What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a European law that governs how companies (whether EU- or UK-based or not) use personal data.
Side note: In the EU and UK, personal data means almost anything that could identify a person: not just names, email addresses, postal addresses and phone numbers, but also device IDs, IP addresses and even some cookie data.
Does the GDPR apply to me?
Yes, if you: (a) are an EU- or UK-based company or have an EU- or UK-based affiliate; or (b) offer goods or services to EU- or UK-based individuals (whether for payment or not); or (c) monitor the behaviour of EU- or UK-based individuals (including via cookies).
This means that even companies providing B2B services to businesses based in the EU, such as hosted data services, data analytics platforms and outsourced business functions, may be covered. It is important to remember that the GDPR does not discriminate by sector.
Ok, so what do I have to do to comply with the GDPR?
It really depends on your role in respect of the personal data. If you are a data controller, in charge of deciding what happens to the data, you have numerous obligations; if you are a data processor or sub-processor, being told by someone else what to do with that data, you have fewer obligations than a data controller. Regardless of your role, you will need to:
- better inform individuals about what you do with their data;
- account for the data you process (e.g., by keeping clear records on what you do with data); and
- start putting privacy higher up your list, both at the inception of the product or service and throughout its lifecycle (including ensuring adequate security).
What happens if I don’t comply with the GDPR?
If you breach the GDPR you could face fines of up to 20M Euros or 4% of worldwide annual turnover (whichever is greater).