GDPR

The EU General Data Protection Regulation (GDPR) is considered the world's most robust data protection law. It aims to protect individuals and their data while ensuring that organizations collect and manage data responsibly.

With the GDPR, Europe is signaling its firm stance on data privacy and security. The GDPR enforces its rules by imposing potentially heavy fines and reputational damage on those who breach them.

This article will discuss the GDPR, who it applies to, how to comply, and the penalties for non-compliance.

What Is the GDPR?

The GDPR entered into force in May 2016 and has applied since May 25, 2018. It imposes obligations on organizations anywhere in the world, including outside the EU, that offer goods or services to people in the EU or monitor their behaviour, regardless of where the organization itself is established.

At the core of the GDPR lies the protection of personal data. Personal data is any information relating to an identified or identifiable living individual. This includes obvious items such as a person's name or home address, but also data that can single someone out indirectly, such as IP addresses, device identifiers, and cookie identifiers.

Below is the subject matter and objectives article of the GDPR. These three objectives capture the essence of the GDPR: the protection of the fundamental rights of natural persons, in particular their right to the protection of their personal data, while allowing personal data to move freely within the EU.

GDPR Article 1

Who Does the GDPR Apply To?

The GDPR applies to all organizations established in the EU that process personal data. It also applies to non-EU organizations that offer goods or services to people in the EU or monitor their behaviour, and therefore process those people's personal data.

The GDPR sets this out in Article 3, which defines the territorial scope of the law. Note that an organization must comply with the GDPR if it offers a good or service to a person in the EU, irrespective of whether a payment is required.

GDPR Article 3

There are a few exceptions to the scope of the GDPR to note:

  1. If the data processing is a purely personal or household activity. The GDPR applies only to processing connected with professional or commercial activity.
  2. If the data subject is deceased. The GDPR does not apply to the personal data of deceased persons, although individual member states may regulate this separately.
  3. If the data subject is a company. Data about a legal person, such as a company's name or contact details, is not personal data.

According to the GDPR, a data subject is a natural person who can be identified, directly or indirectly, by reference to data such as a name, an identification number, location data, an online identifier, or factors specific to their physical, genetic, mental, economic, cultural or social identity.

Additionally, organizations with fewer than 250 employees have a limited exemption under Article 30 from the obligation to keep records of processing activities. The exemption does not apply if the processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data or data about criminal convictions. Because most businesses process personal data routinely rather than occasionally, the exemption is narrower in practice than it first appears.

How Do You Comply With the GDPR?

You comply with the GDPR by meeting the principles and obligations set out in the regulation's text. We discuss several of the data protection principles below, including security, accountability, and data minimization, along with other steps required for compliance.

You Must Keep Data Secure

Security (the GDPR calls this principle "integrity and confidentiality") requires that personal data be protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage. In practice this means implementing technical and organizational measures that prevent unauthorized access and data breaches.

The GDPR does not prescribe specific security controls, since appropriate measures differ for each organization and must be proportionate to the risk. Article 32 does, however, explicitly name pseudonymization and encryption of personal data, the ability to restore availability and access after an incident, and regular testing of the measures in place. Encryption in transit (for example, TLS on every website and API) and at rest, together with pseudonymization, are therefore always worth using.

Pseudonymization is the process of replacing direct personal identifiers in a data set with placeholder values (tokens), while the key or lookup table needed to reverse the replacement is kept separately and protected. Pseudonymized data is still personal data under the GDPR because the organization can re-identify it; this is what distinguishes it from anonymization, where re-identification is no longer possible.
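The following Python code is an added example, not code from the original article. It shows one way to pseudonymize records: direct identifiers are replaced by keyed HMAC-SHA256 tokens, the secret key and the token-to-identifier lookup table are held apart from the pseudonymized data set (the "additional information" the GDPR requires to be kept separately), and erasing the mapping makes the records unattributable to the person. It also shows why an unkeyed hash of an e-mail address is not a pseudonym. The record layout, the identifier fields, the key, and all names and addresses are constructed for the demo.

```python
"""Pseudonymization demo (added example; constructed data throughout)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Fields treated as direct identifiers in this constructed record layout.
DIRECT_IDENTIFIERS = ("email", "name")


class Pseudonymiser:
    """Deterministic keyed pseudonyms with a separately held lookup table."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # The key stays with the controller, never with the pseudonymized data set.
        self._key = key if key is not None else secrets.token_bytes(32)
        # token -> original value; stored apart from the pseudonymized records.
        self._lookup: Dict[str, str] = {}

    def _tag(self, field: str, value: str) -> str:
        # Normalise so "Ana@x" and "ana@x " map to the same token; include the
        # field name so the same string in two fields yields two different tokens.
        msg = f"{field}\x00{value.strip().lower()}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            value = out.get(field)
            if isinstance(value, str) and value:
                tag = self._tag(field, value)
                self._lookup.setdefault(tag, value)  # keep first-seen spelling
                out[field] = tag
        return out

    def pseudonymise_all(self, records: Iterable[dict]) -> List[dict]:
        return [self.pseudonymise(r) for r in records]

    def reidentify(self, tag: str) -> Optional[str]:
        """Reversal is only possible for whoever holds the lookup table."""
        return self._lookup.get(tag)

    def erase(self, field: str, value: str) -> bool:
        """Right-to-erasure support: dropping the mapping leaves the
        pseudonymized records, but they can no longer be tied to the person."""
        return self._lookup.pop(self._tag(field, value), None) is not None


def dictionary_attack(target: str, candidates: Iterable[str],
                      digest: Callable[[str], str]) -> Optional[str]:
    """An attacker with a candidate list (e.g. leaked e-mail addresses) tries
    every candidate through the digest function they believe was used."""
    for candidate in candidates:
        if digest(candidate) == target:
            return candidate
    return None


# Constructed sample records; the first two are the same person.
SAMPLE_RECORDS = [
    {"email": "Ana.Costa@example.org", "name": "Ana Costa", "plan": "pro", "logins_30d": 14},
    {"email": "ana.costa@example.org", "name": "Ana Costa", "plan": "pro", "logins_30d": 3},
    {"email": "b.okafor@example.org", "name": "Ben Okafor", "plan": "free", "logins_30d": 0},
]


def demo() -> dict:
    p = Pseudonymiser()
    pseudo = p.pseudonymise_all(SAMPLE_RECORDS)
    # Same person -> same token, so analytics can still group their records.
    same_person_linkable = pseudo[0]["email"] == pseudo[1]["email"]
    recovered = p.reidentify(pseudo[0]["email"])
    p.erase("email", "ana.costa@example.org")
    after_erase = p.reidentify(pseudo[0]["email"])

    candidates = ["ana.costa@example.org", "b.okafor@example.org"]
    # Weak practice: plain SHA-256 of the e-mail address is trivially guessable.
    unkeyed = hashlib.sha256(b"b.okafor@example.org").hexdigest()
    unkeyed_guess = dictionary_attack(
        unkeyed, candidates, lambda s: hashlib.sha256(s.encode()).hexdigest())
    # Keyed token: the attacker knows the scheme and the candidates but not the
    # key, so even a correct guess of the e-mail address never matches.
    attacker = Pseudonymiser(key=b"attacker-guessed-key")
    keyed_guess = dictionary_attack(
        pseudo[2]["email"], candidates, lambda s: attacker._tag("email", s))

    return {
        "records": pseudo,
        "same_person_linkable": same_person_linkable,
        "recovered": recovered,
        "after_erase": after_erase,
        "unkeyed_guess": unkeyed_guess,
        "keyed_guess": keyed_guess,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The non-identifying fields (plan, login counts) survive untouched, which is the point: the pseudonymized set remains useful for analytics, while only the holder of the key and lookup table can say who "Ana Costa" is. In a real deployment the key would live in a KMS or HSM and the lookup table in a separately access-controlled store, not in the same process as the data set.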

The security obligations also cover breach handling. If a personal data breach occurs, you must notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). If the breach is likely to result in a high risk to individuals, you must also inform the affected persons without undue delay (Article 34). Failing to do so exposes you to penalties.

You Must Demonstrate Accountability in Your Data Collection Processes

Data accountability involves documenting how personal data is managed. It also entails that only authorized individuals can access this data. Accountability also includes providing data protection training to staff and regular assessment of data handling processes.

If your business handles personal data, you have to be able to demonstrate GDPR compliance by integrating accountability into your processes. Among the ways you can do this include:

  1. Assigning data protection duties to named members of your team
  2. Keeping thorough records of the data you collect, how it is used, where it is stored, and the employee accountable for it
  3. Implementing technical and organizational security measures, which usually include restricting access to personal data and pseudonymizing or encrypting it

If the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to individuals' personal data could negatively affect the individuals involved, the data protection regulator of the respective country must be notified within 72 hours of becoming aware of the breach. Negative effects include financial loss, breaches of confidentiality, damage to reputation, and more.

You Must Minimize the Data You Collect

Data minimization is a data protection principle that emphasizes that organizations should collect only the necessary personal information from their users and no more. This principle aims to prevent organizations from gathering excessive data about individuals.

You Must Obtain Consent Before Processing Personal Data

Consent is one of the lawful bases the GDPR allows for processing personal data (the others are listed in Article 6 and discussed below). If you rely on consent, it must be freely given, specific, informed, and unambiguous, and you must keep records that prove it was given.

Once you have consent, the person has the right to withdraw it at any time, and withdrawing consent must be as easy as giving it.

Article 7 of the GDPR, shown below, sets out the four conditions for consent. Notice that a request for consent included in a written declaration must be clearly distinguishable from the other matters in that document and written in "clear and plain language."

GDPR Article 7

You Must Respect Individuals' Privacy Rights

The GDPR recognizes several privacy rights for individuals. These rights aim to give people in the EU more control over the data they entrust to organizations.

As an organization, you must ensure that these rights can actually be exercised in order to comply with the GDPR. Here is a summary of some of the most important data subject rights:

  1. Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject. This refers to an individual's right to be informed of who will collect their information, what it will be used for, the purpose of the collection, and more.
  2. Right of Access by the Data Subject. This right refers to a data subject's right to access their information. This includes the purpose of the data collection, the categories of data collection, and how long the data will be stored.
  3. Right to Rectification. This grants individuals the right to rectify inaccurate personal data and fill in incomplete data.
  4. Right to Erasure ('Right to Be Forgotten'). This gives data subjects the right to have their personal data erased without undue delay under the conditions specified in Article 17.
  5. Right to Object. This allows individuals to object to processing that is based on public interest or on the organization's legitimate interests; the organization must then stop unless it can demonstrate compelling legitimate grounds that override the individual's interests. Individuals can also object at any time to their data being used for direct marketing, and that objection must always be honored.

Chapter 3 of the GDPR, shown below, recognizes these rights, among others, across 12 different articles.

GDPR Chapter 3 Articles list

You Must Only Process Personal Data if It Fulfills at Least One of the GDPR Conditions for Lawful Data Processing

Article 6, shown below, lists the instances in which processing personal data is legal. Note how you only need to fulfill at least one of the cases for your data processing to be considered lawful.

GDPR Article 6

After determining the legal justification for processing personal data, it's important to record this basis and inform the data subject. If you change your justification for processing later on, you must have a valid reason, then document it and notify the data subject.

You Must Make Data Protection a Core Value of Your Business

According to the GDPR, your organization must consider data protection "by design and by default." This means that data protection should be a core objective from the beginning of any data processing activity or business.

Ensure that only necessary personal data is collected, including the type and amount collected, processing extent, storage period, and accessibility. Data must also be protected throughout its life cycle.

Finally, it's essential to be transparent in your Privacy Policy about your data processing activities, such as what data you collect, what it's used for, and the justification for this collection.

You Must Make Sure Your Privacy Policy is Publicly Available and is GDPR-compliant

The GDPR requires businesses to make their privacy policy publicly accessible. A privacy policy is a formal document that reveals how a party collects, uses, shares, and handles a person's data.

A GDPR-compliant privacy policy should address at least the following. Articles 13 and 14 list the full set of information to provide, which also includes the lawful basis for each processing purpose, how long data is retained, who receives it, whether it is transferred outside the EU, and the rights individuals have.

  1. The data you collect and how it will be used. Your privacy policy needs to state the categories of personal data you collect and the purposes for which each is used.
  2. Contact information. Your privacy policy should include ways for individuals to contact you, your data protection officer if you have one, and your EU-based representative if you are established outside the EU.

You Must Appoint a Data Protection Officer if Necessary

A Data Protection Officer (DPO) is an independent specialist who ensures that organizations follow data protection laws. They work directly with a business's top management to align data protection strategies with the law.

Article 37 of the GDPR requires an organization to appoint a DPO if:

  1. It is a public authority or body (other than a court acting in its judicial capacity)
  2. Its core activities require regular and systematic monitoring of individuals on a large scale
  3. Its core activities consist of large-scale processing of special categories of data (such as health, biometric, or political data) or data relating to criminal convictions

The GDPR does not define "large-scale" processing, and there is no fixed numeric threshold. EU regulators assess it by factors such as the number of data subjects affected, the volume and range of data, the duration of the processing, and its geographical extent.

What Are the Penalties for Non-compliance With the GDPR?

The GDPR fines are intended to ensure that failing to comply is an expensive error for all businesses. According to Article 83, the GDPR fines increase in line with the company's size.

An EU data protection regulator sets the fine using the criteria in Article 83(2), such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, the action taken to mitigate the damage, the degree of cooperation with the regulator, and any previous infringements. Note how circumstantial each criterion is: the assessment depends on the severity of the specific infraction.

The GDPR states explicitly that some violations are more severe than others. There are two tiers of violations with corresponding penalties to be applied.

Less Severe

Less severe violations may result in a penalty of up to €10 million or 2% of the company's total worldwide annual turnover from the previous financial year, whichever is higher.

These penalties apply to breaches of the obligations placed on controllers and processors, such as failing to implement appropriate security measures, keep records of processing, notify breaches, carry out data protection impact assessments, or appoint a DPO where required.

More Severe

More severe violations are those that disregard the basic principles on which the GDPR is built: the principles for lawful processing (including consent), the rights of data subjects, and the rules on transferring personal data outside the EU.

Severe breaches may result in a penalty of up to €20 million or 4% of the company's total worldwide annual turnover from the previous financial year, whichever is higher.

These breaches include but are not limited to the following:

  1. Processing data in a manner that is not lawful, fair, or transparent as required by the GDPR.
  2. Processing special categories of personal data, such as racial or ethnic origin, religious beliefs, health data, or sexual orientation, without one of the specific exceptions in Article 9 that permit it.
  3. Relying on consent without being able to demonstrate that the individual actually gave it.
  4. Not disclosing what data is being collected and what it is being used for.
  5. Not allowing individuals to access, correct, or, in some instances, erase their data.
  6. Not allowing individuals to transfer their data to another organization.

In May 2023, the Irish Data Protection Commission fined Meta €1.2 billion. It determined that Meta had transferred European users' personal data to the United States without sufficient data protection safeguards. This record fine is a stark reminder of the harsh, turnover-scaled penalties that can be applied under the GDPR.

Conclusion

The GDPR is a far-reaching law designed to protect individuals' personal data and privacy. It applies not only to EU businesses but also to non-EU companies that process data related to individuals in the EU.

Compliance with the GDPR requires a deep understanding of its principles and regulations, including data security, data minimization, and data accountability.

By complying with the GDPR's guidelines, businesses can demonstrate their commitment to protecting personal data and avoiding potential fines and reputational damage.

If you plan to operate a business that collects the personal information of EU persons, it's essential to review the full text of the GDPR with the help of a legal professional. This will ensure that your data processing activity is set up for GDPR compliance from the onset.