General Data Protection Regulation: What you need to know

The General Data Protection Regulation (GDPR) is the European Union’s new data privacy law that replaces the 1995 Data Protection Directive. It was approved in April 2016 and will be enforced across Europe on May 25, 2018. 

The GDPR aims to protect the personal data of all EU citizens. The EU wants to ensure that people’s data are protected and respected no matter where they live or which company holds their information. Essentially, it regulates companies’ use of personal data across the Union.

It is a regulation that takes the interests of consumers and data subjects into account. 

It also provides a framework for regulating other businesses that process personal data, such as your credit card company or online travel agency.

In short, the GDPR is a comprehensive reform of data privacy laws throughout Europe. Companies that fail to adhere to it risk heavy fines and penalties. 

Companies will still be able to collect and use personal information for certain purposes, such as financial services or research, but they will have to obtain consent from consumers to do so, explain why they do so, and provide additional transparency to the public through an annual report on their compliance with this requirement.


Who does the GDPR apply to?

The GDPR will apply to all companies operating in the EU. It will replace the Data Protection Directive (95/46/EC) and all national laws based on it, including the UK’s Data Protection Act 1998. The GDPR also applies to organizations located outside of the EU if they collect, process or store personal data of EU residents. 

The goal is to give all Europeans equal protection under this law, regardless of their country of residence. When companies collect personal data from an individual in an EU member state, that company becomes responsible for that data under this law.

The GDPR is not a new regulation that will be applied to companies that already collect or process EU citizens’ data. It does not establish new rights for individuals, such as the right to delete personal information from companies’ systems. 

It sets out clear rules and penalties for companies that knowingly fail to comply with the law. There is already a web portal, the data protection register, where organizations can register themselves and where individuals can complain about their data being mishandled by organizations.

Who must comply?

All companies that store or process the personal data of data subjects in the EU, whether companies, organizations, or even individuals, are subject to the GDPR. It is not just small businesses that are affected. Companies with fewer than 250 employees are also bound by this regulation. 

If you collect, process, or even merely use personal data of EU citizens in your organization, then you need to be aware of what the GDPR says about your obligations.

This regulation does not apply to any organization that is not located in an EU member state (or for which no business activity takes place in any EU member state). This means that companies based in certain countries, including China and the United States, will not be subject to the GDPR.

Data Protection Units

The European Commission is establishing a special body inside each of the EU member states called a Data Protection Office (DPO). These DPOs will work together with national regulators and law enforcement agencies to ensure compliance with the GDPR’s requirements. 

This cooperation between various government authorities will allow for easier investigation and prosecution of cases where individuals report violations of their rights. 

Already, 46 countries have signed up to this program. Every EU member state has at least one DPO, although some have more than others. The United Kingdom has appointed the Information Commissioner’s Office as its DPO.

Processing and Data Retention

The GDPR requires businesses to process data in a lawful, fair, and transparent manner. It states that any personal data collected by a business will be processed lawfully, fairly, and in a transparent manner in relation to individuals. Businesses must limit the collection of personal data to only what is necessary for clear and legitimate purposes that do not override the interests or freedoms of the individual. 

The regulation specifically states that businesses cannot collect personal data unless it is necessary for its legitimate interests, even if an individual agrees, unless it is explicitly permitted by European law or under rules established by law.

Companies must have a legitimate interest in collecting personal data. If this is not the case, the data should be deleted or anonymized before it is collected.

If businesses fail to adhere to these rules, they will be fined between 4% and 20% of their annual revenues. This fine increases if processing operations are carried out by (or on behalf of) an individual whose personal data was not processed in accordance with the GDPR. 

There are also other penalties that can apply, including orders for businesses to immediately cease any breach of the GDPR’s requirements, fines for repeated infringements, and orders for compensation to individuals who suffered harm as a result (e.g., loss of employment or ability to travel).
