Maxwell Stephens

What I need to know about GDPR?

GDPR is a hot topic right now, with the legislation set to give individuals back control of their personal data. With less than a year to go until it will be enforceable, what do people and businesses need to know?


What is GDPR?


GDPR stands for General Data Protection Regulation, and it was published in January 2012 by the European Commission. It will significantly change the current data protection legislation at a time when we rely more than ever on information technology.


Why was GDPR drafted?


There are two main reasons for the new legislation. First of all, the EU would like to provide people with more control over their own personal data at a time when the digital economy is erupting. Secondly, the EU aims to give businesses a more straightforward legal environment to operate within – data protection law which is unified throughout the EU.


When will it apply?


It will be applicable from 25 May 2018, leaving under a year for businesses to update their policies, procedures, and practices to ensure compliance.


Who does the legislation apply to?


It applies to controllers and processors of data. By definition a controller sets out how and why personal data is processed, with the processor being the party actually processing the data. At a macro level, the legislation itself is far reaching beyond the EU, since it applies to any country handling or contracting with another firm to handle an EU citizen’s personal data.


Personal data must be processed lawfully


It is the responsibility of the controller to ensure personal data is processed lawfully. ‘Lawful’ has a range of meanings:


  • The individual has given consent for their data to be processed.
  • In compliance with a contract or legal obligation.
  • It is in the public interest for the personal data to be processed.
  • It is in the controller’s legitimate interest, for example to prevent fraud.
  • Is essential for the life of the subject.

At a minimum one of these must apply for the data to be lawfully processed.




Consent must be active and may not be granted from not ticking a box, i.e. passively opting out. Controllers have an obligation to record when and how the subject provided consent, which they can withdraw whenever they like.


What is personal data?


The definition has been notably expanded under the GDPR to reflect the breadth of information now collected by organisations. For example online identifiers including IP addresses are now classed as personal data.


When can subjects access data stored on them?


Subjects are permitted to access the personal data at ‘reasonable intervals’ and controllers should respond to the request within one month.


What is the ‘right to be forgotten’?


The right to be forgotten has been in the press quite a lot, particularly in relation to social media sites such as Facebook. If the data is no longer necessary in terms of the purpose for which it was collected, the subject can request that it is deleted.


And if there is a data breach?


The data protection authority must be notified within 72 hours of the organisation becoming aware of it. 3 days is unlikely to be enough time for a full investigation and impact assessment to be conducted, but it is sufficient time to provide an initial alert. Within that time you also need to tell the people that you believe have been affected.


In Summary


This is a game changing piece of legislation which will transform the way in which businesses handle data. The penalties are significant for non-compliance – the greater of up to 20 million Euros or 4% of the global annual turnover. Therefore it is fully expected that businesses will be taking this seriously.


More Posts...