The General Data Protection Regulation (GDPR) is a landmark data protection law enacted by the European Union, effective from May 25, 2018. It is designed to give individuals greater control over their personal data and establish a unified framework for data protection across all EU member states. At its core, GDPR aims to enhance transparency, accountability, and fairness in how organizations collect, process, store, and share personal data.
After the UK’s withdrawal from the EU, the UK adopted its own version of GDPR, known as the UK GDPR, effective from January 1, 2021. While the core principles of the UK GDPR remain aligned with the EU GDPR, it operates under UK law and is supplemented by the UK’s Data Protection Act 2018.
Both regulations emphasize key principles such as data minimization, purpose limitation, and security while granting individuals rights like access, rectification, erasure, and data portability. Businesses targeting individuals in the EU or UK must comply with the respective regulation, regardless of their location.
Key principles of GDPR
- Lawfulness, Fairness, and Transparency: Organizations must process personal data lawfully, fairly, and transparently. Individuals should understand how and why their data is being used, and organizations must have a valid legal basis for processing.
- Data Minimization: Only the minimum amount of personal data necessary for the intended purpose should be collected. Organizations must ensure they are not processing more data than required.
- Purpose Limitation: Personal data should be collected for specific, explicit, and legitimate purposes and not used in a way that is incompatible with those purposes.
- Accuracy: Personal data must be accurate and kept up to date. Organizations should take reasonable steps to rectify or delete inaccurate or outdated data without delay.
- Storage Limitation: Personal data should not be retained longer than necessary for the purpose for which it was collected. Organizations must establish clear retention policies and securely dispose of data that is no longer needed.
- Accountability: Organizations are responsible for demonstrating compliance with GDPR principles. This includes maintaining proper documentation, implementing appropriate safeguards, and being prepared to show evidence of compliance to regulators.
- Integrity and Confidentiality (Data Security): Organizations must process personal data securely, using appropriate technical and organizational measures to protect it from unauthorized access, loss, destruction, or damage.
Non-compliance with GDPR can result in significant penalties, including fines of up to €20 million (or £17.5 million for UK GDPR) or 4% of annual global turnover, whichever is higher. Beyond the financial risks, non-compliance can harm an organization’s reputation and erode customer trust.
By aligning with GDPR, businesses not only avoid legal pitfalls but also demonstrate their commitment to respecting privacy and fostering trust in an increasingly data-conscious world.
Related Regulations and Legislation
- ePrivacy Directive (EU): The ePrivacy Directive (Directive 2002/58/EC), also known as the “Cookie Law”, is a European Union regulation that focuses on privacy and electronic communications. It complements the GDPR by addressing specific issues related to online privacy and the confidentiality of communications.
- Privacy and Electronic Communications Regulation (UK): The Privacy and Electronic Communications Regulations (PECR) are the UK implementation of the EU’s ePrivacy Directive. They govern the use of electronic communications, including marketing, cookies, and other online tracking technologies, in the UK. While PECR focuses specifically on electronic communications, it works alongside the UK GDPR to protect personal data. For instance, obtaining valid consent for cookies under PECR must meet the stricter consent standards of the UK GDPR.
GDPR Solutions
Advoke International provides comprehensive solutions tailored to support your organization in achieving compliance with the GDPR.
- GDPR Gap Analysis
- Privacy Framework Implementation
- GDPR Readiness Assessment
- Complete GDPR Compliance Review
- EU/UK Representative Service
Frequently Asked Questions
What is considered personal data under GDPR?
Personal data refers to any information that can directly or indirectly identify an individual, such as name, email address, phone number, IP address, location data, or even online identifiers like cookies.
What are the penalties for non-compliance with GDPR?
Non-compliance can result in hefty fines. Organizations may face penalties of up to €20 million (or £17.5 million for UK GDPR) or 4% of their annual global turnover, whichever is higher, depending on the severity of the violation.
What rights do individuals have under the GDPR?
The GDPR provides individuals with several key rights, including:
- Right to be Informed: To know how personal data is being collected, processed, stored, and disclosed by an organization.
- Right to Access: To view the data an organization holds about them.
- Right to Rectification: To correct inaccuracies in their personal data.
- Right to Erasure: To request deletion of their data under certain conditions.
- Right to Restrict Processing: To limit how their data is used.
- Right to Data Portability: To transfer their data to another service.
- Right to Object: To oppose data processing for specific purposes, such as marketing.
- Rights Related to Automated Decision-Making and Profiling: To object to decisions made solely through automated processes if those decisions significantly affect them, unless exceptions apply.
- Right to Withdraw Consent: To revoke their consent for data processing at any time, after which the organization must cease processing for that purpose.
- Right to Lodge a Complaint: To file a complaint with a data protection authority if they believe their rights under GDPR have been violated.
Does GDPR only apply to large businesses?
No, GDPR applies to organizations of all sizes, including SMEs and startup businesses, as long as they process the personal data of individuals in the EU or UK.
Do non-EU and non-UK companies need to comply with GDPR?
Yes. If a non-EU or non-UK company offers goods or services to residents of the EU or UK, or monitors their behaviour (e.g., through tracking or analytics), it must comply with GDPR requirements.