What is the European Union (EU) General Data Protection Regulation (GDPR)?
Europe’s new data privacy and security law includes many pages’ worth of latest requirements for organizations round the world. This GDPR overview will assist you understand the law and determine what parts of it apply to you.
Introduction
The General Data Protection Regulation (GDPR) is the toughest privacy and security law within the world. Though it had been drafted and gone by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they aim or collect data associated with people within the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those that violate its privacy and security standards, with penalties reaching into the tens of many euros.
With the GDPR, Europe is signaling its Company stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a frightening prospect, particularly for small and medium-sized enterprises (SMEs).
The GDPR entered into force in 2016 after passing European Parliament, and as of May 25, 2018, all organizations were required to be compliant.
Scope, penalties, and key definitions
First, if you process the private data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you although you’re not within the EU.
Second, the fines for violating the GDPR are very high. There are two tiers of penalties, which reach at €20 million or 4% of worldwide revenue (whichever is higher), plus data subjects have the right to hunt compensation for damages.
The GDPR defines an array of legal terms at length. Below are a number of the most important ones that we refer to during this article:
Personal data — Personal data is any information that relates to a private who are often directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions also can be personal data. Pseudonymous data also can fall into the definition if it’s relatively easy to ID someone from it.
Data processing — Any action performed on data, whether automated or manual. The examples cited within the text include collecting, recording, organizing, structuring, storing, using, erasing etc.
Data subject — The person whose data is processed. These are your customers or site visitors.
Data controller — The one that decides why and the way personal data are going to be processed. If you’re an owner or employee in your organization who handles data, this is often you.
Data processor — A 3rd party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. they might include cloud servers like Tresorit or email service providers like Proton Mail.
What the GDPR says about?
We will briefly explain all the key regulatory points of the GDPR.
Data protection principles
If you process data, you’ve got to do so consistent with seven protection and accountability principles-
Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — you must process data for the legitimate purposes specified explicitly to the data subject once you collected it.
Data minimization — you should collect and process only as much data as absolutely necessary for the needs specified.
Accuracy — you must keep personal data accurate and up so far .
Storage limitation — you may only store personally identifying data for as long as necessary for the required purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Responsibility — the data controller is liable for being able to demonstrate GDPR compliance with all of those principles.
Accountability
The GDPR says data controllers need to be ready to demonstrate they’re GDPR compliant. And this isn’t something you can do after the fact; If you think that you’re compliant with the GDPR but can’t show how, then you’re not GDPR compliant. Among the ways you’ll do this:
• Designate data protection responsibilities to your team.
• Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is liable for it etc.
• Train your staff and implement technical and organizational security measures.
• Have data processing Agreement contracts in situ with third parties you contract to process data for you.
• Appoint a data Protection Officer (though not all organizations need one)
Data security
You’re required to handle data securely by implementing “appropriate technical and organizational measures.”
Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption.
Organizational measures are things like staff trainings, adding a data privacy policy to your employee handbook, or limiting access to non-public data to only those employees in your organization who need it.
If you’ve got a data breach, you have 72 hours to inform the data subjects or face penalties. (This notification requirement could also be waived if you employ technological safeguards, like encryption, to render data useless to an attacker.)
Data protection by design and by default
From now on, everything you are doing in your organization must, “by design and by default,” consider data protection. Practically speaking, this suggests you must consider the data protection principles within the design of any new product or activity. The GDPR covers this principle in Article 25.
Suppose, you’re launching a replacement app for your company, think about what personal data the app could possibly collect from users, then consider ways to attenuate the quantity of data and how you’ll secure it with the newest technology.
When you’re allowed to process data
Article 6 lists the instances in which it’s legal to process personal data. Don’t even think about touching somebody’s personal data — don’t collect it, don’t store it, don’t sell it to advertisers — unless you’ll justify it with one among the following:
The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted in to your marketing email list.)
Processing is important to execute or to prepare to enter into a contract to which the data subject may be a party. (e.g. you need to do a background check before leasing property to a prospective tenant.)
You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
You need to process the data to save somebody’s life. (e.g. Well, you’ll probably know when this one applies.)
Processing is important to perform a task within the public interest or to carry out some official function. (e.g. You’re a personal garbage collection company.)
You have a legitimate interest to process someone’s personal data. This is often the foremost flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.
(It’s difficult to offer an example here because there is a spread of factors you’ll have to consider for the case. United Kingdom Information Commissioner’s Office provides helpful guidance here.)
Once you’ve determined the lawful basis for your data processing, you need to document this basis and notify the info subject (transparency!). And if you opt later to vary your justification, you need to possess an honest reason, document this reason, and notify the data subject.
Consent
There are strict new rules about what constitutes consent from a data subject to process their information.
Consent must be “freely given, specific, informed and unambiguous.”
Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
Data subjects can withdraw previously given consent whenever they need and you’ve got to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
Children under 13 can only give consent with permission from their parent.
You need to keep documentary evidence of consent.
Data Protection Officers
Contrary to popular belief, not every data controller or processor must appoint a data Protection Officer (DPO). There are three conditions under which you’re required to appoint a DPO:
• You are a public authority other than a court acting in a judicial capacity.
• Your core activities require to watch people systematically and frequently on an outsized scale. (e.g. You’re Google.)
• Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data concerning criminal convictions and offenses mentioned in Article 10. (e.g. You’re a medical office.)
You could also prefer to designate a DPO although you aren’t required to. There are benefits to having someone in this role. Their basic tasks involve understanding the GDPR and the way it applies to the organization, advising people within the organization about their responsibilities, conducting data protection trainings, conducting audits and monitoring GDPR compliance, and serving as a liaison with regulators.
People’s privacy rights
You are a data controller and/or a data processor. But as an individual who uses the web, you’re also a data subject. The GDPR recognizes a litany of latest privacy rights for data subjects, which aim to offer individuals more control over the data they provide to organizations. As a corporation, it’s important to know these rights to make sure that you’re GDPR compliant.
Below is a list of data subjects’ privacy rights:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to limit processing
• The right to data portability
• The right to object
• Rights in reference to automated decision making and profiling.
Conclusion
We’ve just covered all the main points of the GDPR. The regulation itself (not including the accompanying directives) is 88 pages. If you’re affected by the GDPR, we strongly recommend that somebody in your organization reads it and that you consult an attorney / consultant to make sure you’re GDPR compliant.
EmpGrow Business Solutions provide GDPR services as a part of ‘Business Services – Business Process Management’.