The General Data Protection Regulation (GDPR) is a data protection and privacy regulation that came into force in the European Union (EU) in 2018.
Its main purpose was to replace the Data Protection Directive 95/46/EC with a more consistent and rigorous framework for data protection and privacy across the EU. In a nutshell, it governs how organisations (businesses included) are permitted to use, process, and store personal data and an individual’s identifiable information.
GDPR is one of the most important parts of EU privacy and human rights law, and is arguably the toughest regulation of its kind in the world. That’s why it’s so important to understand if and how GDPR applies to your business, because if you’re liable and fail to comply, there can be pretty serious consequences.
Who does GDPR apply to?
GDPR applies to all EU member states and any company or organisation, regardless of its location, which processes the personal data of EU residents.
For instance, if a business based in Tokyo collects personal data from individuals in Spain, that data must be given the same level of protection as if it had been collected by a business based in France.
Personal data includes anything from somebody’s name and address to their internet browsing history and mobile phone location information. Specifically, GDPR rules apply to:
- Data controllers: Those who determine how and why personal data is processed. This includes businesses, government bodies, and non-profit organisations.
- Data processors: Those who process personal data on behalf of data controllers. Common examples include cloud service providers, data analytics firms, and other third-party service providers.
Data controllers and data processors must work closely together on data privacy and protection protocols, each with their own specific responsibilities. Those liable are required to build data protection into the design and implementation of their systems, products, and services.
As a business owner, this means you need to take stringent and official measures to protect the privacy, identifiable information, and human rights of your customers, by law.
Does GDPR still apply to UK businesses after Brexit?
Yes, UK businesses still need to comply with GDPR. Although the regulation originally took effect in the EU, it applied to businesses based in the UK before Brexit and continues to apply after it, in the form known as UK GDPR. The difference is that, having left the EU, the UK can now review and amend that framework independently.
“The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review”. (Source: UK supervisory authority, ICO.)
Controllers and processors based outside the UK are also required to comply with UK GDPR if their operations relate to:
- Offering goods or services to UK-based individuals
- Monitoring the behaviour of UK-based individuals
EU GDPR still applies to the processing of UK controllers who:
- Have establishment in the European Economic Area (EEA)
- Have customers in the EEA
- Monitor individuals in the EEA
However, how these UK-based controllers now interact with European data protection authorities has changed post-Brexit.
How to comply with GDPR rules
GDPR is all about ensuring complete transparency and accountability in your data processing activities – but how? Here’s what you need to do:
- Put strict processes in place that enable businesses and individuals sharing their information to give clear and unambiguous consent for their data to be collected and processed by you.
- Allow users to manage their own data and facilitate them accessing, amending, and erasing their personal information.
- Conduct Data Protection Impact Assessments (DPIAs) when it comes to processing high-risk data or highly classified information.
- Appoint a Data Protection Officer (DPO) to oversee and manage your data protection processes to ensure ongoing compliance. This isn’t mandatory for all businesses but having a dedicated DPO will help you stay on top of the latest updates and legal requirements and react to them promptly.
- Report any data breaches to the necessary authorities and affected individuals within a specified time frame.
- Make sure any technology you’re using meets regulatory compliance standards.
- Ensure all staff collecting, processing, or handling personal data are trained and up to speed with your internal processes and wider GDPR regulations.
If your business is collecting, processing, or handling personal data and identifiable information, and you meet the GDPR qualifying criteria, it’s crucial that you comply with set regulations. Failure to comply can lead to hefty financial penalties and serious legal consequences.
GDPR-related fines come in two major brackets – higher or lower – depending on the severity of the non-compliance.
| | Breaches under UK GDPR | Breaches under EU GDPR |
|---|---|---|
| Lower level | Fines of up to £8.7 million or 2% of annual global turnover, whichever is higher | Fines of up to €10 million or 2% of annual global turnover, whichever is higher |
| Higher level | Fines of up to £17.5 million or 4% of annual global turnover, whichever is higher | Fines of up to €20 million or 4% of annual global turnover, whichever is higher |
Fines aren’t always the first consequence for infringements of GDPR law. Supervisory bodies like the ICO can also take other courses of action, such as:
- Official warnings
- Temporary or permanent bans on data processing activities
- Ordering the rectification, restriction, or complete erasure of personal data
- Imposing data transfer suspensions to third countries
So, to protect your cash flow from big hits and to ensure your business can run its operations without disruption, make sure your data protection processes stay watertight.