What is GDPR (General Data Protection Regulation)?

The General Data Protection Regulation, commonly known as GDPR, is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Established by the European Parliament and Council in April 2016, it replaced the Data Protection Directive 95/46/ec as the primary law regulating how companies protect EU citizens’ personal data. GDPR came into effect on May 25, 2018.

GDPR is a significant piece of legislation that has far-reaching effects on how businesses handle and manage data. It aims to harmonize data protection laws across the EU and to protect the rights of EU citizens regarding their personal data. The regulation applies to all companies that process personal data of people residing in the EU, regardless of the company’s location.

Key Principles of GDPR

The GDPR is based on seven key principles which lay the foundation for the rules and regulations. These principles are lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles are not rules as such but rather provide the context in which data protection laws should be applied and understood.

Each principle carries its own set of rules and guidelines, which are designed to ensure that businesses and organizations handle personal data in a way that respects individual rights and freedoms. Violations of these principles can lead to significant fines and penalties.

Lawfulness, Fairness and Transparency

The principle of lawfulness, fairness, and transparency emphasizes that personal data should be processed lawfully, fairly, and in a transparent manner in relation to the data subject. This means that companies must be open about their data processing activities and must not use data in ways that would have unjust or prejudicial effects on the individuals concerned.

Transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language is used. This is particularly relevant in situations where the data subject’s consent is sought or where data is collected directly from the data subject.

Purpose Limitation

The principle of purpose limitation states that personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that companies must be clear about why they are collecting personal data and what they plan to do with it. They must also ensure that if they wish to use the data for other purposes, these are compatible with their original purpose or they have the explicit consent of the data subject.

This principle is closely linked with the principles of data minimization and storage limitation, which require that companies collect only the data they need for their specified purpose and that they keep it only for as long as necessary.

Individual Rights under GDPR

One of the key aspects of the GDPR is the enhanced rights it gives to individuals, or ‘data subjects’, in relation to their personal data. These rights are designed to give individuals more control over their personal data and to ensure that companies are transparent about how they use this data.

These rights include the right to be informed, the right of access, the right to rectification, the right to erasure (also known as ‘the right to be forgotten’), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.

The Right to be Informed

The right to be informed covers an individual’s right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. When personal data is collected, either directly from the individual or from a third party, the individual has a right to be informed about how the data will be used, who it will be shared with, how long it will be kept and whether it will be transferred to a third country or international organisation.

In practice, this means that companies must provide individuals with a privacy notice at the time they collect their personal data. The privacy notice must be concise, transparent, intelligible and easily accessible, written in clear and plain language, and free of charge.

The Right of Access

The right of access, also known as the subject access right, allows individuals to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why their data is being used, and to check whether the use of their data is lawful.

Individuals can make a subject access request verbally or in writing, and the company must respond within one month. If the request is complex or numerous, the company may extend the response time by a further two months. If the company refuses a request, they must tell the individual why and inform them of their right to complain to the supervisory authority and to a judicial remedy.

GDPR Compliance

Compliance with GDPR is not just a matter of ticking a few boxes; the Regulation demands that you be able to demonstrate compliance with the data protection principles and rights set out in the GDPR. This includes showing how you have implemented data protection into your operations, such as through data protection policies, data protection impact assessments, data subject consent, breach notification procedures, and more.

Non-compliance with GDPR can result in hefty fines and penalties. Under GDPR, organizations can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements.

Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment (DPIA) is a process designed to help organizations systematically analyze, identify and minimize the data protection risks of a project or plan. It is a key part of the GDPR’s focus on accountability and is required in certain situations where data processing is likely to result in high risk to individuals’ interests.

DPIAs are particularly relevant when a new data processing technology is being introduced, or when a profiling operation is likely to significantly affect individuals. If a DPIA indicates that the data processing is high risk, and you cannot sufficiently address those risks, you will be required to consult the supervisory authority before starting the processing.

Data Subject Consent

Consent is one of the lawful bases for processing personal data under the GDPR. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.

Under the GDPR, consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent. Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.

GDPR and Cybersecurity

GDPR has a significant impact on cybersecurity practices. The regulation requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the pseudonymization and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Furthermore, GDPR introduces a duty on all organizations to report certain types of personal data breach to the relevant supervisory authority. They must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, organizations must also inform those individuals without undue delay.

Technical and Organizational Measures

Technical and organizational measures are the security measures that an organization puts in place to protect the personal data it holds from being accidentally or deliberately compromised. They are essentially the measures that help an organization achieve the level of security appropriate to the risk of processing.

These measures could include, for example, pseudonymization and encryption of personal data, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of these measures.

Data Breach Notification

Under the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the relevant supervisory authority; if it’s likely that there will be a high risk then you must also inform the individuals concerned.

Conclusion

The GDPR is a comprehensive data protection law that has reshaped the way organizations across the region approach data privacy. It has set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.

Understanding the GDPR and its implications is crucial for any organization dealing with EU citizens’ data, regardless of where the organization is based. Non-compliance can result in hefty fines and damage to company reputation. Therefore, it is essential for organizations to understand and implement the necessary procedures and controls to ensure GDPR compliance.