The General Data Protection Regulation (GDPR) is...

The General Data Protection Regulation (GDPR) is Europe’s data privacy and security law covering the protection of individuals’ personal data.

The regulation, widely touted as the most stringent data privacy legislation in the world, came into force in the UK in May 2018 as a replacement for the 1998 Data Protection Act (DPA).

The Data Protection Act (2018) in the UK is the application of GDPR in the country (so in effect they are the same). GDPR is an EU-wide regulation which had to be incorporated into each country’s privacy legislation by a certain deadline, which differed slightly from country to country.

Why would I need this?

Marketers across the world need to be aware of GDPR and whether their business needs to comply. Put simply, regardless of whether or not your business is based in the EU, if you are offering goods or services to EU consumers, or processing the data of these individuals, then GDPR applies to you and your organisation and you must comply with the legislation.

The penalty for not complying with GDPR is high. There are two tiers of fines, with the most serious violations around privacy rights attracting a fine of a maximum €20m or 4% of a company’s global turnover (whichever is higher). Outside of this, individuals affected by a violation are also able to seek compensation.

How does it work?

Personal data is defined as any information related to an individual that can directly or indirectly identify them. Examples include names, email addresses, information about their location, gender, ethnicity, and political opinions, and cookies can come under this banner.

GDPR covers data processing (any action performed on data) on a ‘data subject’ – the individual whose data is processed (for example, your customers). Compliance of GDPR needs to be demonstrated by a data controller (any owner or employee in a business that handles personal data) who decides why and how data is processed.

Special rules within GDPR apply to data processors, who are third parties that process personal data on behalf of a data controller.

GDPR sets out the seven principles for processing the data of individuals as follows:

  1. Lawfulness, fairness and transparency — data must be processed lawfully, fairly and in a transparent manner.
  2. Purpose limitation — data is collected for a specific and legitimate purpose and not further processed or used in a manner that is outside of those purposes or not compatible with them.
  3. Data minimisation — the data collected must only be that which is absolutely necessary for the specified purpose.
  4. Accuracy — Personal data must be kept accurate and up to date.
  5. Storage limitation — Personal data must only be stored for as long as necessary for the purpose specified.
  6. Integrity and confidentiality — Data processing must be done in a way that ensures appropriate security (including protection against unlawful processing or accidental loss or damage), using appropriate tech and organisational measures.
  7. Accountability — The data controller will be responsible for and be able to demonstrate compliance with all of these principles.

Update to data law in the UK

In March 2023, proposed changes to current GDPR/DPA legislation in the UK were introduced to the Government, under the Data Protection and Digital Information (DPDI) Bill.

In principle there is no significant change to accountabilities and responsibilities of individuals and businesses under GDPR, but the Bill does propose amendments aimed at making data laws more “business friendly”. These include definitions of what constitutes legitimate interest for the purpose of data collection for marketing, expanded exemptions to consent for cookies, and extending soft opt-in for email to non-commercial organisations.

At the time of writing, the DPDI Bill is not yet enshrined in law, and the Bill will undergo scrutiny within the EU to ensure that it adequately retains being equivalent to GDPR.

Real world examples

Meta fined €390m after decision that it cannot “force consent” for targeted ads

€746m and counting: the 10 biggest GDPR fines so far

GDPR four years on: is data privacy already out of date?