The General Data Protection Regulation (GDPR) is one of the toughest privacy and security laws in the world. Whilst the legislation was drafted and passed by the European Union (EU) on 25th May 2018, it imposes obligations on organisations worldwide, so long as they collect data from, or target groups related to, the EU. Infringements of the GDPR result in significant fines for the violation of privacy and security standards, with penalties potentially reaching up to €20 million.
The GDPR was brought into effect essentially to harmonise data privacy laws across all member countries, in addition to providing much greater data protection rights to individuals in an increasingly technology-driven world. The GDPR's 99-article legislation draws comparisons with the California Consumer Privacy Act in the US. The EU GDPR covers a vast array of information and roles, including personal data, data processing (automated or manual), data subjects (such as customers of a website), data controllers and data processors, including third-party processors working on behalf of an EU organisation. Personal data represents the greatest restriction for businesses operating in, or looking to expand to, Europe, with strict rules on personal information such as trade union membership, genetic and biometric data, and health information and data amongst those most tightly controlled. In July 2021, Amazon was hit with a €756m fine for a breach of the EU's personal data protection regulations.
Large and small companies also face slightly different requirements when it comes to personal data privacy. Companies with over 250 employees must maintain documentation of why and how employee data is being collected and processed, in addition to how long that data will be kept, as outlined by Article 30 of the GDPR. Companies with under 250 employees only need to document data processing activities that are more than a one-off occurrence for the company, are likely to result in a risk to the rights of the data subjects, or involve special categories of personal data, such as criminal conviction or criminal offence data.
When the GDPR came into effect in the EU in 2018, individual member countries were given the opportunity to provide their own specific regulations alongside it. In the UK, this led to the development and implementation of the Data Protection Act 2018. This act, which superseded the UK's previous Data Protection Act 1998, restricts how your personal information is used by organisations, businesses and governments in the UK by complementing the EU's existing GDPR.