What is the GDPR, the EU's Data Protection Law?

The General Data Protection Regulation (GDPR) is widely regarded as the most comprehensive privacy and security law in the world. Although it was drafted and enacted by the European Union (EU), it imposes obligations on organizations anywhere in the world that target, or collect data about, people in the EU. The regulation became effective on May 25, 2018. Organizations that break the GDPR's privacy and security rules face severe fines, with penalties reaching tens of millions of euros.

The GDPR signals Europe's firm position on data privacy and security at a time when more individuals entrust their personal data to cloud services and data breaches are increasingly common. The regulation, which superseded the 1995 Data Protection Directive, serves as the basis for data protection law across the continent.

The GDPR was adopted by both the European Parliament and the Council of the European Union in April 2016, after more than four years of debate and negotiation, and was published in the EU's Official Journal the following month. Organizations were then given two years to prepare before it took effect.

Member states were given limited room to adapt certain provisions to their national needs. In the United Kingdom, this led to the Data Protection Act 2018, which replaced the Data Protection Act 1998 and supplements the GDPR in UK law.

Key Principles of GDPR

The GDPR is built on seven fundamental principles, set out in Article 5 of the regulation, which govern how personal data must be handled. They are not prescriptive rules in themselves but rather a framework that expresses the GDPR's overall objectives. The principles are broadly similar to those in earlier data protection legislation.

The seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Only one of them, accountability, is new to data protection legislation; in the UK, all of the others have counterparts in the Data Protection Act 1998.

Minimization of Data

The data minimization principle is not new, but it is more relevant than ever at a time when organizations generate and collect more data than before. Organizations should not gather more personal data from their customers than they need for the stated purpose. According to the ICO (the UK's Information Commissioner's Office),

  • you should identify the minimum amount of personal data you need to fulfil your purpose; and
  • you should hold that much information, but no more.

The principle is intended to ensure that businesses do not collect excessive personal data. It also limits the impact of any breach: data that was never collected cannot be leaked.

Integrity and Confidentiality (Security)

Personal data must be protected against 'unauthorised or unlawful processing' and against accidental loss, destruction or damage. In practical terms, this means putting adequate information security controls in place so that data is not accessed by attackers or exposed through a breach. Because appropriate security measures vary from one organization to another, the GDPR does not prescribe a fixed set of controls; instead, Article 32 requires 'appropriate technical and organisational measures' proportionate to the risk, naming pseudonymisation and encryption, and the ability to restore access to data after an incident, as examples. A bank will be expected to secure data more comprehensively than a neighbourhood doctor's surgery. In all cases, however, effective access controls, securely configured websites and services, and pseudonymisation of stored data are expected.
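As an added example (not from the original article), the following Python shows one way to implement the pseudonymisation the security principle points to: direct identifiers are replaced with keyed HMAC-SHA256 tokens, and the key and the re-identification table are held apart from the working dataset, which is the 'additional information kept separately' that GDPR Article 4(5) requires of pseudonymised data. It also shows why an unkeyed hash does not qualify: an attacker holding a list of plausible email addresses can reverse it by guessing. The record fields, the email addresses and the leaked list are constructed sample data; `pseudonymise`, `reverse_by_guessing` and the other function names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Fields that directly identify a person; they are removed from the working
# dataset and kept only in the separately held re-identification table.
DIRECT_IDENTIFIERS = ("email", "name")

# Constructed sample records for the example (not real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "country": "DE", "visits": 3},
    {"email": "bob@example.org", "name": "Bob Example", "country": "FR", "visits": 7},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier, hex-encoded.

    The same identifier under the same key always yields the same token, so
    records for one person remain joinable. Without the key the token cannot
    be linked back to the person, even by someone who can guess the input.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split records into a working dataset and a re-identification table.

    The working dataset carries only a token plus the non-identifying fields.
    The table maps token -> direct identifiers and stays with the key holder,
    so subject access and erasure requests can still be honoured.
    """
    dataset: List[Dict] = []
    lookup: Dict[str, Dict] = {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        working = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working["subject_id"] = token
        dataset.append(working)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return dataset, lookup


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256. Included only to show why this is NOT pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reverse_by_guessing(token: str, candidates: Iterable[str],
                        hash_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recover the input behind a token by hashing each guess.

    Succeeds against an unkeyed hash whenever the identifier is guessable
    (email addresses are). Fails against the keyed token because the attacker
    has no key to feed into hash_fn.
    """
    for guess in candidates:
        if hmac.compare_digest(hash_fn(guess), token):
            return guess
    return None


def demo() -> Dict[str, Optional[str]]:
    # The key is generated here for the demo; in practice it lives in a key
    # store separate from the dataset, with access limited to the key holder.
    key = secrets.token_bytes(32)
    dataset, _lookup = pseudonymise(SAMPLE_RECORDS, key)

    # Constructed "leaked mailing list" an attacker might use for guessing.
    leaked_addresses = ["carol@example.net", "alice@example.com", "bob@example.org"]

    weak_token = unkeyed_hash("alice@example.com")
    strong_token = dataset[0]["subject_id"]
    return {
        "weak_recovered": reverse_by_guessing(weak_token, leaked_addresses, unkeyed_hash),
        "strong_recovered": reverse_by_guessing(strong_token, leaked_addresses, unkeyed_hash),
    }


if __name__ == "__main__":
    print(demo())  # weak_recovered is "alice@example.com"; strong_recovered is None
```

Note that a pseudonymised dataset is still personal data under the GDPR (Recital 26 says as much), so the security and accountability obligations continue to apply to it; keeping the key and the lookup table separate reduces the impact of a breach of the working dataset but does not take it outside the regulation.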

Accountability

Accountability is the only new principle under the GDPR; it was added to ensure that businesses can demonstrate that they are complying with the other principles that make up the regulation. At its most basic, accountability means documenting how personal data is handled and the steps taken to guarantee that only those with a need for it have access to it. Training staff in data protection measures, and regularly reviewing and auditing how data is handled, are further examples of accountability in practice.

If a company is investigated for a possible breach of one of the GDPR's principles, the accountability principle can be decisive. An accurate record of the systems in place, how data is handled, and the procedures adopted to reduce mistakes helps an organization demonstrate to regulators that it is compliant.

Who Must Comply with GDPR?

The General Data Protection Regulation (GDPR) applies to all organizations established in the European Union, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. As a result, practically every large organization in the world needs a GDPR compliance plan. The regulation distinguishes two kinds of data handler, 'controllers' and 'processors', both defined in Article 4: a controller determines the purposes and means of processing personal data, while a processor processes personal data on the controller's behalf.

The GDPR's goal is to apply a single data protection regulation to all EU member states, removing the need for each state to maintain its own rules and ensuring that the law is consistent across the EU. It is important to emphasise that, in addition to organizations in the EU, any firm that sells goods or services to people in the EU is subject to the regulation regardless of where it is located. As a result, the GDPR has raised data protection standards around the world.

Various Regulations of GDPR

Among the GDPR's principal privacy and data protection requirements are −

  • A lawful basis for processing, such as the data subject's consent, must exist before personal data is processed.
  • Stored data should be protected with measures such as pseudonymisation and encryption.
  • Breaches must be reported to the supervisory authority (within 72 hours where feasible) and, where the breach poses a high risk to individuals, to the affected data subjects.
  • Transfers of personal data across borders must be managed securely and lawfully.
  • Certain organizations must appoint a data protection officer to oversee GDPR compliance.

Fines and Penalties

Fines for non-compliance come in two tiers. Less serious infringements, such as failing to keep adequate processing records or to notify a breach, can attract fines of up to 10 million euros or 2% of the organization's annual worldwide turnover, whichever is higher. More serious infringements, including violations of the basic principles, infringements of data subjects' rights, unlawful international transfers of personal data, and failing to put processes in place for (or ignoring) subject access requests, carry a maximum of 20 million euros or 4% of annual worldwide turnover, whichever is higher, which for the largest companies could amount to billions of euros. The amount is set according to the severity of the breach and whether the organization is found to have taken security and compliance seriously.

Updated on: 19-Jul-2022
