What Is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).
In the European Union (EU), privacy and data protection are fundamental human rights enforced through law. The GDPR supersedes existing national data protection laws across the EU, bringing uniformity by introducing just one main data protection law for organizations to comply with.
Significant and wide-reaching in scope, the Regulation brings a 21st-century approach to data protection. It expands the rights of EU residents to have more control over how their personal data is collected and processed and places a range of new obligations and responsibilities on organizations to be more accountable for data privacy and protection.
History of the General Data Protection Regulation (GDPR)
In 2016, the EU adopted the General Data Protection Regulation (GDPR), replacing the 1995 Data Protection Directive, which had been adopted at a time when the internet was in its infancy.
The regulation came into full effect in May 2018, after a two-year transition period. The GDPR is now recognized as law across the EU.
What types of Privacy Data does the GDPR protect?
GDPR’s personal data definition includes any information that can directly or indirectly identify a specific Data Subject. Examples:
- Biometric data, including physical characteristics such as height or weight; physiological characteristics such as DNA, fingerprints, or facial recognition images; and behavioral characteristics such as gait or voice.
- Genetic characteristics acquired at birth, such as ethnic or racial characteristics.
- Health data, including records of physical/mental conditions and healthcare codes.
- Other data, including online identifiers such as IP addresses, cookies, geolocation, or radio frequency tags; device identifiers such as MAC addresses; personal identifying information (PII) such as name, employee number, medical record number, or social security number; emails, instant messages, photos, cultural, economic, or social data.
How are Companies affected by the GDPR?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92% of U.S. companies consider GDPR a top data protection priority.
Who is Responsible for GDPR Compliance in the Organization?
According to Article 39 of the legislation, an organization must recruit a GDPR Data Protection Officer (DPO), who is responsible for overseeing the organization’s GDPR compliance, including the data protection strategy and its implementation.
The duties of the data protection officer are as follows:
- Conducting training for employees about their compliance obligations under the GDPR
- Assessing and auditing the organization to ensure it is in compliance with the GDPR
- Recording the data processing activities performed by the company
- Serving as the point of contact between the company and the relevant GDPR supervisory authority
- Responding to data subject inquiries and informing them how their personal data is used and protected
- Receiving data subject requests to view or delete their personal data
What are the punishments for Breaking GDPR Rules?
The GDPR states explicitly that some violations are more severe than others.
Two Tiers of GDPR Fines
The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. They include any violation of the articles governing:
- Controllers and processors (Articles 8, 11, 25-39, 42, and 43) — Organizations that collect and control data (controllers) and those that are contracted to process data (processors) must adhere to rules governing data protection, lawful basis for processing, and more. As an organization, these are the articles you need to read and adhere to.
- Certification bodies (Articles 42 and 43) — Accredited bodies charged with certifying organizations must execute their evaluations and assessments without bias and via a transparent process.
- Monitoring bodies (Article 41) — Bodies that have been designated to have the appropriate level of expertise must demonstrate independence and follow established procedure in handling complaints or reported infringements in an impartial and transparent manner.
The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. These include any violations of the articles governing:
- The basic principles for processing (Articles 5, 6 and 9) — Data processing must be done in a lawful, fair, and transparent manner. It has to be collected and processed for a specific purpose, be kept accurate and up to date, and processed in a manner that ensures its security. Organizations are only allowed to process data if they meet one of the six lawful bases listed in Article 6. In addition, certain types of personal data, including racial origin, political opinions, religious beliefs, trade union membership, sexual orientation, and health or biometric data are prohibited except under specific circumstances.
- The conditions for consent (Article 7) — When an organization’s data processing is justified based on the person’s consent, that organization needs to have the documentation to prove it.
- The data subjects’ rights (Articles 12-22) — Individuals have a right to know what data an organization is collecting and what they are doing with it. They also have a right to obtain a copy of the data collected, to have this data corrected, and in certain cases, the right to have this data be erased. People also have a right to transfer their data to another organization.
- The transfer of data to an international organization or a recipient in a third country (Articles 44-49) — Before an organization transfers any personal data to a third country or international organization, the European Commission must decide that that country or organization ensures an adequate level of protection. The transfers themselves must be safeguarded.
- Any violation of member state laws adopted under Chapter IX — Chapter IX grants EU member states the ability to pass additional data protection laws as long as they are in accordance with the GDPR. Any violation of these national laws also faces GDPR administrative fines.
- Non-compliance with an order by a supervisory authority — If an organization fails to comply with an order from the monitoring bodies of the GDPR, they have set themselves up to face a huge fine, regardless of what the original infringement was.
The lists above cover administrative fines. Note that Article 82 also gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of a GDPR infringement.