What is GDPR? Everything you need to know about the new EU data laws

(Image credit: Creative comms)

GDPR is now in force, meaning companies of all sizes need to ensure they are compliant with the new data regulations.

But what exactly does GDPR entail? Here's our guide to everything you need to know.

What is GDPR?

The General Data Protection Regulation, or GDPR, (or EU Regulation 2016/679 if you want to be official) is one of the most significant and wide-ranging pieces of legislation passed relating to technology and the internet.

Approved by the European Union in April 2016, and having come into force in the UK on May 25, GDPR  looks to bring together several existing laws and regulations to harmonize rulings across the EU.    

Primarily, it replaces the UK's 1984 Data Protection Act and the EU's Data Protection Directive, which initially came into force in 1995, with new guidelines that are better suited to the modern, technology-dominated world.

The main points of GDPR concern the privacy rights of everyday users and the data they create online, and will affect businesses of all sizes due to their effect on how companies gather, store, and look after their data.

Under GDPR, companies will also need to give explicit notice when collecting the personal data of their customers. This will mean that consent will need to be explicitly given, and that companies will have to detail the exact purpose for which customers' data will be used.

This personal data will also need to be encrypted by default as part of a process known as pseudonymization, meaning that it can't be linked to a specific person without being accompanied by extra information.

Personal data applies to a wide range of information – effectively anything that could be used to directly or indirectly identify a person online. This could include names, email addresses, images, bank details, posts on social networking websites, medical information, or even a computer IP address.

Users will also have the right to know exactly what details a company or organization holds about them, and also request that any of this information be deleted if they feel their rights to privacy are being infringed as part of the new 'right to erasure'.

Companies that suffer data breaches, whether accidental or as part of a cyber-attack, will need to disclose this event to the relevant authorities within 72 hours of it happening, although there's no requirement to notify users unless instructed.

Who does GDPR apply to?

Put simply, if your business offers goods or services to anyone living within the European Union, GDPR will apply to you.  

This means that companies outside Europe will also need to ensure they're compliant with the rules, as they could also be subject to fines if found not to be up to speed.

If you have mailing lists for newsletters or promotions, and some of your prospects or customers are EU citizens, GDPR applies to you. 

Following several near misses, Google has become the first major company to suffer a GDPR fine, after the French data regulator fined it €50m following accusations that users were not sufficiently informed as to how the company collected data to personalise advertising on its search engine.

What do I need to do to be ready for GDPR?

As mentioned above, if you deal with customers within the EU, you'll need to ensure that the way you gather, store and use their data is GDPR-compliant.

For starters, you'll need to identify exactly what data you currently own, and the means by which you acquired it. Many organizations may be unaware of the sheer mountain of information they own on their customers – just as their customers might be unaware how much info they have shared.

All the data will need to be properly secured to ensure it remains protected, so it's definitely worth instigating new policies to limit access to the most precious data to a few key team members. 

You should also be frequently backing up your data, as under GDPR customers are able to request to view exactly what information you have on them at any time.

If your business carries out large-scale data practices, you will also need to appoint a Data Protection Officer (DPO).

A DPO will be able to take responsibility for much of the heavy lifting when it comes to GDPR, including overseeing compliance and data protection.

Lastly, you'll need to ensure that all your employees are clued up about what exactly GDPR means. The rules aren't just the prerogative of the IT department, but could affect everyone in your organization.

What happens if you're not GDPR-ready?

GDPR is a huge deal, and as such the punishments for non-compliance are significant.

Any organisation found to not be conforming to the new regulations after the May 25 deadline could face heavy fines, equivalent to 4% of annual global turnover, or €20 million, whichever is greater. 

It remains to be seen exactly how GDPR will be monitored, and if fines will be handed out to every company large and small, but for now the best course of action is to prepare as fully as you can.

GDPR latest news and advice

GDPR news and analysis

- GDPR sees cookies crumble on EU news sites - Cookie usage fell 22 per cent in the months following GDPR...

- Over 1,000 US news sites still unavailable in EU following GDPR - Don't worry though, EU users, Instapaper is back...

- Facebook's Cambridge Analytica fine could have been even bigger under GDPR - GDPR rules would have meant a billion-pound fine for Facebook...

- 5 unexpected consequences of GDPR - Now GDPR is full force, what are some of the potentially unusual results?

- How to encourage consumers to part with their data now GDPR is here - GDPR is now in force, but how will it affect your customer relationships?

- How will GDPR impact the mobile industry? - Mobile operators are confident that GDPR will be a good thing in their battle against OTT operators...

- GDPR and its impact on e-commerce providers - GDPR will mean big changes for many businesses - how can you make sure your company is ready?

- GDPR and the case for ethical data handling - Looking to finalise your GDPR compliance? Here are some top tips...

- AOMEI's free backup software will keep you on the right side of GDPR - Free and secure for individuals and businesses...

- The role of blockchain in GDPR compliance - Can blockchain be the key to helping your business conquer GDPR?

GDPR Tips

- GDPR: Turning the burden into an opportunity - The GDPR may actually improve the trust in your cloud storage app...

- The GDPR hangover: tips for making a website GDPR compliant - Now the GDPR deadline has passed, how can you make sure your site is up to the new regulations?

- GDPR and website operators – the final checklist - With just days to go, make sure your site is GDPR-ready...

- Turning GDPR into an experience benefit - A guide to how your business can take advantage of GDPR...

- GDPR compliance countdown: the final checklist - Is your organisation fully prepared for the upcoming GDPR?

- How to make a website GDPR compliant - Ensure your site is GDPR-ready with these tips...

- GDPR: Is your website compliant with the new regulation? - Make sure you don't fall foul of the new GDPR rules with this guide...

- GDPR compliance and Blockchain - How are two of the biggest technology issues of today linked?

GDPR information

-  GDPR: The foundation for innovation - How can GDPR help benefit your business?

- New UK data protection laws: everything you need to know for your online life - Taking control of the data flow...

- Changes in European Data Protection Regulation: A look at the GDPR - Overview of the EU initiative to simplify data protection...

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.