GDPR: What it is and what it means

GDPR: What it is and what it means

You may have noticed that there has been an influx of privacy policy updates from various websites and apps recently. The reason behind that is a new European Union (EU) regulation called the General Data Protection Regulation (GDPR), which was formally adopted two years ago today. It comes into effect on 25th May 2018, which is why many companies have been in a scramble recently to update their privacy policies – hence all the notifications you may have been seeing.

We’ve done our best to set out the main points you need to know about this important new regulation.

What is GDPR and how will it affect me?
The purpose of GDPR is to give EU citizens control over their personal data.

The main principle is that personal data should only be processed if certain criteria are met. The three criteria are transparency (the subject should be informed of what is being done), that there is a legitimate purpose for doing so (which must also be explicit, and must not be misused), and there must be proportionality (the purpose of processing the personal data must be relevant and not excessive).


GDPR replaces the earlier 1995 Data Protection Directive, and has been expanded and updated to more accurately deal with today’s technological environment. If you don’t know much about it then you’re not alone, but it’s important to be familiar with it so you understand your rights.

GDPR has a much bigger scope that the 1995 directive. According to the official guidance, “[GDPR] applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location”.

If an organisation is found to be in violation of the new rules, the maximum fine that they can be charged with is 4% of their annual global turnover or €20 million (whichever is greater). That gives a very good incentive for organisations to comply with these new rules to say the least.

What is ‘personal data’?
Personal data is defined by the GDPR as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person”. This can include your name, email address, date of birth, IP address, bank details, or anything else that could be used to identify you.

What else is important?
GDPR sets out that consent must be clear and explicit, and it must be as easy to withdraw as it is to give. It cannot be bundled in with any other matter, and it must be easy to understand. Put simply, companies can no longer hide consent within lengthy (and unintelligible) terms and conditions, or allow consent to be given by a pre-ticked box.

If there is a breach of your personal data that is likely to result in “a risk for the rights and freedoms of individuals”, the organisation must inform you within 72 hours of becoming aware of it.

Furthermore, as a data subject, you have the right to know what personal data is held about you and what the organisation does with it. You can request an electronic copy of the data held about you from the data controller for free.

You also have the right to be forgotten, in which case the data controller must delete any personal data they hold about you, they must not further distribute the data, and if third parties are processing the data then that must be stopped. GDPR also allows people to opt out of profiling (for example, for marketing purposes).

If an organisation uses an automated process to make a decision about you (for example, whether to give you a job interview, whether to reject a loan application) then under GDPR you have the right to appeal the decision.

What happens if an organisation breaches the rules?
As outlined above, if a company is found in violation of GDPR then they can be charged substantial fines. If you have been the victim of data misuse, you can also seek compensation from the offending organisation for any losses suffered (including distress and reputation). What is more, under GDPR you can now take action against both the organisation who processed the data, as well as the organisation who acted as the data controller.

If you would like to read more about GDPR, check out these links:

Becky Cunningham
First release
Last update

More resources from Becky