On May 25, 2018, years of preparation ended. Across Europe, long-planned data protection reforms started to be enforced. The mutually agreed General Data Protection Regulation (GDPR) has now been in place for around two years and has modernised the laws that protect the personal information of individuals.
GDPR has replaced previous data protection rules across Europe that were almost two decades old – with some of them first being drafted in the 1990s. Since then our data-heavy lifestyles have emerged, with people routinely sharing their personal information freely online.
The EU's says GDPR was designed to "harmonise" data privacy laws across all of its members countries as well as providing greater protection and rights to individuals. GDPR was also created to alter how businesses and other organisations can handle the information of those that interact with them. There's the potential for large fines and reputational damage for those found in breach of the rules.
The regulation has introduced big changes but builds on previous data protection principles. As a result, it has led to many people in the data protection world, including UK information commissioner Elizabeth Denham, to liken GDPR to an evolution, rather than a complete overhaul of rights. For businesses which were already complying with pre-GDPR rules the regulation should have been a "step change," Denham has said.
Despite a pre-GDPR transition period taking place, which allowed businesses and organisations time to change their policies, there has still been plenty of confusion around the rules. Here's our guide to what GDPR really means.
What is GDPR exactly?
GDPR can be considered as the world's strongest set of data protection rules, which enhance how people can access information about them and places limits on what organisations can do with personal data. The full text of GDPR is an unwieldy beast, which contains 99 individual articles.
The regulation exists as a framework for laws across the continent and replaced the previous 1995 data protection directive. The GDPR's final form came about after more than four years of discussion and negotiations – it was adopted by both the European Parliament and European Council in April 2016. The underpinning regulation and directive were published at the end of that month.
GDPR came into force on May 25, 2018. Countries within Europe were given the ability to make their own small changes to suit their own needs. Within the UK this flexibility led to the creation of the Data Protection Act (2018), which superseded the previous 1998 Data Protection Act.
The strength of GDPR has seen it lauded as a progressive approach to how people's personal data should be handled and comparisons have been made with the subsequent California Consumer Privacy Act.
Who does GDPR apply to?
At the heart of GDPR is personal data. Broadly this is information that allows a living person to be directly, or indirectly, identified from data that's available. This can be something obvious, such as a person's name, location data, or a clear online username, or it can be something that may be less instantly apparent: IP addresses and cookie identifiers can be considered as personal data.
Under GDPR there's also a few special categories of sensitive personal data that are given greater protections. This personal data includes information about racial or ethic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data around a person's sex life or orientation.
The crucial thing about what constitutes personal data is that it allows a person to be identified – pseudonymised data can still fall under the definition of personal data. Personal data is so important under GDPR because individuals, organisations, and companies that are either 'controllers' or 'processors' of it are covered by the law.
"Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data," the UK's data protection regulator, the Information Commissioner's Office (ICO) says. It's also possible that there are joint controllers of personal data, where two or more groups determine how data is handled. "Processors act on behalf of, and only on the instructions of, the relevant controller," the ICO says. Controllers have stricter obligations under GDPR than processors.
Although coming from the EU, GDPR can also apply to businesses that are based outside the region. If a business in the US, for instance, does business in the EU then GDPR can apply and also if it is a controller of EU citizens.
What are GDPR's key principles?
At the core of GDPR are seven key principles – they're laid out in Article 5 of the legislation – which have been designed to guide how people's data can be handled. They don't act as hard rules, but instead as an overarching framework that is designed to layout the broad purposes of GDPR. The principles are largely the same as those that existed under previous data protection laws.
GDPR's seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.
The ICO's guide to GDPR gives a full run-down of the principles, but we're only going to highlight a couple of them here.
The data minimisation principle isn't new, but it continues to be important in an age when we are creating more information than ever. Organisations shouldn't collect more personal information than they need from their users. "You should identify the minimum amount of personal data you need to fulfil your purpose," the ICO says. "You should hold that much information, but no more."
The principle is designed to ensure organisations don't overreach with the type of data they collect about people. For instance, it's very unlikely that an online retailer would need to collect people's political opinions when they sign-up to the retailer's email mailing list to be notified when sales are taking place.
Integrity and confidentiality (security)
Under 1998's data protection laws, security was the seventh principle outlined. Over 20 years of being implemented a series of best practices for protecting information emerged, now many of these have been written into the text of GDPR.
Personal data must be protected against "unauthorised or unlawful processing," as well as accidental loss, destruction or damage. In plain English this means that appropriate information security protections must be put in place to make sure information isn't accessed by hackers or accidentally leaked as part of a data breach.
GDPR doesn't say what good security practices look like, as it's different for every organisation. A bank will have to protect information in a more robust way than your local dentist may need to. However, broadly, proper access controls to information should be put in place, websites should be encrypted, and pseudonymisation is encouraged.
"Your cybersecurity measures need to be appropriate to the size and use of your network and information systems," the ICO says. If a data breach occurs, data protection regulators will look at a company's information security setup when determining any fines that may be issued. Cathay Pacific Airways was fined £500,000, under pre-GDPR laws, for exposing 111,578 of its UK customers' personal information. It was said the airline had "basic security inadequacies" within its setup.
Accountability is the only new principle under GDPR – it was added to ensure companies can prove they are working to comply with the other principles that form the regulation. At it simplest, accountability can mean documenting how personal data is handled and the steps taken to ensure only people who need to access some information are able to. Accountability can also include training staff in data protection measures and regularly evaluating and data handling processes.
The "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data has to be reported to a country's data protection regulator where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more. In the UK, the ICO has to be informed of a data breach 72 hours after an organisation finds out about it. An organisation also needs to tell the people the breach impacts.
For companies that have more than 250 employees, there's a need to have documentation of why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for and descriptions of technical security measures in place. GDPR's Article 30 lays out that most organisations need to keep records of their data processing, how data is shared and also stored.
Additionally, organisations that have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.
The accountability principle can also be crucial if an organisation is being investigated for potentially breaching one of GDPR's principles. Having an accurate record of all systems in place, how information is processed and the steps taken to mitigate errors will help an organisation to prove to regulators that it takes its GDPR obligations seriously.
What are my GDPR rights?
While GDPR arguably places he biggest tolls on data controllers and processors, the legislation is designed to help protect the rights of individuals. As such there are eight rights laid out by GDPR. These range from allowing people to have easier access to the data companies hold about them and for it to also be deleted in some scenarios.
The full GDPR rights for individuals are: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and also rights around automated decision making and profiling.
As with the GDPR principles, we're only going into detail on some of the rights here. More can be found on the ICO's website.
Access to your data
If you want to find out what a company or organisation knows about you, you need a Subject Access Request (SAR). Previously, these requests cost £10 but GDPR scraps the cost and makes it free to ask for your information. You can't make a request for anyone else's information, although someone, such as a lawyer, can make a request on behalf of another person.
When a person makes a SAR they're legally entitled to be provided with a confirmation that an organisation is processing their personal data, a copy of this personal data (unless exemptions apply), and any other supplementary information that's relevant to the request. A request must be answered within one month.
People have successfully used SARs to find out information technology companies hold about them. Tinder sent one person 800 pages of information about their use of its app, including education details, the age-rank of the people they were interested in and the location of where every match happened. Other uses have revealed levels of spending on FIFA and every click made while shopping on Amazon's website.
SARs can be made either in writing or verbally – meaning an organisation has to determine whether what has been asked for is classed as personal data under GDPR. A SAR doesn't have to say it is a SAR and can be made to any person in an organisation – they can even be sent through social media, although email will be the most common format for most people. As well as the information that's asked for, an organisation has to provide details of why it was processing the personal information, how the information is being used, and how long it is due to be kept for.
Many big tech companies have their own data portals where it's possible to download some of your information from. For instance, Facebook lets its users download all their old images, posts and pokes, while Twitter and Google also allow information associated with accounts be accessed without needing to make a SAR. In some instances these ways to access information may not contain everything a person wants. If a Subject Access Request is made and doesn't return the results the maker wanted, they can be appealed to the ICO.
Automated processing, erasure and data portability
The GDPR also bolsters a person's rights around automated processing of data. The ICO says individuals "have the right not to be subject to a decision" if it is automatic and it produces a significant effect on a person. There are certain exceptions but generally people must be provided with an explanation of a decision made about them.
The regulation also gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there's no legitimate interest, and if it was unlawfully processed.
Data portability has been one of GDPR's big buzzwords – but it's one that has seen some of the least action. The theory is that it should be possible to share information from one service to another. One of the best examples of data sharing is Facebook's ability to automatically transfer your photos to a Google Photos account. This was created by the Data Transfer Project which includes Apple, Google, Facebook, Twitter and Microsoft.
GDPR breaches and fines
One of the biggest, and most talked about, elements of the GDPR has been the ability for regulators to hit businesses who don't comply with huge fines. If an organisation doesn't process an individual's data in the correct way, it can be fined. If it requires and doesn't have a data protection officer, it can be fined. If there's a security breach, it can be fined.
In the UK, these monetary penalties are decided by the ICO and any money regained is rerouted back through the Treasury. GDPR says that smaller offences can result in fines of up to €10 million or two per cent of a firm's global turnover (whichever is greater). The biggest GDPR breaches can be met with more serious consequences: fines of up to €20 million or four per cent of a firm's global turnover (whichever is greater). Under the previous data protection regime, the ICO could only issue fines of up to £500,000.
Before GDPR was implemented there was much speculation that data protection regulators would hit companies found in the breach of the legislation with huge fines. This hasn't happened. Data protection investigations can be lengthy and complex – if they're wrong, they can be challenged through the courts.
One of the biggest fines under GDPR to date has been against Google: the French data protection regulator, the National Data Protection Commission (CNIL), fined the company €50 million (£43m). CNIL said the fine was issued for two main reasons: Google not providing enough information to users about how it uses the data that it gets from 20 different services and also not getting proper consent for processing user data.
There have also been fines against La Liga's app that spied on people who downloaded it, Bulgaria’s DSK Bank for accidentally disclosing customer details and schools who tracked pupils.
However, the biggest fines could come from the UK. The ICO has issued a "notice of intent" to both airline British Airways and hotel chain Marriott for breaching GDPR. It was mooted BA would be fined £183m, while the hotel company would be fined £99m. However, as both of these are notices of intent, they aren't official fines and nothing has been paid by either company. In fact, both the firms are challenging the ICO's notices.
This article was originally published in 2017, ahead of GDPR's implementation but has since been updated to contain the latest information
Matt Burgess is WIRED's deputy digital editor. He tweets from @mattburgess1
More great stories from WIRED
😓 Does alcohol kill coronavirus? The biggest myths, busted
💩 Gender neutral toilets are a massive failure (so far)
🏙️ A huge Airbnb scam is taking over London