GDPR stands for General Data Protection Regulation. It is a comprehensive data protection and privacy regulation implemented by the European Union (EU) on May 25, 2018. The GDPR was designed to strengthen and unify data protection laws within the EU member states and to provide individuals with greater control over their personal data.
Key principles of GDPR include:
- Consent: Individuals must give explicit consent for their personal data to be processed. Consent must be freely given, specific, informed, and unambiguous.
- Data Subject Rights: GDPR grants individuals various rights, including the right to access their personal data, the right to rectify incorrect data, the right to erasure (commonly known as the "right to be forgotten"), and the right to data portability.
- Data Breach Notification: Organisations are required to notify the relevant data protection authorities and affected individuals within 72 hours of discovering a data breach that poses a risk to individuals' rights and freedoms.
- Accountability and Governance: Organisations that collect and process personal data must demonstrate compliance with GDPR. They need to implement appropriate data protection policies, conduct data protection impact assessments for high-risk processing activities, and maintain records of their data processing activities.
- Data Protection Officer (DPO): Some organisations may be required to appoint a Data Protection Officer, responsible for overseeing data protection and GDPR compliance within the organisation.
- Cross-Border Data Transfers: GDPR imposes restrictions on the transfer of personal data outside the EU to countries that do not provide an adequate level of data protection.
- Fines and Penalties: Non-compliance with GDPR can lead to significant fines, depending on the severity of the violation. The fines can be up to 4% of the organisation's global annual revenue or €20 million, whichever is higher.
It's important to note that GDPR not only applies to organisations within the EU but also to any organisation outside the EU that processes the personal data of EU residents. As a result, GDPR has a global impact on businesses and how they handle personal data.
Who Does GDPR Apply To?
GDPR (General Data Protection Regulation) applies to two main categories of entities:
- Data Controllers: A data controller is an entity that determines the purposes, conditions, and means of processing personal data. This could be an organisation or an individual that collects personal data from EU residents for any purpose. Examples of data controllers include businesses, non-profit organisations, and government agencies.
- Data Processors: A data processor is an entity that processes personal data on behalf of the data controller. Data processors could be IT service providers, cloud hosting companies, payment processors, or any third party that handles personal data as instructed by the data controller.
Both data controllers and data processors are subject to the provisions of the GDPR, but they have different responsibilities.
Data Controllers' Responsibilities under GDPR:
- Data controllers are responsible for ensuring that personal data is processed lawfully, fairly, and transparently.
- They must obtain valid consent from individuals for processing their personal data.
- Data controllers must provide individuals with information about how their data is used and their data subject rights.
- They are required to implement appropriate security measures to protect personal data.
- Data controllers are obligated to report data breaches to the relevant authorities and affected individuals.
Data Processors' Responsibilities under GDPR:
- Data processors must process personal data only as instructed by the data controller.
- They have an obligation to implement appropriate security measures to protect the data they process.
- Data processors must assist data controllers in meeting their GDPR obligations, such as providing information for data protection impact assessments and cooperating in case of data breaches.
- They are not allowed to engage sub-processors without the prior consent of the data controller.
It's worth noting that GDPR applies not only to entities located within the EU but also to organisations outside the EU that offer goods or services to EU residents or monitor the behaviour of individuals within the EU. This extraterritorial scope ensures that GDPR has a broad reach and affects companies worldwide that process personal data of EU residents.
What are GDPR's Key Principles?
GDPR (General Data Protection Regulation) is built upon several key principles that organisations must adhere to when processing the personal data of individuals within the European Union. These principles are designed to ensure the protection of individuals' privacy and give them greater control over their personal data. The key principles of GDPR include:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Organisations must have a valid legal basis for processing personal data, and individuals must be informed about how their data will be used in a clear and understandable way.
- Purpose Limitation: Personal data should be collected for specified, explicit, and legitimate purposes. Organisations must not use the data for purposes that are incompatible with the original reasons for collecting it, and they should not retain the data longer than necessary for those purposes.
- Data Minimisation: Organisations should only collect and process personal data that is adequate, relevant, and limited to what is necessary for the intended purpose. Unnecessary or excessive data should not be collected.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Organisations should take reasonable steps to ensure that inaccurate data is rectified or erased without delay.
- Storage Limitation: Personal data should be kept in a form that allows identification of individuals for no longer than is necessary for the purposes for which the data is processed. Storage limitations help prevent the use of personal data for prolonged periods when it is no longer needed.
- Integrity and Confidentiality: Organisations must implement appropriate security measures to protect personal data from unauthorised access, disclosure, alteration, or destruction. This principle ensures the confidentiality and integrity of the data.
- Accountability: Organisations are responsible for demonstrating compliance with GDPR. They must maintain records of their data processing activities and be able to show that they are handling personal data in accordance with the regulation.
- Lawful Basis for Processing: Organisations must have a valid legal basis for processing personal data. The lawful bases include obtaining explicit consent from the individual, fulfilling a contract with the individual, complying with a legal obligation, protecting vital interests, performing a task carried out in the public interest, and pursuing legitimate interests (provided they do not override the individual's rights and freedoms).
- Individual Rights: GDPR grants individuals several rights regarding their personal data, including the right to access their data, the right to rectify incorrect data, the right to erasure (right to be forgotten), the right to data portability, the right to restrict processing, and the right to object to certain types of processing.
By adhering to these key principles, organisations can ensure that they handle personal data in a privacy-focused and compliant manner under the GDPR framework.
What are my GDPR rights?
As an individual residing in the European Union, you have several rights under the General Data Protection Regulation (GDPR) that empower you to have greater control over your personal data. These rights are designed to protect your privacy and ensure that organisations handle your data responsibly. Your GDPR rights include:
- Right to Access: You have the right to obtain confirmation from organisations whether they are processing your personal data and, if so, to access that data along with information about how it is being used.
- Right to Rectification: If the personal data held by an organisation is inaccurate or incomplete, you have the right to request its correction or completion.
- Right to Erasure (Right to be Forgotten): You can request the deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, when you withdraw your consent, or when the data processing was unlawful.
- Right to Restrict Processing: You have the right to request the restriction of processing your personal data, which means the data can still be stored, but not actively used, under certain conditions. This might apply, for example, while a dispute is being resolved.
- Right to Data Portability: You can request a copy of your personal data in a structured, commonly used, and machine-readable format. You can also request that the data be transmitted directly to another data controller if technically feasible.
- Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. The organisation must stop processing unless it has compelling legitimate grounds for continuing or the processing is necessary for legal reasons.
- Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to decisions based solely on automated processing, including profiling, if it significantly affects you. Exceptions exist if the decision is necessary for the performance of a contract, authorised by law, or based on explicit consent.
- Right to Withdraw Consent: If an organisation relies on your consent to process your personal data, you have the right to withdraw that consent at any time.
- Right to Lodge a Complaint: If you believe that an organisation is not complying with GDPR, you have the right to lodge a complaint with the relevant data protection authority in your country.
It's essential to note that the exercise of these rights is generally free of charge. Organisations must respond to your requests without undue delay and within one month, though this period may be extended in complex cases.
To exercise your GDPR rights, you can usually contact the organisation's Data Protection Officer or the relevant privacy contact provided by the organisation in their privacy policy.
GDPR Breaches and Fines
Under the General Data Protection Regulation (GDPR), breaches of data protection can lead to significant fines, which are designed to ensure that organisations take data privacy seriously and comply with the regulation. The severity of the fines depends on the nature of the breach and the extent to which the organisation has violated GDPR principles. There are two tiers of fines that can be imposed:
- Lower Tier Fines: For less severe violations, organisations can be fined up to €10 million or 2% of their global annual turnover, whichever is higher. Lower-tier fines are typically applied for offences such as not keeping proper records, not conducting data protection impact assessments when necessary, or not notifying data breaches to the supervisory authority or affected individuals.
- Upper Tier Fines: For more serious infringements, organisations can be fined up to €20 million or 4% of their global annual turnover, whichever is higher. Upper-tier fines may be imposed for more severe violations, such as not obtaining proper consent for data processing, violating the core principles of data processing (lawfulness, fairness, transparency, etc.), or failing to respect individuals' rights regarding their data.
It's important to note that the supervisory authorities responsible for enforcing GDPR have the discretion to determine the specific amount of the fine, considering factors such as the nature, gravity, and duration of the violation, the number of individuals affected, and the measures taken by the organisation to mitigate the damage.
In addition to fines, supervisory authorities have various corrective powers at their disposal to ensure compliance with GDPR. These powers include issuing warnings, ordering organisations to rectify violations, imposing temporary or definitive bans on data processing, and suspending data flows to countries outside the EU.
The actual application of fines and penalties will depend on the specific circumstances of each case. Organisations are encouraged to take GDPR compliance seriously and implement robust data protection measures to avoid breaches and potential fines.
How can organisations stay on top of GDPR?
Staying on top of GDPR compliance is essential for organisations that process the personal data of individuals within the European Union. By taking proactive measures and establishing a culture of data protection, organisations can ensure they meet the requirements of GDPR. Here are some key steps they can take to stay compliant:
- Data Protection Officer (DPO): Designate a Data Protection Officer if required by GDPR. The DPO is responsible for overseeing data protection practices, advising on compliance, and acting as a point of contact with data protection authorities.
- Awareness and Training: Conduct regular data protection training for employees to ensure they understand their responsibilities under GDPR and the importance of safeguarding personal data.
- Data Mapping: Conduct a thorough data mapping exercise to identify and document all personal data collected, processed, and stored by the organisation. Understand the purpose and legal basis for each data processing activity.
- Lawful Basis for Processing: Ensure that there is a valid lawful basis for processing personal data for each purpose. This could include consent, contract performance, legal obligation, vital interests, public task, or legitimate interests.
- Consent Management: If relying on consent for data processing, ensure that consent is obtained in a clear, explicit, and easily withdrawable manner. Maintain records of consent and update them if necessary.
- Privacy Policies and Notices: Review and update privacy policies and notices to provide clear information to data subjects about data processing activities, their rights, and how to exercise them.
- Data Subject Rights: Establish procedures to handle data subject rights requests promptly, including access, rectification, erasure, and data portability. Ensure employees are aware of these procedures.
- Data Security Measures: Implement robust data security measures to protect personal data from unauthorised access, disclosure, alteration, and destruction. Regularly assess and update security practices.
- Data Breach Response Plan: Develop a data breach response plan outlining the steps to be taken in case of a data breach, including notifying the relevant authorities and affected individuals within the required timeframe.
- Data Protection Impact Assessments (DPIAs): Conduct DPIAs for high-risk processing activities and address any potential data protection risks before starting such activities.
- Vendor Management: Ensure that third-party vendors or processors comply with GDPR and have adequate data protection measures in place. Include data protection obligations in contracts with vendors.
- Regular Auditing and Reviews: Conduct regular internal audits to assess GDPR compliance, identify areas of improvement, and address any gaps in data protection practices.
- International Data Transfers: If transferring personal data outside the EU, ensure appropriate safeguards are in place, such as Standard Contractual Clauses or Binding Corporate Rules.
- Monitor Regulatory Updates: Keep abreast of any changes or updates to data protection laws and regulations that may impact GDPR compliance.
By following these steps and consistently prioritising data protection and privacy, organisations can maintain GDPR compliance and build trust with their customers and partners regarding the handling of personal data.