The strength of GDPR has seen it lauded as a progressive approach to how people's personal data should be handled and comparisons have been made with the subsequent California Consumer Privacy Act.
Who does GDPR apply to?
At the heart of GDPR is personal data. Broadly this is information that allows a living person to be directly, or indirectly, identified from data that's available. This can be something obvious,such as a person's name, location data, or a clear online username, or it can be something that may be less instantly apparent: IP addresses and cookie identifiers can be considered as personal data.
Under GDPR there's also a few special categories of sensitive personal data that are given greater protections. This personal data includes information about racial or ethic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data around a person's sex life or orientation.
The crucial thing about what constitutes personal data is that it allows a person to be identified –pseudonymised data can still fall under the definition of personal data. Personal data is so important under GDPR because individuals, organisations, and companies that are either 'controllers' or 'processors' of it are covered by the law.
"Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data," the UK's data protection regulator, the Information Commissioner's Office (ICO) says. It's also possible that there are joint controllers of personal data, where two or more groups determine how data is handled. "Processors act on behalf of, and only on the instructions of, the relevant controller," the ICO says. Controllers have stricter obligations under GDPR than processors.
Although coming from the EU, GDPR can also apply to businesses that are based outside the region. If a business in the US, for instance, does business in the EU then GDPR can apply and also if it is a controller of EU citizens.
What are GDPR's key principles?
At the core of GDPR are seven key principles – they're laid out in Article 5 of the legislation – which have been designed to guide how people's data can be handled. They don't act as hard rules, but instead as an overarching framework that is designed to layout the broad purposes of GDPR. The principles are largely the same as those that existed under previous data protection laws.
GDPR's seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.
The ICO's guide to GDPR gives a full run-down of the principles, but we're only going to highlight a couple of them here.
Data minimisation
The data minimisation principle isn't new, but it continues to be important in an age when we are creating more information than ever. Organisations shouldn't collect more personal information than they need from their users. "You should identify the minimum amount of personal data you need to fulfil your purpose," the ICO says. "You should hold that much information, but no more."
The principle is designed to ensure organisations don't overreach with the type of data they collect about people. For instance, it's very unlikely that an online retailer would need to collect people's political opinions when they sign-up to the retailer's email mailing list to be notified when sales are taking place.
Integrity and confidentiality (security)
Under 1998's data protection laws, security was the seventh principle outlined. Over 20 years of being implemented a series of best practices for protecting information emerged, now many of these have been written into the text of GDPR.
Personal data must be protected against "unauthorised or unlawful processing," as well as accidental loss, destruction or damage. In plain English this means that appropriate information security protections must be put in place to make sure information isn't accessed by hackers or accidentally leaked as part of a data breach.
