Data is more important to our lives than it has ever been. From the online services people use to malls, there are oceans of data that, when improperly managed, could breach people’s privacy and reduce their quality of life.

This is why data protection regulations such as GDPR (General Data Protection Regulation) are so important.

One of the major changes GDPR introduced is found in how websites use popups. If you wonder what the GDPR is and why you see popups concerning your data on websites, this article is for you.

What Is GDPR?

The European Commission first drafted the GDPR in 2016. The regulation became active in 2018, providing rules designed to give EU citizens more control over their personal data. Since then, the GDPR has grown in influence as more countries outside of the EU apply it to their regions.

Principles of GDPR

GDPR aims to ensure that both citizens and businesses can benefit from the digital economy. According to the EU, GDPR is designed to “harmonize” data privacy laws across its member states and provide more data protection and privacy rights to individuals.

The GDPR is based on seven principles, some of which existed in previous data protection rules. The seven principles of GDPR include:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Controllers and Processors of Data

GDPR is meant to be followed by data controllers and processors. Controllers are organizations that exercise control over the purposes and means of the processing of personal data. GDPR classifies controllers as companies that decide why and how personal data should be processed.

In certain cases, an organization can be considered a joint controller if it jointly determines why and how personal data should be processed together with one or more organizations.

An example of a joint data controller can be found where two companies make a website to sell their products and share client data. Both companies could be classified as joint controllers because of the combined services they offer and the common platform they designed and use.

Processors of data are people or organizations that process personal data for controllers. An example of a processor is a printing company that uses the personal data of a client's customers to make digital marketing material on its instructions.

Under GDPR, both controllers and processors have to follow the regulations. Failure to do so may lead to huge fines or reputational damage. The regulations revolve around how controllers and processors collect and use personal data.

Personal Data

Data that can be used to identify an individual constitutes personal data under the GDPR. Often, personal data comes in the form of an online identifier or with special characteristics that express physical, psychological, genetic, mental, commercial, cultural, or social identity.

Personal data is a key element of GDPR. This is because GDPR only applies to the use of personal data. Under existing legislation, the types of data that may be classified as personal data include:

  • Name
  • Identification number
  • Location
  • Address
  • Credit card number
  • Account data
  • Number plate
  • Customer number

Special Categories of Personal Data

The standards of protection for special categories of personal data are much higher than the standards for general personal data. Special categories of data include:

  • Genetic data
  • Biometric data
  • Health data
  • Political opinions
  • Religious or ideological convictions
  • Trade union membership
  • Personal data which reveals racial and ethnic origins

GDPR places a lot of emphasis on transparency. For this reason, it requires website operators to get consent from users to use their protected data.

Whenever you visit a website, a cookie file may be saved on your device. This file contains information about the website and about you, which the website may use to tailor the experience to you.

Information in a cookie file may include personally identifiable information likely protected under GDPR. Consequently, websites have to get your consent before they collect your data with cookies.

Some websites require users to accept all cookies before they can continue using the website. In some cases, users are given more choices over the types of cookies they allow, while other websites opt not to collect information or force users to respond to the cookie banner.

Why Doesn’t GDPR Apply to the UK?

After the UK completed the Brexit transition period (as part of the separation process from the EU), the GDPR no longer applied directly to the nation, because the UK is no longer part of the EU. However, the regulation continues to influence data protection in the UK indirectly.

The DPPEC (Data Protection, Privacy, and Electronic Communications) Regulations 2019 were used to bring some of the requirements of GDPR into the UK’s Data Protection Act 2018 (DPA 2018). The UK merged the requirements of the EU GDPR with the DPA 2018 to create a new set of data protection rules, known as the "UK GDPR."

GDPR and Other Regional Regulations

Data privacy laws with similar provisions to GDPR continue to be introduced in different parts of the world. As a result, more regions than ever (especially those in Europe) have local laws and regulations that are GDPR friendly.

Brazil’s Lei Geral de Proteção de Dados (LGPD) is modeled directly after GDPR. The regulation requires companies that wish to do business in Brazil to comply with its data protection regulations or pay fines. The definition of personal information in the LGPD is similar to the definition in the GDPR. While the GDPR defines personal information as,

In the USA, every state has its own privacy laws. The California Consumer Privacy Act (CCPA) contains the strictest data privacy rules in the USA. A lot of its provisions overlap with GDPR. While the GDPR requires businesses to prompt users on their website to accept cookies and other tracking technologies, the CCPA requires businesses to have a "Do Not Sell My Info" or "Do Not Sell My Personal Information" link.

Even before the introduction of the GDPR, many EU states had regulations with similar rules. In many EU nations, accountability is the only principle that their data protection rules did not have before applying GDPR.

Protecting Individual Rights

With 99 individual articles, GDPR is considered to be the strongest set of data protection rules in the world.

The reason for this becomes clear when GDPR is compared against other regional regulations. It builds on pre-existing regulations, adding more rules to protect the rights of individuals. The GDPR has simplified the process of protecting data privacy, so much so that even faceless websites are using popups to get user consent before collecting their data with cookies.