GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law adopted by the European Union (EU) that came into effect on May 25, 2018, to safeguard EU and EEA citizens’ privacy and personal data. It imposes strict rules on how organizations collect, process, store, and transfer personal data, giving individuals greater control over their personal information and strengthening data privacy and security.
Overview of GDPR
- Law: General Data Protection Regulation
- Region: European Economic Area
- Signed On: 14-04-2016
- Effective Date: 25-05-2018
- Industry: Companies offering products or services to EU citizens
Personal Data Under the GDPR
The GDPR defines personal data as any information identifying a person directly (name, ID) or indirectly (location data, online identifiers). Even seemingly anonymous data can be personal if it can be re-identified with other information.
- Direct identifiers: Name, address, phone number, email address, identification number (e.g., social security number, passport number).
- Indirect identifiers: Location data (IP address, GPS coordinates), online identifiers (usernames, cookies), health data, genetic data, biometric data (fingerprints, facial recognition), economic, cultural or social identity information, etc.
The General Data Protection Regulation (GDPR) comprises several key components that form the foundation of its comprehensive data protection framework. These components include:
- Legal Basis for Processing
- Data Subject Rights
- Accountability and Governance
- Data Protection Principles
- Data Security Measures
- Data Breach Notification
- Cross-Border Data Transfers
- Data Protection Impact Assessments (DPIAs)
- Supervisory Authorities and Enforcement
Data Protection Principles
These principles form the foundation of GDPR, outlining how personal data should be handled:
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a way that is transparent to the individual.
- Purpose limitation: Personal data must be collected for specified, explicit, and lawful purposes.
- Data minimization: Only the minimum personal data necessary for the intended purpose can be collected.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date.
- Storage limitation: Data must be kept in a form that permits the identification of data subjects for no longer than necessary for the processing purposes.
- Integrity and confidentiality: Appropriate technical and organizational measures must be implemented to protect data from unauthorized or unlawful processing and accidental loss, destruction, or damage.
- Accountability: The organization is responsible for ensuring compliance with all of the above principles.
Rights Under the GDPR
The General Data Protection Regulation (GDPR) grants individuals several privacy rights to empower them with greater control over their data. These rights include:
- Right to Access: Individuals can obtain confirmation from organizations whether their data is being processed and, if so, to access that data along with relevant information about its processing.
- Right to Rectification: Individuals can request the correction of inaccurate or incomplete personal data held by organizations, ensuring that their information remains up-to-date and accurate.
- Right to Erasure (Right to be Forgotten): Individuals can request data deletion under certain circumstances, such as when the data is no longer necessary for its original purpose or when they withdraw consent.
- Right to Data Portability: Individuals can request the transfer of their data from one organization to another in a structured, commonly used, and machine-readable format, enabling more effortless movement between service providers.
- Right to Restriction of Processing: Individuals have the right to restrict the processing of their data under certain conditions, such as disputing the accuracy of the data or objecting to its processing.
- Right to Object: Individuals can object to the processing of their data for specific purposes, such as direct marketing, or to processing based on legitimate interests, unless the organization can demonstrate compelling reasons that override the individual’s interests or rights.
- Rights related to Automated Decision-Making and Profiling: Individuals have the right not to be subject to decisions based solely on automated processing or profiling. Exceptions exist when such decisions are necessary for a contract or are made with the individual’s explicit consent.
Who Needs to Comply with the GDPR?
Though the General Data Protection Regulation (GDPR) applies to a wide range of organizations that process personal data, regardless of their size, location, or sector, it doesn’t apply to everyone. Use cases of its implementation span various industries and sectors, including healthcare, finance and banking, retail and e-commerce, technology and its services, telecommunications, marketing and advertising, education, government and public sector, manufacturing and industry, transportation and logistics, etc. It generally applies to:
- Organizations established in the EU/EEA
- Non-EU organizations that process the personal data of individuals in the EU/EEA
Exceptions
A few exceptions to GDPR applicability exist, such as processing personal data for personal or household activities. However, these exceptions are narrowly defined, and it’s best to consult legal counsel for specific situations.
Regulatory Risks
GDPR outlines two tiers of fines based on the severity of the violation:
Tier 1: Up to €10 million, or 2% of the global annual revenue of the preceding financial year (whichever is higher), for violations such as:
- Failure to maintain proper records of processing activities.
- Failure to implement appropriate technical and organizational measures to ensure data security.
- Not appointing a data protection officer when necessary.
- Failure to conduct data protection impact assessments (where required).
- Failure to notify supervisory authorities or data subjects of a data breach.
Tier 2: Up to €20 million, or 4% of the global annual revenue of the preceding financial year (whichever is higher), for more severe violations, including:
- Violations of the core principles of data processing, including a lack of legal basis for processing, failure to obtain consent, or processing data beyond the specified purpose.
- Processing of sensitive personal data without appropriate safeguards or consent.
- Failure to comply with data subject rights requests, such as access, rectification, erasure, or data portability.
- Transferring personal data to a third country or international organization without adequate safeguards or legal basis.
- Violating the conditions for obtaining valid consent for data processing.
- Ignoring orders or sanctions imposed by supervisory authorities.
Compliance Authority for GDPR
The compliance authority for the General Data Protection Regulation (GDPR) primarily rests with the supervisory authorities of each European Union (EU) or European Economic Area (EEA) member state. Examples of supervisory authorities include:
- Information Commissioner’s Office (ICO) – United Kingdom
- French Data Protection Authority (CNIL)
- Data Protection Commission (DPC) in Ireland
- Autoriteit Persoonsgegevens (AP) in the Netherlands
- German Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Additionally, the European Data Protection Board (EDPB) ensures consistent application of the law across the EU/EEA. The EDPB provides guidance, issues opinions and recommendations, and resolves disputes between supervisory authorities.
How to Avoid GDPR Fines?
Organizations can minimize the risk of hefty fines by taking proactive steps toward GDPR compliance, such as:
- Conducting data mapping and gap analysis
- Implementing appropriate technical and security measures like data masking
- Obtaining explicit consent for data processing
- Addressing data subject requests promptly and efficiently
- Reporting data breaches within prescribed timeframes
- Seeking legal counsel for guidance on data privacy regulations
In conclusion, the compliance authority for the General Data Protection Regulation (GDPR) lies in the supervisory authorities of each European Union (EU) or European Economic Area (EEA) member state. These authorities play a crucial role in monitoring and enforcing GDPR compliance within their jurisdictions, ensuring the protection of individuals’ data. While supervisory authorities bear the primary responsibility for enforcement, organizations must also prioritize internal compliance efforts to uphold data protection standards, avoid fines, and maintain stakeholder trust.
FAQ
What is the GDPR?
The European Union (EU) enacted the comprehensive General Data Protection Regulation (GDPR) in 2018. It aims to enhance individuals’ rights regarding their data and harmonize data protection regulations across EU member states.
What are the consequences of GDPR non-compliance?
Penalties may amount to a maximum of €20 million or 4% of the company’s annual worldwide revenue.
What constitutes personal data under the GDPR?
Under the GDPR, personal data is any information that identifies a person directly (e.g., name, identification number) or indirectly (e.g., location data, online identifiers). Even seemingly anonymous data counts as personal data if it can be re-identified when combined with other information.