What is GDPR compliance? Everything you need to know about new EU data protection policy coming into effect

Martin Coulter
The biggest overhaul of data privacy regulation in the history of the internet comes into force on May 25: PA Wire/PA Images

Europe's General Data Protection Regulation (GDPR) comes into force on Friday.

It has been billed as the biggest shake-up of data privacy laws since the birth of the web.

The new EU law aims to give EU citizens more rights to control their online information. It has a list of technically demanding requirements, and threatens fines of up to 4 percent of a company's annual revenue for serious infringements.

The law covers companies that collect large amounts of customer data, including Facebook and Google. It won't be overseen by a single authority but instead by a patchwork of national and regional watchdogs across the 28-nation bloc.

The UK will have to comply even after it leaves the EU.

What is GDPR?

GDPR stands for General Data Protection Regulation, Europe's new framework for data protection laws – it replaces the previous 1995 data protection directive, upon which current UK law is based.

The Data Protection Act 1998 wasn't written with the contemporary uses of data enabled by the internet and services such as Facebook and Google in mind.

According to the EU's GDPR website, the legislation is designed to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals.

It includes new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines.

What do businesses need to do differently?

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA).

If you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.

However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.

What is 'consent' under the GDPR?

You may have recently received emails from firms asking if you'd be happy to "stay connected" or apps asking that you "review your terms".

That's because, under GDPR, consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.

Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want.

If your current model for obtaining consent doesn't meet these new rules, you'll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.

What happens if a business breaks GDPR rules?

The GDPR grants regulators the power to fine businesses that do not comply with it.

In the UK, the Information Commissioner's Office (ICO) would be able to levy fines of up to £8.8m (€10m) or two per cent of a firm's global turnover (whichever is greater).

Those guilty of more serious breaches could face larger fines of up to £17m (€20m) or four per cent of global turnover.

These penalties are significantly higher than the £500,000 charges the ICO is currently able to dole out.