I am an associate in our international corporate group in London. I advise clients on a range of corporate transactions, with experience in M&A, private equity, venture capital, corporate re-organisations and general corporate advisory work.
I am a partner in the Corporate team and am based in our London office. I advise clients on a range of corporate transactions with a particular focus on Venture Capital and Mergers & Acquisitions, predominantly involving technology companies.
The General Data Protection Regulation (GDPR) is the European Union’s cornerstone data protection law. It applies to almost all organisations doing business in or with the EU, or individuals in the EU.
It represents the pinnacle of changing global norms around privacy and the use of personal data, as countries around the world have introduced their own frameworks designed to keep pace with the GDPR.
With a broad territorial scope, a suite of detailed requirements and authority for regulators to issue significant fines, organisations that are subject to GDPR face considerable risks. But as other countries follow suit, the GDPR can serve as the springboard for the wider world.
Following Brexit, the UK has a separate data protection regime consisting primarily of the UK GDPR and the Data Protection Act 2018. As it stands currently, the UK GDPR is similar to the EU GDPR.
Since the UK has left the EU, from 1 January 2021 the GDPR no longer applies directly in the UK. However, the GDPR has been retained in UK law with technical amendments to ensure it can function in UK law. This new regime is known as the ‘UK GDPR’ and sits alongside the Data Protection Act 2018.
We have set out some of the highlights of GDPR below. For further information, check out our GDPR Guide.
Expansive definition of personal data: Personal data is defined widely as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In practice, it includes all data which are or can be assigned to a living person (even if not named).
Extra-territorial scope: The GDPR applies to organisations in the EU as well as those outside the EU that process personal data in the context of offering goods or services to EU residents or monitoring their behaviour. This means that organisations that do business in the EU could be subject to the GDPR. It also means that companies around the world face a level playing field if they are competing for customers in the EU.
Expansive enforcement powers: Organisations could face sanctions such as fines from regulators up to the higher of 4% of the organisation’s worldwide annual revenue or €20 million. A further significant risk is that a regulator could order an organisation to stop using personal data altogether – which could mean deleting all customer lists and effectively ceasing to operate until the organisation comes into compliance. The GDPR also permits individuals to bring actions for compensation.
Significant individual rights: Individuals are accorded a number of rights, including the right to obtain a copy of the personal data held about them, the right to request that organisations delete data held about them, the right to opt-out of any processing for direct marketing purposes (including the creation of consumer direct marketing profiles), and the right to “port” data from one provider to a competitor.
Consent: Consent is not always required; it is one of a number of available legal bases. Where consent is appropriate, it is subject to a challenging set of conditions. In order to obtain an individual’s consent to use his/her data, an organisation must ensure that the consent is granular, can easily be withdrawn and is not “take it or leave it”. Where possible, it should be avoided, particularly in situations where it would be difficult to ensure the consent is freely given, such as in employer-employee relationships.
Privacy by design and default: Organisations must implement data protection as a core element of the design of any product, service, system, process, etc. that involves the processing of personal data. When considering the design of technical and organisational measures, the GDPR directs controllers to assess the state of the art, cost of implementation, and the nature, scope and reasons for use, together with the different levels of risks posed to individuals’ rights and freedoms by the given use of personal data. Example measures to meet the data minimisation principle referenced in the GDPR include adopting appropriate staff policies and using pseudonymisation.
Accountability: The GDPR requires all organisations to implement a wide range of measures to reduce the risk of their breaching the GDPR and to prove that they take data governance seriously. Accountability measures include appointing a data protection officer (where certain thresholds are met), conducting privacy risk assessments for “high risk” activities and keeping detailed records of processing activities that can be made available to regulators (unless exemptions apply).
Contracts: Organisations need to consider how data protection will be addressed in their contracts with service providers and business partners. In certain cases, there are mandatory terms that must be included.
Data breach notification: Personal data breach notification requirements under GDPR apply to organisations regardless of their sector. Notably, the GDPR adopts a low threshold for reporting a personal data breach to competent regulators. Any required report must be made without undue delay and where feasible within 72 hours. This regime applies in addition to data security and breach notification obligations currently required by the EU NIS/Cybersecurity Directive and the forthcoming EU NIS2 Directive and their respective national implementing legislation.
Harmonisation across the EU: In taking the form of a regulation, rather than a directive, the GDPR eliminated many of the country-specific requirements that existed previously. However, the GDPR does contain certain derogations and special conditions that mean that there is local variance in some cases (impacting, for example, areas such as life sciences, activities related to journalism/academia and employment).
To address the significant risks posed by GDPR enforcement, we recommend that organisations understand how they collect, use and store personal data. Only then can an organisation implement tailored solutions.
Addressing the risks posed by the GDPR requires a case-by-case assessment of the friction points for each organisation. There is no one-size-fits-all solution. Get in touch with us to discuss the building blocks for your compliance programme and an introduction to the key concepts.