The General Data Protection Regulation (GDPR) is a European privacy and data protection law that applies to entities established in the EU or EEA countries and to foreign entities that process personal data of European residents.
The UK has its own retained version of GDPR (UK GDPR) which essentially mirrors the EU version of GDPR.
Table of contents
What is GDPR and what does it mean for your business?
What is the UK GDPR and what is the difference from the EU GDPR?
What are the penalties for GDPR violations?
What are the recent GDPR enforcement cases?
What are the cybersecurity requirements under GDPR?
What are the data breach notification requirements under GDPR?
What is GDPR and what does it mean for your business?
In May 2018, the General Data Protection Regulation (GDPR, EU 2016/679) replaced the 95/46/EC Data Protection Directive, becoming the first comprehensive and overarching privacy law in the European Union (EU) and the European Economic Area (EEA). It provides individuals with enforceable rights to control how their personal data is processed, used and shared by companies, organizations and the public sector. GDPR is a holistic and complex law, composed of 99 articles and 173 recitals.
Among other things, the GDPR establishes a broad range of privacy rights for individuals (referred to as data subjects) that are enumerated in Articles 12-23 of the regulation. Many jurisdictions around the globe now follow the foundational privacy principles and the privacy-by-design and privacy-by-default philosophy of the GDPR, including the PDPA in Singapore, the LGPD in Brazil and the CCPA in California.
GDPR imposes a wide spectrum of duties upon covered organizations, including robust protection of personal data, data breach disclosure and notification to victims, compliance with individual requests to exercise their privacy rights (e.g. the right to be forgotten, the right to object to data processing, the right to data portability), and transparency, fairness and accountability in data processing. Monetary sanctions for non-compliance can be astronomically high (see below). Moreover, fines may be complemented with individual and class action lawsuits, alongside criminal penalties in certain member states.
Who is covered by GDPR?
Virtually all commercial entities and non-profit organizations of any size that process Personally Identifiable Information (PII) of EU residents are covered by the GDPR. Most governmental organizations, with narrow exceptions for law enforcement and national security agencies, are likewise covered by the GDPR regardless of their size, as stated in Article 2 (“Material Scope”) of the GDPR. Furthermore, EU-based entities must always abide by the GDPR even when processing PII of individuals residing abroad or when processing PII outside of the EU.
Article 3 (“Territorial Scope”) of the GDPR makes it clear that the law applies extraterritorially: whenever an entity located outside of the EU processes PII of European residents, the entity must fully comply with the GDPR. Foreign entities that violate the GDPR and ignore the subsequent legal ramifications may face a default judgement, seizure of their assets in the EU and retention of incoming payments from their EU customers.
GDPR also applies to paper-based processing of PII if such processing is part of a filing system (e.g. CRM or ERP), as elaborated in Section 1 of Article 2.
What is the UK GDPR and what is the difference from the EU GDPR?
Technically speaking, after completion of Brexit on January 1, 2021, the United Kingdom became a third country for the purpose of EU GDPR applicability and enforcement. But given the GDPR’s extraterritorial reach, UK companies that process PII of EU residents are still covered by the EU GDPR and have to comply with the regulation in the same manner as prior to the departure from the European Union. On 28 June 2021, the EU approved adequacy decisions in respect of the UK under the EU GDPR and the Law Enforcement Directive (LED) – this means data can continue to flow between the UK and EU as it did prior to Brexit, in the majority of circumstances.
After Brexit, the UK retained the EU GDPR within UK law – known as the UK GDPR. The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018).
The UK GDPR is almost identical to the EU GDPR and has essentially the same principles of data protection as its European sibling. UK-based companies should be familiar both with the UK GDPR and DPA 2018 that jointly regulate data protection and privacy within the UK.
Who enforces GDPR compliance?
According to Article 51 (“Supervisory authority”) of GDPR, all member states (EU/EEA) must establish one or several independent public authorities (referred to as “supervisory authorities”) to monitor and enforce the regulation. Commonly, such authorities are called Data Protection Authorities (DPAs).
Germany, for example, has a separate DPA in each of its 16 states (Länder).
In the UK the Information Commissioner’s Office (ICO) enforces the UK GDPR and DPA 2018.
National DPAs receive complaints from aggrieved individuals for violations of their privacy rights under GDPR, independently monitor for violations and enjoy virtually unrestrained investigatory and corrective authority pursuant to Article 58 (“Powers”) of the regulation.
The European Data Protection Board (EDPB) is established by Article 68 (“European Data Protection Board”) and is mainly tasked with producing advisory opinions and guidelines for the member states and bodies of the EU, to ensure a consistent and harmonious application of GDPR across all member states, as defined in Article 70 (“Tasks of the Board”). The EDPB is composed of the heads of the national DPAs and the European Data Protection Supervisor (EDPS). The European Commission (EC) may also participate in Board meetings, but without a voting right.
What are the penalties for GDPR violations?
Sections 4 and 5 of Article 83 (“General conditions for imposing administrative fines”) provide that the most serious breaches of the GDPR are punishable by fines of up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year of the offender – whichever is higher.
The maximum fine for less serious breaches is 10,000,000 EUR or 2% of the total worldwide annual turnover of the preceding financial year of the offender – whichever is higher. This lower tier of maximum fine is imposed by Article 84, paragraph 4 of the GDPR, and relates to breaches of the administrative requirements of the legislation.
In addition to the harsh fines aggressively imposed by national DPAs, individuals whose privacy rights under GDPR were violated are entitled to take legal action to obtain financial compensation for material or non-material damage pursuant to Article 82 (“Right to compensation and liability”) of GDPR.
Member states may complement administrative civil fines with criminal penalties under their national law, which may even include a custodial sentence. Many EU states, including Austria, France and Germany, have criminal sanctions for intentional mishandling of PII. In 2022 a German court found that a CEO was personally liable for a data privacy breach in the course of hiring a detective to investigate potential criminal acts by a third party.
In the UK, the Data Protection Act 2018 consolidates a variety of criminal sanctions in relation to egregious breaches of data protection rules.
What are the recent GDPR enforcement cases?
As of May 2023, European DPAs issued over 1,500 fines amounting to around 4 billion EUR in total.
The largest fine so far has been a whopping 1.2 billion EUR against Meta by the Irish Data Protection Commission in 2023. This fine largely related to Meta’s transfers of personal data to the US on the basis of standard contractual clauses (SCCs).
Another significant GDPR fine imposed by the Irish Data Protection Commission against Meta the previous year, specifically in relation to Instagram, amounted to 405 million EUR. This involved the social media platform disclosing email addresses and/or phone numbers of children, in contravention of Article 6 of the GDPR relating to the lawfulness of processing personal data.
Another mammoth fine was 746 million EUR imposed against Amazon by the Luxembourg National Commission for Data Protection (CNPD) in 2021. This related to the processing of customer data in relation to targeted advertising, allegedly in breach of the GDPR – although the company has vehemently denied any contravention of the regulation.
Previous substantial fines for insufficient data security or delayed data breach notifications were imposed upon Marriott International and British Airways after they suffered large-scale data breaches.
National DPAs also have the authority to limit or permanently ban PII processing by a covered organization, compel an organization to disclose a data breach, order an organization to implement the necessary technical and organizational steps to ensure compliance with GDPR, and oblige an organization to rectify or delete PII in its possession. In minor cases, a DPA may also issue a warning or reprimand; this will, however, be an aggravating circumstance for future violations and may trigger higher penalties.
What are the cybersecurity requirements under GDPR?
Article 4 (“Definitions”) of the GDPR creates the notions of “data controller” and “data processor”. In a nutshell, a controller decides how to process PII of data subjects, while a processor merely follows specific processing instructions received from the controller. The same organization may simultaneously be a controller and a processor.
Section 1 (f) of Article 5 (“Principles relating to processing of personal data”) sets a broad and comprehensive standard of data protection, stating that PII shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”
Under GDPR, both controllers and processors must implement the mandatory organizational and technical requirements for PII protection outlined in Article 32 (“Security of processing”). This includes risk assessment, adoption of internal security policies, data protection by design and data protection by default. GDPR is inspired by a risk-based model of cybersecurity: the more sensitive the data an organization handles, the higher the security standards it must implement.
Section 1 (b) of Article 32 emphasizes that security is a continuous process, mandating “ongoing confidentiality, integrity, availability and resilience of processing systems and services” for data processors and controllers regardless of their size or the quantity of PII they process. Some SMEs believe that they are exempt from GDPR’s security requirements, but they are not.
Section 1 (d) of Article 32 highlights the importance of regular security testing by imposing “a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” Additional information can be found in GDPR Recitals 75-79 and 83.
Article 25 (“Data protection by design and by default”) of GDPR imposes general duties and obligations on controllers, such as data minimization and implementation of risk-based security controls proportional to reasonably foreseeable threats.
EDPB guidelines on “Data Breach Notification (01/2021)” expressly suggest the following examples of security controls required to comply with GDPR data protection requirements:
- Implement proper patch management;
- Perform a systematic website security audit;
- Use an appropriate anti-malware detection system;
- Run vulnerability and penetration testing on a regular basis;
- Run systematic IT security audits and vulnerability assessments;
- Disable open cloud services.
What are the data breach notification requirements under GDPR?
GDPR introduces a mandatory data breach notification regime by virtue of Article 33 (“Notification of a personal data breach to the supervisory authority”). Processors must notify controllers (see above) about any data breach without undue delay (usually considered to be a matter of hours, not days). Data controllers must notify the relevant DPA as soon as possible, but no later than 72 hours after detection of the breach. Importantly, there is an implied duty to detect breaches and reportable security incidents as swiftly as practical: late detection is no defense and will likely trigger harsh penalties for failure to comply with the data breach notification requirement.
There are some narrow exceptions to the notification rule, for example when all stolen PII is protected with strong encryption and the key is not compromised. The best practice is, however, to always get in touch with the relevant DPA, most of which have standard data breach notification forms. All data breaches, regardless of whether they are reportable or not, must be recorded internally in a data breach register.
Article 34 (“Communication of a personal data breach to the data subject”) of GDPR requires the data controller to inform data subjects whose PII was lost, stolen, exposed, destroyed or otherwise compromised. Section 3 of the same article provides some narrow exceptions, but caution should be taken when relying on them.
What are the supply chain security requirements under GDPR?
The EDPB elaborated on the bilateral relationship between data controllers and data processors in the comprehensive guidelines on the “Concepts of Controller and Processor in the GDPR (07/2020)”.
GDPR imposes a wide range of duties related to supply chain and third-party risk management when third parties process PII of covered data subjects. The main duties of processors include, among other things, the same level of data security and protection as imposed by Article 32 of the regulation, the breach notification duty described above, restriction of PII sub-processing, training and vetting of personnel who have access to the PII, strict compliance with data processing instructions received from the data controller, and secure deletion of PII once the processing contract is terminated. Data controllers must prescribe these duties in a contract with all suppliers who have access to personal data covered by the GDPR.
Article 28 (“Processor”) of the regulation states that: “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation.” From a data protection viewpoint, it means that the controller is responsible and will likely be held legally liable for bad security practices of its processors and any sub-processors. Aggrieved data subjects may file civil lawsuits both against data controllers and processors.
GDPR Recital 81 underlines the security obligations of data processors, which must be thoroughly verified and regularly audited by data controllers: “controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this regulation, including for the security of processing.” Similarly, data processors are fully liable to data controllers and data subjects for the security of any sub-processors.
In practical terms, organizations covered by the GDPR are also required to design and continuously improve a third-party risk management program to minimize threats stemming from supply chain attacks on their data processors (e.g. cloud providers, security and IT vendors, marketing agencies, consulting companies, external call centers). Otherwise, they may end up paying a fortune in fines for someone else’s negligence.
List of authoritative GDPR and UK GDPR resources
Disclaimer: No Legal Advice. The information on this page conveys general information only and does not provide legal advice. The information on this page may not reflect the most recent legal developments. No action should be taken in reliance on the information on this page. A licensed attorney should be contacted for advice on specific legal issues.