The GDPR in Context

The General Data Protection Regulation, or GDPR, is a European Union regulation coming into force from 25 May 2018 that governs the use of personal data belonging to EU citizens.

Any person whose data is being processed is known as a “data subject”. This means that, depending on your organisation, a data subject may be a customer, an employee, a supplier, a client or even a passer-by. If you are collecting or using data on someone, and you can identify them and relate that data back to them, then they are a data subject and are protected by the GDPR.

As a general rule, if you process any information that can be linked to an identifiable person then you are inside the scope of the regulation. Processing can mean any activity that involves personal data, such as collecting, storing, sharing, updating or deleting the data.

The regulations apply both to processing carried out in the EU and to organisations based outside the EU that process the data of EU citizens.

After 25 May, existing Data Protection laws are superseded by the new regulations. In the UK this means that the Data Protection Act is superseded by a combination of the GDPR and the UK Data Bill, which supports the implementation of the GDPR.

Organisations need to be ready to follow the new regulations or face the possibility of investigation, and possibly fines, from their jurisdiction’s regulator. In the UK the regulator is the Information Commissioner's Office (the ICO). You may think an investigation is unlikely, but it only takes one unhappy customer to make a complaint and bring the spotlight onto you.

One of the key areas that has attracted a lot of publicity is the scale of the fines that regulators can levy against organisations that are found to be in breach of the regulations.

Fines under the GDPR can reach as high as 20 million euros or up to 4% of your global turnover, whichever is greater. This provision is designed to prevent large global corporations, perhaps internet giants, from shrugging off a monetary sum that would barely dent their profits.

Guidance issued by the GDPR working party has attempted to establish the principles on which national regulators should act when the regulations have been breached. The guidance is clear that the nature of the breach and the circumstances must be taken into account. In practice, this means that flagrant disregard of the regulations will attract higher levels of corrective action than minor data protection issues or good intentions with poor execution. Regulators have a range of options, from reprimanding offending organisations through to issuing fines and public censure. It is also clear that, because regulatory regimes are compared against one another, organisations will face similar treatment across the EU.

In reality the regulatory landscape is going to evolve as the GDPR is implemented and precedents are set.

If you found this useful, our "GDPR - The Basic Facts" course is just the thing to develop your understanding further...
