What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that came into force on 25 May 2018. It was implemented by the European Union to protect the privacy and personal data of EU citizens.
The GDPR sets out detailed requirements for companies and organizations on collecting, storing and managing personal data. It applies both to European organizations that process personal data of individuals in the EU, and to organizations outside the EU that target people living in the EU.
Its aim is to protect individuals when their data is being processed by the private sector and most of the public sector. It puts individuals in better control of their personal data and creates a system of fully independent supervisory authorities in charge of monitoring and enforcing compliance.
Who does the GDPR apply to?
The GDPR applies to all companies and organizations that process EU citizens’ data, regardless of their location. This includes the collection, processing, storage and transfer of personal data. Non-EU based businesses processing EU citizens’ data have to appoint a representative in the EU.
The GDPR does not apply if:
- The data subject is dead.
- The data subject is a legal person.
- The processing is done by a person acting for purposes which are outside his trade, business, or profession.
Personal Data
Personal data is any information relating to an identified or identifiable living natural person. This includes any information which, when collected and linked, can lead to the identification of a specific individual. For example, personal data can be a person’s first and last name, home address, e-mail address, national identity card number, location data, internet protocol (IP) address, a cookie identifier, or data held by a hospital or doctor, such as a symbol that uniquely identifies an individual.
During processing, personal data can pass through various companies or organizations. Within this cycle there are two main profiles that deal with processing personal data:
- The data controller – decides the purpose and way in which personal data is processed.
- The data processor – holds and processes data on behalf of a data controller.
The Data Protection Officer (DPO), who may have been designated by the company, is responsible for monitoring how personal data is processed and for informing and advising employees who process personal data about their obligations.
The DPO also cooperates with the Data Protection Authority (DPA), serving as a contact point towards the DPA and individuals.
A company is required to appoint a DPO when:
- It regularly or systematically monitors individuals or processes special categories of data.
- Data processing is a core business activity.
- It processes data on a large scale.
When personal data is transferred outside the EU, the protection offered by the GDPR should travel with the data. This means that if you export data abroad, your company must ensure that one of the following measures is adhered to:
- Data protection in the non-EU country is considered adequate.
- The company takes the necessary measures to provide appropriate safeguards, such as including specific clauses in the agreed contract with the non-European importer of the personal data.
- The company relies on specific grounds for the transfer (exceptions) such as the consent of the individual.
EU data protection rules mean you should process data in a fair and lawful manner, for a specified and legitimate purpose and only process the data necessary to fulfil this purpose. You must ensure that you fulfil one of the following conditions to process the personal data; you:
- Have been given the consent of the individual concerned.
- Need the personal data to fulfil a contractual obligation with the individual.
- Need the personal data to satisfy a legal obligation.
- Need the personal data to protect the vital interests of the individual.
- Process personal data to carry out a task in the public interest.
- Are acting in your company’s legitimate interests, as long as the fundamental rights and freedoms of the individual whose data are processed are not seriously impacted. If the person’s rights override your company’s interests, then you cannot process the personal data.
Individual Consent
The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to. This means that consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language. Consent should be given by an affirmative act, such as checking a box online or signing a form.
When someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given. You must also give them the opportunity to withdraw their consent.
Data subjects should receive clear information about who processes their personal data and why. This information should be presented in clear and simple language.
Control over Personal Data
The GDPR strengthens existing rights, creates new rights and gives individuals greater control over their personal data. This includes easier access to an individual’s own data, a new right to data portability, a clearer right to erasure (the right to be forgotten), and the right to know when there is a breach of personal data security.
It is important to stress that the right to the protection of personal data is not an absolute right, but must be considered in relation to its role in society and in balance with other fundamental rights.
A data breach is an accidental or unlawful disclosure to unauthorised recipients of data under the responsibility of a company, as well as its temporary unavailability or modification. If a data breach occurs that poses a risk to individual rights and freedoms, the competent data protection authority must be notified within 72 hours of becoming aware of the breach. In case the personal data breach poses a high risk to the individuals concerned, the company may also be obliged to inform all data subjects.
Consequences of non-compliance
If the company receives a request from an individual wishing to exercise his or her rights, it must respond to the request without undue delay and in any event within one month of receiving the request. This period may be extended by two months in the case of complex or multiple requests, provided that the person concerned is informed of the extension. Requests are handled free of charge.
If the company refuses a request, it must inform the data subject of the reasons and of his or her right to lodge a complaint with the data protection authority.
The company must demonstrate that it acts in accordance with the General Data Protection Regulation and complies with all applicable obligations, especially at the request or under the inspection of the data protection authority. The company should also maintain, and regularly update, written guidelines and procedures and make them known to its employees.
Non-compliance with the General Data Protection Regulation can lead to fines of up to €20 million or 4% of the company’s worldwide turnover for certain infringements. The data protection authority may impose additional remedial measures, such as forcing the termination of the processing of personal data.
In summary, the General Data Protection Regulation (GDPR) is an EU law that protects the privacy and personal data of its citizens. It applies to all companies that process EU citizens’ data, regardless of their location, and gives individuals greater control over their personal data. Compliance with the GDPR is essential for all organizations handling personal data. While it can present challenges, it also offers opportunities to gain customer trust and enhance reputation. In an increasingly digital world, the GDPR represents an important step towards a more secure and private society.