The General Data Protection Regulation (GDPR) is Europe's new framework for data protection laws. GDPR replaces the previous 1995 data protection directive, which current UK law is based upon.
It introduces tougher fines for non-compliance and breaches and gives us all more say over what companies can do with our data. On top of this, it also makes data protection rules more or less identical throughout the EU.
Why was GDPR drafted in the first place?
The new law has two aims. First, the EU wants to give people more control over how their personal data is used. This is down to the practices of companies like Facebook and Google, who often swap access to their services for users' data.
The current Data Protection Act was enacted before the internet, making it easy to exploit data using new technology. GDPR seeks to address this. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the digital economy.
Second, the EU wants to give businesses a clearer legal environment to operate in. It's estimated that making data protection law identical throughout the single market will save businesses a collective €2.3 billion a year.
When will it apply?
GDPR has applied to all EU member states since 25 May 2018.
Who does it apply to?
According to the EU, 'controllers' and 'processors' of data need to follow GDPR rules. Let's dig into those terms a little.
A data controller is the party responsible for how and why data is processed. This is usually your business itself. A processor is the party responsible for the actual handling of the data.
Using a third-party contractor for processing your payroll is a great example of this. Your business tells the payroll company when wages should be paid, how much each employee should receive, and if anyone leaves or joins. The payroll company provides the IT system and stores your employees' data. In this situation, your business is the controller and the payroll provider the processor.
Even if controllers and processors are based outside the EU, GDPR still applies, so long as they're dealing with data belonging to EU residents.
It's your responsibility as a controller to ensure the processor follows the rules. Meanwhile, processors must keep records of their processing activities. There's a big incentive to do this. Under GDPR, the penalties are much more severe than they were previously.
How can Cyber Essentials help with GDPR?
While your organisation needs more than Cyber Essentials to comply with GDPR, it's a great first step. Cyber Essentials certification is evidence that you have taken steps towards protecting your data from cyber attacks.
Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.