What is GDPR? Everything you need to know

GDPR: What's new

GDPR - latest statistics

- Less than two thirds (59 per cent) of UK businesses are aware of the implications GDPR will have on their organisation. Roughly three quarters (73 per cent) felt prepared to meet the obligations when it comes to documents and print management (Kyocera, 29/06)

- Just six per cent of UK businesses have prioritised GDPR, compared to 30 per cent in France and 25 per cent in Benelux (Sophos, 15/06)

- 20 per cent of EU businesses admit they haven't started preparing for GDPR yet. More than half (52 per cent) of EU businesses don’t know what the impact of GDPR on their organisation will be (IDC, 10/05)

19/07 - FEATURE: Aaron P. Simpson & Adam Smith/Hunton and Williams - The UK’s commitment to the GDPR - Here are four key areas that organisations should consider when establishing their compliance programmes in preparation for GDPR...

19/07 - FEATURE: Eddie Ginja/KYOCERA Document Solutions  - Are printers your biggest GDPR blind spot? - Since it was first proposed in 2012, the EU’s GDPR has been in and out of the headlines. But now, with under a year until it becomes a reality, for organisations of any size, the countdown really is on - and you can’t opt out, ignore it or claim ignorance...

12/07 - FEATURE:  Ravi Pather/eperi GmbH - Reducing scope of GDPR is one way to avoid fines -  Organisations must not forget that if they first and foremost secure the data that goes into the cloud through encryption or tokenisation and remain in control of the encryption keys, the scope of GDPR can be significantly reduced...

10/07 - FEATURE:  Christopher Glynn/ECS - Countdown to GDPR: Seven steps to compliance -  A staggering 25 per cent of businesses are purportedly still not aware of the EU GDPR, but here are seven steps to start your compliance journey today...

10/07 - NEWS: As time ticks away, GDPR awareness stands still - Businesses all over the world still don't know how they'll be affected by GDPR, a new report has found...

10/07 - FEATURE: David Trossell/Bridgeworks -  GDPR: Protect your data, recover more quickly - You don’t necessarily have to go out to buy new network, storage and IT infrastructure generally to achieve compliance with GDPR...

07/07 - FEATURE: Richard Lack/Gigya - When does no actually mean no? Analysing consent under GDPR - Under GDPR, consumers will be empowered to say “no” when targeted with irrelevant marketing material. And more importantly, businesses will have to listen...

07/07 - FEATURE: Mark Sangster/eSentire - The GDPR is coming: Are you prepared? -  GDPR is a sweeping new EU privacy regulation that has extensive implications for U.S. firms too. Here’s how to prepare for it…  

05/07 - FEATURE: Thomas Fischer/Digital Guardian - Breaking down the GDPR into a three-step path to compliance - With less than a year to go until the GDPR deadline, businesses struggling with the new legislation can get ahead by adopting a more consistent approach to compliance...

29/06 - NEWS: UK's public sector 'not ready' for GDPR - new findings claim less than two thirds (59 per cent) are aware of the implications GDPR will have on their organisation....

23/06 - NEWS: IBM launches data management tools to help you get ready for GDPR - new services and tools will make it easier for organisations to comply with GDPR before next year's deadline...

23/06 - NEWS: EU's new privacy rules should be in line with GDPR, telcos warn - upcoming EU rules governing how businesses use data could slow down innovation and growth in the industry...

22/06 - FEATURE: Charlie Mayes/DAV Development - Acting on data protection - New legislation such as GDPR can be extremely daunting, but there is good reason why we must ensure that we comply.

16/06 - FEATURE: Brian Rutledge/Spanning - The global impact of GDPR: Prepare now, avoid potential litigation & fines later - GDPR impact on business is proving to be one of the most talked about global regulations to-date, related to data governance and data privacy...

15/06 - FEATURE: John Morrell, Datameer - Governing big data analytics for GDPR compliance - GDPR changes the way entire organisations interact with personal data, and thus big data analytics. But more than that, it offers an opportunity for enterprises to change the way they approach governance capabilities…

What is GDPR?

The General Data Protection Regulation, or GDPR, is one of the most important pieces of legislation ever passed for IT departments.

Approved by the European Union in April 2016 and set to come into force in the UK on May 25th, 2018, GDPR is hugely significant for businesses of all sizes as it will greatly affect how they gather, store, and look after their data.

The key tenets of GDPR concern the privacy rights of everyday users and the data they create online, and look to bring together several existing laws and regulations to harmonise rulings across the European Union. 

Under GDPR, companies will also have to be more up front when collecting the personal data of customers - meaning consent will need to be explicitly given, as well as the gatherers needing to detail the exact purpose that this data will be used for.

This personal data will also need to be encrypted by default as part of a process known as pseudonymisation, meaning that it cannot be linked to a specific person without being accompanied by extra information.

Personal data applies to a wide range of information - effectively anything that could be used to directly or indirectly identify a person online. This could include names, email addresses, images, bank details, posts on social networking websites, medical information, or even a computer IP address.

Users will also have the right to know exactly what details a company or organisation holds about them, and also request that any of this information be deleted if they feel their rights to privacy are being infringed as part of the new “right to erasure”.

Companies that suffer data breaches, whether accidental or as part of a cyber-attack, will need to disclose this event to the relevant authority within 72 hours of it happening - although there is no requirement to notify users unless instructed.

Any organisation found to not be conforming to the new regulation after the May 25th deadline could face heavy fines, equivalent to four per cent of annual global turnover, or €20 million - whichever is greater.


What does GDPR stand for?

GDPR stands for General Data Protection Regulation, also officially known as EU Regulation 2016/679.

Does GDPR replace the DPA?

Yes, GDPR will replace the UK's existing Data Protection Act, which was first drawn up in 1984.

GDPR is also designed to replace the Data Protection Directive, which initially came into force in 1995, as the EU looks to bring together different regulations and legislation across the continent.

When will GDPR come into force?

GDPR will become enforceable from 25 May 2018, following a two-year transition period.

Being a regulation rather than a directive, GDPR doesn’t require enabling laws to be passed by member states. 

Why is GDPR important?

GDPR is the largest and most comprehensive piece of data regulation ever passed by the European Union, and as mentioned, seeks to unify several pre-existing pieces of legislation.

Because data protection concerns stretch across national boundaries, the introduction of GDPR seeks not just to regulate data within the EU. It seeks to extend EU data protection law to any organisation holding information on EU citizens, even if that organisation is based outside the EU.

For businesses, GDPR means keeping a much tighter rein on the data they possess, and should also improve security awareness and protection levels for many. It also affects how companies collect and hold data on individuals such as customers, and governs the export of personal data beyond the EU’s boundaries.

For consumers, GDPR gives them much more clearly defined privacy protection when online. Companies will now have to give explicit notice when asking for personal information, and explain what they use these details for. Under GDPR, consumers also get a "right to erasure", which is a step up from the current "right to be forgotten", meaning they can apply to have information about them published online removed.

Who does GDPR apply to? Is my business affected by GDPR?

Short answer - yes. If you are a business that deals with online data in any way, you will need to comply with GDPR before next year’s deadline.

As mentioned before, if you fail to bring your organisation up to speed before May 25th, 2018, the EU rules state that you can be fined up to four per cent of annual global turnover, or €20 million - whichever is greater.

Businesses will need to be able to demonstrate that they comply with the principles. To do this they’ll need to have documentation in place that shows how they’re processing data; they may also need to appoint a data protection officer.

Will GDPR apply after Brexit?

The UK’s decision to leave the European Union has thrown GDPR regulation into doubt, as a so-called Brexit would mean the country is no longer part of the EU, and so would not be covered by the ruling - unless it chooses to be.

The UK Government has indicated it will look to introduce legislation equivalent to GDPR following Brexit - although there has been no official confirmation on exactly what this will be just yet.

For the moment, the EU states that if you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR irrespective of whether or not the UK retains the GDPR post-Brexit.

If your business operations are solely contained to the UK, the position is less clear, as it will depend on what decision the UK government takes in the coming months.

If you are based outside of the European Union, your business could well still need to comply with GDPR. The EU states that the rules will apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Is GDPR retrospective?

No - the European Union adopted the two-year transition period in order to provide businesses with the time needed to ensure they are up to speed with GDPR.

GDPR Resources

- EU GDPR website - a central repository for everything you need to know about GDPR

- EU GDPR FAQs - answers to some of the most pressing GDPR questions

- ICO overview of GDPR - guidance for UK businesses on what GDPR is