Frequently Asked Questions
What is GDPR and why was the GDPR drafted??
The EU’s General Data Protection Regulation (GDPR) is an attempt to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
Currently, the UK relies on the Data Protection Act 1998, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
The drivers behind the GDPR are twofold. Firstly, the EU wants to give people more control over how their personal data is used. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
When will the GDPR apply?
The GDPR will apply in all EU member states from 25th May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation – instead, it will apply automatically. While it came into force on 24 May 2016, after all parts of the EU agreed to the final text, businesses and organisations have until 25 May 2018 until the law actually applies to them.
Who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU citizens.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act, with potential fines being far greater.