Introduction to GDPR: A guide to the General Data Protection Regulation for new businesses and start-ups
In 2018, the GDPR became law in the UK. It is an EU regulation that gives individuals rights over how companies handle their personal data. In this introduction to GDPR, we explain what the GDPR is, who and what it applies to, and how you can get started with GDPR compliance.
The UK government intends to retain the GDPR in UK law after the UK leaves the European Union. SMEs are not exempt from the GDPR: if your business holds or processes personal data relating to an EU resident, you must meet its requirements.
This article is part of our Introduction to GDPR, which aims to help you understand the General Data Protection Regulation and your obligations under the law. However, while industry experts have put together our guide, it does not constitute legal advice. If you require definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA).
Introduction to GDPR: What is the GDPR?
The GDPR is Europe’s new framework for data protection and privacy legislation. It takes effect on 25 May 2018 across all EU member states, including the UK.
What data is subject to GDPR?
GDPR applies to personal data, including sensitive personal data.
- Sensitive personal data includes a citizen’s beliefs (religious or philosophical), ethnic or racial origin, genetic and biometric information, political views, health information, and sex life and sexual orientation. This type of data is classified as special category data.
- Personal data covers any information relating to a data subject, i.e. an identifiable person who can be identified, directly or indirectly, from that information. The GDPR doesn’t apply to companies or to the deceased.
Read more about the GDPR data protection principles.
The GDPR does not regulate anonymous data, where no EU-based individual can be identified directly or indirectly. View definitions under the GDPR.
Who does the GDPR apply to?
The GDPR applies to the personal data of individuals based in the EU and to the companies, company owners and businesses of all sizes, including sole traders, that store and process that data.
It also applies to companies based outside the European Union if they provide goods and services to EU residents, process or hold their data, or otherwise monitor their behaviour.
What is the GDPR replacing?
The DPA 1998 applied to the UK until 25 May 2018. Since then, the GDPR has taken effect in the UK and the other member states of the European Union. In addition, the new Data Protection Act 2018 came into effect in the UK on 25 May 2018.
Who will enforce the GDPR?
In the UK, the ICO is responsible for enforcing data protection law. The ICO has the authority to carry out investigations and issue fines, as well as to advise organisations on GDPR requirements and compliance.
Difference between the UK Data Protection Act and GDPR
The GDPR lets EU member states implement supplementary or different rules in some areas of data protection through national legislation. The UK government has made sure that the Data Protection Act 2018 replicates the majority of the GDPR as UK law, with some variances. Download an overview of the Data Protection Act (DPA) 2018 (PDF, 258K).
Difference between data controllers and data processors
The GDPR is applicable to both processors and controllers. It is imperative to understand whether you are a controller or a processor, as the responsibilities vary:
- Data processors – Hold and process the data on behalf of a data controller
- Data controllers – Determine how and why they process personal data
Depending on the circumstances, you can be both a data processor and controller simultaneously.
What does processing mean under the GDPR?
Processing refers to the handling of personal information, which includes:
- Keeping, recording, or obtaining data
- Altering or organising the data
- Consulting, retrieving, or using the data
- Disclosing the data to a third party (including publication)
- Destroying or erasing the data
Keeping and storing the data, either in hard copy or electronically, is classified as processing of personal data.
Data protection fee
In accordance with existing data protection regulation, and unless exempt, data controllers must pay a data protection fee to the ICO. Depending on their turnover, size and other factors, they fall into one of three fee tiers, which range from GBP 40 to GBP 2,900. Find out more about the data protection fees that are incurred.
Introduction to GDPR: Key changes
Main changes include:
- Personal data is more broadly defined – Potential identifiers are no longer limited to a person’s name, address and email address. Other personal information that may reveal a person’s identity, such as IP addresses, ID numbers and location data, is now also included in the definition of ‘personal data’.
- Higher requirements for lawful processing of personal data – Processing must fall in line with one or more of the six legal bases for processing personal data.
- Increased rights for individuals – These include the rights to access, rectify and erase data, to data portability, to restrict processing, to be informed, to object to processing and, finally, the right not to be subject to automated decision making and profiling. View data rights under the GDPR and how to deal with access requests.
- Mandatory requirement to notify breaches – You must report a personal data breach to the ICO if it is likely to result in a high risk to the rights and freedoms of EU residents. You must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. You may also be required to inform the individuals affected by the breach. Read more about reporting serious breaches of personal data.
- Supplier and processor liabilities – Data processors, as well as controllers, are now directly regulated by the GDPR and are required to comply with a number of specific responsibilities.
- Increased governance and accountability – Under the GDPR, organisations must demonstrate that they comply with the data protection principles by keeping records of their processing operations, conducting data privacy impact assessments, and incorporating data protection into their business operations by design.
- Requirement to appoint a Data Protection Officer (DPO) – Only applicable to organisations (and public authorities) that regularly process personal or sensitive data on a significant scale. See more here on how to appoint a data protection officer.
- Transferring data outside of Europe – Several more stringent rules have been introduced concerning the transfer of data. These are designed to ensure that due diligence is conducted and that contractual or other safeguarding measures are put in place by data processors and controllers. Read more about the transfer of personal data here.
- Greater scope – All organisations that process the personal data of EU residents, whether the organisation is located inside or outside the EU, are subject to the GDPR.
- Harsher penalties – Potential fines for non-compliance have been significantly increased. The regulator has the power to issue penalties of up to 4 per cent of global turnover or EUR 20M, whichever amount is higher. Read about GDPR fines and enforcement.
Businesses that already have a robust approach to data protection should find it straightforward to meet the new requirements.
Introduction to GDPR: How to achieve compliance
The first step towards compliance is to conduct a data audit. This will help you understand and detail the data you hold and process. Our data audit for GDPR can guide you through the process.
Following an audit, you will be in a position to review and improve your existing data protection practices to comply with the GDPR. Our GDPR checklist can be used to work through the steps required.
What does GDPR mean for your business?
Many of the new rules build on former data protection legislation, so the changes may not be radical. However, parts of the Regulation add extra rights for citizens of the European Union and significant new obligations for companies that process personal information.
This introduction to GDPR gives new businesses and start-ups a quick way to grasp the elements of the GDPR. It provides a broad overview of the new rules and their features, data rights, privacy notices, breach reporting obligations and penalties.