The General Data Protection Regulation (GDPR) is a new European Union (EU) regulation that gives individuals greater rights over their personal data. The GDPR tells organizations how they are allowed to collect and use personal data, and how they must protect it.

A short guide to the GDPR

GDPR timeline: The GDPR was released in May 2016 and the deadline for organizations to comply was May 25, 2018.

GDPR scope: The GDPR covers personal data, which is any information ‘concerning an identified or identifiable natural person’. This extends to a very wide range of information, including transactional documents; online identifiers such as IP addresses; and manual filing systems as well as databases. The regulation does not apply to data processing activities for law enforcement, national security purposes or purely for personal or household use.

What it replaces: The GDPR replaces the 1995 European Data Protection Directive (95/46/EC).

Purpose: The GDPR aims to provide a strong framework to protect personal data as a fundamental human right while enabling the free flow of data both within the EU and internationally in order to foster economic growth.

Who it affects: The GDPR applies to any organization processing the personal data of EU residents, regardless of whether the organization is located within the EU or outside.

Read about our solutions for GDPR compliance


Important changes:

Accountability and governance
Organizations must adopt measures to demonstrate compliance with GDPR principles, such as documenting data processing activities and restricting the amount of personal data they collect to the absolute minimum required. 

New financial penalties
Non-compliance with the GDPR can lead to fines of up to €20M or four per cent of annual worldwide turnover, whichever is greater. 

Tougher restrictions on data processing
You may only process personal data if you have a valid lawful basis for doing so, such as informed consent (not pre-ticked boxes), or a 'legitimate interest'.  

Breach notification
Organizations must report data breaches to the relevant supervisory authorities within 72 hours if the breach is likely to put at risk the rights and freedoms of individuals. 

Greater rights for individuals
These include the right to access their data free of charge and without delay; the right to have errors corrected ('rectification'); the right to have their data erased; the right to have it transferred to a different service provider in a 'structured, machine readable format' ('data portability'); and the right to be informed about how their data is used.

In September 2017 we surveyed 1,000 UK consumers to gather their views on data privacy and the General Data Protection Regulation.