GDPR Compliance
The European General Data Protection Regulation (GDPR) has fundamentally changed how businesses handle data. Introduced in 2018, the regulation requires all companies operating within the EU to follow the data protection act, or else they face heavy fines. GDPR compliance isn’t optional, which means that companies everywhere have had to make substantial reform to adjust to these changes.
Likewise, implementing such a heavy reform meant that that a vast sector of the global economy has naturally experienced some speed bumps. Large companies that handle huge amounts of data have already breached GDPR guidelines which, in turn, costed millions in fines and costs related to fixing the issue.
While the GDPR is a European law, it applies to any company or organisation that makes its website or services available to EU countries. In this article, we will be discussing General Data Protection Regulation compliance in organisations and what the GDPR means. We will also discuss the requirements for GDPR consent, GDPR compliance checklist for US companies, and what is considered personal data under the GDPR.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a regulation in European law that concerns the protection and privacy of data in the European Union (EU) and the European Economic Area (EEA). The regulation addresses the transfer of personal data outside the EU and EEA areas. The GDPR primarily aims to give control over to individuals over their own personal data. As well as simplifying the regulatory environment for international business by unifying the regulation within the EU. The GDPR also applies to non-EU companies processing European personal data outside the European Union.
The General Data Protection Regulation aims to prevent companies and organisations from using personal data for their own benefit. Under this regulation, companies and organisations are forbidden from sharing personal data with any third party without the consent of their users.
The European Commission believes that consumer trust is essential to nurturing growth in the digital economy. And trust can be won by giving users of digital services more information and greater control over how their data is used. The GDPR was agreed upon after more than three years of negotiations between various European Union institutions.
GDPR has defined various provisions that makes it compulsory for businesses to protect the personal data and privacy of citizens of the EU and the UK for business transactions taking place within the EU member states, as well the exporting of personal data of the users outside of the EU.
It is important to keep in mind that all 28 member states of the EU must comply with the GDPR. However, the standards have been set quite high, which means businesses need to make efforts to ensure complete compliance. Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymising collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
The aim of the GDPR can be summarised by the EU’s executive body, the commission:
The objective of this new set of rules is to give citizens back control over of their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
What does ‘GDPR Compliance’ mean?
General Data Protection Regulation compliance has become obligatory for every business or organisation which gathers, stores or uses the personal data of citizens throughout the European Union. In answering the question as what the meaning of ‘GDPR compliance’ is, we should first begin by explaining the difference between a European Union Directive and a European Union Regulation.
A European Union Direction is a general set of guidelines on which a European Union member country may base their own domestic laws around, with some allowed flexibility. In contrast, an EU regulation is legislation that applies throughout the entire EU, meaning that every country or state within the EU must comply with regulations as they are enforced by law.
The GDPR is an EU Regulation. The 1995 EU Data Protection Directive will be replaced by the GDPR which intends to create a set of standard data protection laws across the European Union. Businesses and companies that operate in several EU member countries will now be obligated to work within a uniform set of rules which resolve issues that were previously impossible to predict when the 1995 Directive was drafted, e.g. data processing in context of “cloud” technology.
What is considered ‘personal data’?
Data is considered personal if it contains any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute as personal data. It should also be noted that the GDPR protects personal data regardless of the technology used for processing data. This means that the regulation applies to both automated and manually processed data.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
Now, when we say GDPR covers the personal data and privacy of users of the EU, it helps to know precisely the kind of data that is covered by the regulations. So, here goes…
- Name, address, email ID and other basic information about the identity of the individual
- IP address, location, cookie data and other miscellaneous information collected online by websites and apps
- Views shared on social media on politics and other topics
- Ethnic or racial data
- Data held in medical files, which could be a symbol that uniquely identifies a person
- Biometric data
- Sexual orientation
- Health records and medical information
Penalties for Non-Compliance
Since the GDPR is as its name suggests, a regulation, it is enforced by law and any EU member states who do not comply with the regulation will be imposed with heavy fines. The maximum fine under the GDPR is up to 4% of the annual global turnover of the organisation or €20 million – whichever is the greater number.
However, not all GDPR violations result in monetary fines. Authorities such as the UK’s Information Commissioner’s Office can take a range of other actions which include:
- Warnings and reprimands;
- Ordering a suspension of data transfers to third parties;
- Ordering the restriction, erasure, or rectification of data; and
- Imposing a ban (temporary or permanent) on data processing.
If a member state violates the GDPR, fines are then administered by individual member state supervisory authorities. The following ten things are to be used to determine the amount of the fine on a non-compliant organisation:
- Nature of infringement: number of people affected, damaged they suffered, duration of infringement, and purpose of processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organisational preparation the firm had previously implemented to prevent non-compliance
- History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type: what types of data the infringement impacts; see special categories of personal data
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement
The rights of individuals
Organisations and companies which collect, maintain, or uses an individual’s personal data but neglects to first obtain the consent of those individuals, or fails to permanently delete the data of those individuals – are in violation of the GDPR. There are numerous rights that individuals have and must be taken into account by organisations when they establish their GDPR compliance. Here are some examples of rights of individuals:
- The right to view or consult stored personal data.
- The right to correct any errors in their personal data.
- The right to be informed as to how their personal data will be used.
- The right to be informed as to how long their personal data will be stored.
- The right to be informed who their personal data is being shared with.
- The right “to be forgotten” – to have all records of personal data permanently deleted.
- The right to be informed as to the source of their personal data in circumstances where informed consent was not in fact given.
Ensuring GDPR compliance
Read the GDPR
Reading and understanding the GDPR should be the first step any organisation, company, or concerned individual should do in order to understand the GDPR better and ensure preventable mistakes are not made.
Search for best practices
A majority of businesses worldwide are affected by the GDPR, not only those in the EU. If your organisation lacks the knowledge to be GDPR compliant, looking for best practices or to other companies who are GDPR compliant will give your organisation a good head start.
Monitor data closely
The GDPR requires that all data complies with GDPR guidelines. It is important that any company that works with data ensure they have a good plan for how they transfer, process, store and handle data either digitally or physically. This is to prevent breaches and to help with proper reporting in the event of a data breach or cyber security attack.
Consult with legal experts
The GDPR is still a new a regulation. It isn’t expected for every company to fully understand every bit of the legal jargon. That is why it is always a good idea to hire legal experts. They will ensure that every rule in the regulation is understood by the company and that nothing is left unchecked.
