The EU General Data Protection Regulation is mainly known by its shorter name – GDPR, and represents the first data privacy and data protection law of this magnitude and importance.
The Regulation was adopted in April 2016 (replacing the Data Protection Directive from ’95) and was finally put into full effect on May 25, 2018, ending the two-year adjustment period.
Even though GDPR is not the first data protection law, what sets it apart from all other attempts at regulating data protection area, is its extensiveness and determination of the EU legislators to unify data protection policies and laws throughout the EEU and enforce it with heavy penalties.
Why was GDPR necessary?
There are always multiple elements influencing the passing of such Regulation. However, we can’t overlook the importance of rapidly advancing technology. We live in unprecedented times, where you, as an individual, produce and share enormous amounts of data.
Every day, we create roughly 2.5 quintillion bytes of data. With the growing popularity of IoT (Internet of Things), this data creation rate will become even greater.
That data is at the center of business and profit for a lot of organizations, and it is harvested and used in ways that weren’t even imaginable just a few years ago.
While previous data protection laws did not follow this technological development, the GDPR was set out to “catch up” and disrupt the way things have been done thus far.
Personal information does not belong to organizations. It belongs to the individual and therefore needs to be protected – GDPR was the first step in that direction, changing the way we are affected by the use of technology.
There are, of course, situations where the rights of individuals are limited. That is because GDPR is not here to prevent companies from doing business but rather to forbid the processing of personal data without a proper lawful basis.
What is the purpose of the GDPR?
One of the purposes of the GDPR is to give back individuals control over their data, especially regarding how their data is being handled, what data is collected, by whom, and why.
Therefore individuals are granted rights that allow them to probe organizations, ask questions, and demand their data be erased, transferred, or rectified.
GDPR should also force organizations to take full responsibility and accountability for how they use, handle, process, and govern the use of personal data across an entire organization.
Does GDPR apply to you?
GDPR applies to individuals (or data subjects) that are EU citizens or residents on one side and organizations that are based in the EU on the other side.
However, GDPR also applies to organizations based outside the EU if they monitor the behavior of EU citizens (cookies) or offer goods and services to them (for example, via a website).
GDPR- Key definitions
Here is a crash course on key definitions if you are not familiar with the GDPR wording. Sometimes in order to fully understand what the GDPR is propagating, you will need to learn these terms, so we encourage you to explore the links:
Data Subject or an individual is a natural person who can be directly or indirectly identified through personal data. In the CCPA data subject is a consumer, but basically, those two terms are the same.
Data Controller is a legal entity, organization, company, person, or institution that collects and processes personal data for predefined purposes. Data Controller is the one who determines the purpose of the processing and the means of processing.
Data Processor is a legal or natural person, organization, or institution which processes personal data on behalf of the controller.
Data Protection Officer (DPO) is a new leadership role responsible for supervising the implementation of the organization’s data protection strategy and making sure it is compliant with applicable data protection laws.
Personal data is a piece of information that relates to or can be related to a natural person that can be directly or indirectly identified via that information.
Supervisory authority(SA) is responsible for monitoring the application of the General Data Protection Regulation and protecting the fundamental rights and freedoms of individuals.
GDPR is comprised of 11 chapters and 99 extensive articles that prescribe requirements for organizations (data controllers), and subcontractors (data processors). If we would sum up each chapter in one sentence, this is what it would look like:
- Chapter 1- explains the definitions, objectives, material, and territorial scope of the GDPR.
- Chapter 2- deals with the GDPR principles and sets out responsibilities around the legal basis and lawfulness of processing, conditions for consent, and processing special categories of data.
- Chapter 3- describes data subject rights (explained in full below)
- Chapter 4- this chapter is arguably most important if you are processing personal data. It sets obligations for the controller and processor and prescribes data security principles, records of processing activities, a designation of DPO, DPIA, data protection by design and default, and more.
- Chapter 5- transfers of personal data to third parties.
- Chapter 6- details on supervisory authorities
- Chapter 7- describes in detail the manner of cooperation between the lead supervisory authority and the other supervisory authorities, the exchange of information, tasks, procedures, and more.
- Chapter 8- explains how to lodge a complaint with a supervisory authority, as well as remedies, liability, and penalties.
- Chapter 9- provisions relating to specific processing situations
- Chapter 10- Exercise of the delegation
- Chapter 11– in the final provisions, the relationship between Directive 2002/58/EC and Directive 95/46/EC is further elaborated.
Data Subject rights
As we mentioned before, one of the main purposes of the GDPR is to give individuals control over their data, and in order to do so, it prescribes eight data subject rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to be forgotten
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights in relation to automated decision-making and profiling
The IAPP Annual Governance Report indicated that more than half of firms had received access and right to erasure requests in 2019, and if you are an EU-based company, the likelihood is even higher.
GDPR prescribes two levels of fines:
- The less severe violation can result in penalties up to €10 million, or 2% of the organization’s global turnover.
- For especially serious violations, the fine framework can be up to €20 million euros or up to 4 % of total global turnover.
In the first two years of GDPR enforcement, most supervisory authorities practiced caution since both SA and organizations have found themselves in uncharted territory. This resulted in scarce, conservative fines and rather timid actions by the SA.
However, things are changing quite a bit, with supervisory authorities stepping up, and issuing multiple fines (some of them multimillion-euro fines), adding more pressure on organizations to invest in their GDPR compliance.
There is also a change in the general attitude from the business side since most organizations that invested in privacy are now showing impressive ROI (40% are seeing benefits at least twice that of their privacy spend), accentuating data privacy as a business imperative and critical business goal.
What are the seven principles of GDPR?
GDPR principles are a backbone of compliance and include:
- Lawfulness, fairness, and transparency principle means you should process personal data within the lines of the law and based on what you have communicated to the individual.
- Purpose limitation means personal data processing is limited to the purpose of the data collection. You need to collect personal data for specified, explicit, and legitimate purposes and not in a manner that is incompatible with those purposes.
- Data minimization means you should collect, store, process, and use only information that is necessary to provide the required service.
- The accuracy principle means you should ensure that the data you hold is correct and accurate.
- Storage limitation means you shouldn’t keep the data for longer than it is necessary. Find out how long you should keep personal data.
- Integrity and confidentiality principle is often called security principle since it entails the implementation of appropriate technical and organizational measures.
- Accountability principle means you (as a data controller or organization) are responsible for compliance with all of the above-mentioned principles and for demonstrating compliance if necessary.
Data breach under the GDPR
As we mentioned in our article, there was a 19% increase in the number of breach notifications, from 287 to 331 breach notifications per day, in the past year, continuing the trend of double-digit growth.
This is why organizations, now more than ever, are aware of the importance of responding to data breaches, not only to stay compliant with the GDPR but to soften the impact on the overall business.
Organizations will have to assess the potential risks that data breach imposes on individuals and, in some cases, notify supervisory authority or individuals within a 72 hours timeframe. We have discussed this in detail in our article, so be sure to explore more about this subject ⬇
Data Protection Officer – a new role
Data Protection Officer is a new organizational role created by the GDPR with the main goal of overseeing data protection strategy, policies, and compliance.
DPO’s job is to raise awareness about data privacy, inform and advise organizations, monitor compliance, handle requests, and more.
Appointing a DPO can influence your organization positively in more than one way. However, some organizations are obligated to appoint a Data protection officer, and some are not. In fact, many organizations are appointing DPO, nevertheless, since it is easier if there is an organizational role that takes care of all GDPR-related issues.
How to achieve GDPR compliance faster
Understanding the obligations that GDPR puts before you and the implementation of those principles and obligations in everyday business are two very different things.
Many organizations lack insight into the personal data they are processing and have difficulty tracking, monitoring, and responding to data subject requests. They struggle with understanding where their data is and how to manage it properly.
There are, however, privacy solutions that are designed to help you navigate through GDPR compliance easily (among other things):
- Discover personal data across multiple systems in the cloud or on-premise.
- Manage privacy risks
- Consolidate your data and prioritize your relationship with customers by centralizing collected consent and aligning your marketing communication with data privacy regulations
- Successfully resolved data subject requests.
- Successfully manage third parties and guide your partners through vendor management process workflow.
- Harbor cooperation between DPO, Legal services, IT, and Marketing, dividing their responsibilities and enabling your team to work together
The best part is it will serve you as a single source of truth, allowing you to track your compliance efforts, monitor legal deadlines, cooperate with other departments, and have insight into data.