
Enforcement: Since GDPR became law in 2018, enforcement has led to significant fines. Recently, these have included Amazon (€746M/$877M in 2021), WhatsApp (€225M/$255M in 2021), Google Ireland (€90M/$102M in 2022), and Facebook (€60M/$68M in 2022). Fines relating to data breaches that included the potential exposure of personal and payment information have included Ticketmaster (£1.25M in 2020), British Airways (£20M in 2020), and Marriott International (£18.4M in 2020).
The GDPR has far-reaching implications for organizations processing personal data, including requirements for privacy notices, data protection officers (DPOs) in certain cases, cross-border data transfers, and contractual agreements with data processors. Compliance with the GDPR is crucial to protect individuals' privacy rights and avoid potential legal and financial consequences.
For further information, see ico.org.uk, gdpr.eu and enforcementtracker.com.