The General Data Protection Regulation (GDPR) is a set of compliance standards, which aim to protect EU citizens' personal data. Developed by the European Union. GDPR came into effect in 2018 to standardize and modernize data protection and privacy requirements across the EU.
But the regulations don't only apply to European countries. Any company that handles EU citizens' data is liable for keeping that sensitive data safe. Organizations that fail to comply with GDPR requirements risk serious penalties.
Key takeaways
- GDPR requirements include obtaining consent for data processing, anonymizing collected data, providing data breach notifications, handling international data transfers, and ensuring privacy by design.
- Any data controller or data processor that markets goods or services to EU residents, regardless of their location, is subject to GDPR compliance.
- Key GDPR articles refer to data subjects' control over their personal data, data protection measures, data breach notification, data protection impact assessments, and penalties for non-compliance.
- While not meeting GDPR standards, or non-compliance, may result in a warning, serious infringements can result in fines up to 4% of a company's global annual revenue.
General requirements for GDPR compliance
While the GDPR regulations are very detailed, they don't prescribe how businesses should implement these data protection and privacy rules. The regulations do provide general requirements that help business leaders adopt the right mindset, technology and processes regarding GDPR.
Processing that is transparent and lawful
Companies can only process peoples' personal data for a valid reason. In terms of GDPR, they specify exactly what conditions are lawful for processing peoples' data. These include:
- Having the clear consent of the data subject
- Under specific legal obligations
- Legitimate interests of the data controller
- Necessary to fulfill a contract with the data subject
- To protect the vital interests of the individual
- In the public interest
Plus, data subjects need to know exactly how their data will be used. Privacy policies or notices can help inform data subjects about how you handle and safeguard their personal data.
Limiting the purpose of the data and what is collected
When collecting and processing personal data, companies can only use the data for the purpose specified by the data subject. They must also only request the minimum amount of data for their task. For instance, the individual's name, surname, and email address for digital marketing purposes. And after the company is finished using that data and it's no longer needed, it must be deleted.
Ensuring privacy by design
The privacy by design principle means that companies must consider data privacy and protection first when they're developing a new product or starting a new project, for instance. They must consider all the data risks upfront so that safeguarding data is a part of everything they do.
A data subject's rights
Under GDPR, individuals have more control over their data - what information is collected, how it's used, and the right to ask companies to it erase it. These rights include:
- Right to access: The right to be given a copy of the info that a company has on them. The company must inform the data subject whether they are processing their data and why, for instance.
- Right to erasure: They can request to have their personal data, like their email address, removed from a company's records. For example, if they change banks, requesting their previous bank to erase all their personal data.
- Right to information: This means the data subject can find out how a company is using their personal data or how their info is being processed by data controllers and their business associates.
- Right to object: Consumers have the right to object to their personal data being processed. For instance, when a company doesn't request the data subject's permission to gather and process their personal info.
- Right to data portability: This right enables data subjects to transfer their personal data from one company to another. For example, from one healthcare provider to another, in a secure manner.
- Rights in relation to automated data decision making: In this case, consumers can object to an automatic decision made my AI, for instance, such as an automated process declining the person a personal loan or insurance cover.
The importance of consent
If a business wants to use someone's personal data for reasons other than what was agreed on, they need clear consent from that data subject. Companies must document this consent, along with detailed records of everything related to GDPR compliance.
Reporting personal data breaches
A data breach can be a result of a cyberattack. But the term applies to more than just cybercrime. It can also occur as a result an employee sending or accessing sensitive information by mistake. What's important about data breaches within the GDPR rules is that they must be reported to the regulatory authority within 72 hours.
Data security during transfers
Companies that transfer personal data outside of the EU need to sign a contract with their third party providers. The contract should include specific clauses that make data protection and privacy a top priority. Both parties are responsible for keeping the data safe, and liable if something goes wrong.
Conducting data protection impact assessments
The General Data Protection Regulation suggests that companies perform a data protection impact assessment. This assessment can help businesses identify and reduce potential data privacy risks when they process data. These assessments are a must if you process high-risk data, like financial or health-related data.
The role of a data protection officer
If a company handles high volumes of personal data or high-risk data, then they need to appoint a data protection officer (DPO). The DPO advises the organization about how to comply with GDPR requirements.
Employee awareness and training
Staff training about GDPR is vital. In addition to general training on GDPR basics, training should be tailored to the person's role and how they work with data. For instance, a marketing team that collects personal data needs to know exactly what data they can collect and how to provide clear ways for people to opt-out.
Essential GDPR articles
The GDPR laws contain 11 chapters and 99 rules or articles. We'll take a closer look at the articles about data security and privacy.
Articles 17 & 20: Right to portability and erasure of personal data
GDPR articles 17 and 18 deal with ensuring individuals have more control over their data. They have the right to transfer their personal data from one service provider to another. For example, from one healthcare provider to another. They can also ask companies to delete their personal data, which is also called the right to erasure. An interesting example here is ChatGPT, which shows how data scraped from across the internet is very difficult to attribute to a specific user. As a result, article 17, or the right to erasure, becomes difficult to implement.
Articles 23 & 30: Implementing data protection measures and record keeping
These two articles refer to the technical data protection measures data controllers and data processors must adhere to. Articles 23 and 30 help to prevent data exposure or loss. These rules also mention that companies must keep detailed records of how they use data, store it, and share it.
Articles 33 & 34: Data breach notifications
When a data breach occurs, GDPR has strict rules about notifying those involved. Firstly, data breaches must be reported within 72 hours. The notification must include specific details of what data has been stolen, such as protected health information (PHI). Plus, how many data subjects were affected. The regulations state that the individuals whose data has been stolen must be notified as soon as possible.
Articles 35 & 41: Data protection impact assessments and compliance reviews
Compliance is never a once-off activity. To ensure companies are following key GDPR requirements, they need to perform regular checks. Data protection impact assessments (DPIAs) are one of these checks. DPIAs ensure data protection is prioritized before starting any new project. Article 35 mentions that companies should perform a compliance review if the risk to data security will change in any way.
Article 37--39: Role of Data Protection Officers
GDPR requires that companies processing high-risk data, such as details of a person's race, health, or religious beliefs, must appoint a data protection officer (DPO). The DPO's tasks include:
- Informing all employees that process data about the GDPR requirements.
- Monitoring the company's compliance with the regulations.
- Providing advice for data protection impact assessments.
- Being the point of contact for data subjects and supervisory authorities.
Article 44: Extending data protection requirements to international companies
GDPR regulations make it clear that any organization that processes consumer data is liable for keeping it secure and private. This applies when transferring EU citizens' data to international companies. While they may have their own data protection laws or lack thereof, they must abide by GDPR when processing data from EU consumers.
GDPR enforcement and penalties for non-compliance
GDPR applies to businesses of any size and includes businesses that are data controllers and data processors. Supervisory authorities (SA) have the right to issue fines to any companies that violate the rules. However, all infringements are judged on a case-by-case basis, assessing aspects such as:
- The "nature, gravity and duration of the infringement" - including how and why the data was processed, the number of data subject affected and the level of damage caused.
- Any negligence on the part of the company or intentional infringement.
- Any actions the company took to handle the damage caused to those affected.
- Any technical or organizational measures the company implements, like data encryption.
- Whether they have any previous infringements.
The SA may not always issue a fine, depending on the circumstances. They may issue a warning, perform an audit to help the company implement better data privacy and security measures, order the business to delete certain data, or block a company from transferring personal data to another country.
If the SA does choose to fine a company due to infringements or non-compliance, such as not meeting the conditions for consent, those fines can be up to 4% of their total annual turnover!
The requirements set out by GDPR aim to help organizations implement the right technology, processes and mindset around data privacy and security. Any companies processing, transferring, or collecting personal data must enforce these rules or be liable for big penalties. Ultimately, these requirements are more suited to modern digital business operations. And with the vast quantity of data available today and ever-evolving technology, GDPR provides the control individuals need over their personal data.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.