What Is GDPR?: The Facts You Need to KnowGreg Garner
It was introduced by the EU in 2016 and has been in force since 2018.
This is an extension of the security and privacy protection in US legislation, such as the Health Insurance Portability and Accountability Act (HIPPA). There are currently conversations in the US about the need to further security and privacy regulations and introduce something similar to the GDPR.
But what is the GDPR? What does it mean for you and your business? We’ve put together this complete guide to the GDPR, to answer your questions.
What Is the GDPR?
The GDPR is the European Union’s (EU’s) latest data protection law. It has been in force since May 25, 2018.
As technology advances and we move further into the digital age, more of our daily lives are happening online. We are sharing our personal data every day. Europe introduced the GDPR in response to these changes, establishing a clear and firm policy on the privacy and security of people’s data.
The rules are designed to give EU citizens more control over their personal data. It allows people to more easily access their personal information, and limits how organizations can use this personal information.
The legislation also aims to harmonize data privacy laws across the EU. This means that organizations and companies only have to meet one standard for all EU countries. This makes it much more efficient and streamlined to operate in more than one EU member state.
This is not currently the case in the US, where there are specific legislation and regulation in certain areas or industries, such as the California Consumer Privacy Act (CCPA).
The penalties for breaching the GDPR are extreme. Organizations and companies who violate the GDPR standards can face large fines, reaching tens of millions of euros.
Scope of the GDPR
The GDPR was passed and introduced in the EU. However, the GDPR can also apply to companies and organizations elsewhere.
The GDPR applies to you if you target, collect, handle or store data related to anyone in the EU.
For example, if you are based in the US but you do business in the EU, then the GDPR can apply to you.
History of the GDPR
The EU has long worked to protect the privacy of its citizens.
In 1950 the European Convention on Human Rights stated that ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’ By including this in legislation, the EU was clearly stating that everyone has a right to privacy.
By 1995 the world had changed dramatically. Technology was continuously developing, especially with the creation of the Internet. That’s why the EU introduced the European Data Protection Directive, which established minimum data privacy and security standards across the EU.
In 2011, the EU began work to update this 1995 directive. By early 2012, the European Commission set out their ambitious goal; they were working on reforming data protection across the entire EU.
After four years of negotiations and discussion, the GDPR was adopted by the European Parliament and European Council in 2016.
It came into force on May 25, 2018. From this date onwards, all relevant organizations and companies have had to comply with the legislation. It has transformed the way personal data is processed.
What Is Personal Data?
At its core, the GDPR aims to protect people’s personal data. But what is personal data?
It is defined in Article 4 of the GDPR; ‘personal data means any information relating to an identified or identifiable natural person’.
In other words, personal data any piece of information that can directly or indirectly identify a living person.
Information That Could Be Personal Data
The legislation is very inclusive; many types of information qualify as personal data.
Information that is clearly about a specific person is personal data. It can be in any format. It could be objective (someone’s height) or subjective (employer references). Even inaccurate information can also be defined as personal data.
Personal data can be defined as information that describes a person’s activities. It can also be information that can have an impact on the person when it is processed, even if that wasn’t your intention.
Personal data can allow direct identification of a person. This means that the person can be identified using only the information you process.
However, personal data can also enable a person to be indirectly identified. This is when you can use the information you have to access other sources and identify the person.
As a result, there are many types of information that qualify as personal data. This makes the GDPR even more wide-ranging.
Examples of Personal Data
There are many examples of information that can be defined as personal data.
Basic identity information about a person is defined as their personal data:
- Identification (ID) number
- Online username
Personal data can also be less obvious information about a person, such as:
- Internet protocol (IP) address
- Cookie identifiers
- Radio frequency identification (RFID) tags
- Any information that could identify a specific device
Sensitive personal data is also given protection in the GDPR, including:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Genetic data
- Biometric data (such as fingerprints)
- Health information
- Sexual orientation
Information that describes a person’s activities is classed as personal data and includes:
- Criminal record
- Bank statement
Data used for learning or making decisions about a person is also considered as personal data, such as:
- Electricity usage
- Water usage
When You’re Allowed To Process Personal Data
The GDPR has seven key data protection principles. These are listed in Article 5 of the legislation.
When you’re collecting, using, or storing somebody’s personal data, you have to follow these principles:
- Lawfulness, fairness, and transparency: Data processing must be lawful, fair, and transparent to the person.
- Purpose limitation: You have to process personal data for legitimate purposes, which must be explicitly specified to the person when you collected it.
- Data minimization: You should collect and process only the amount of data that is absolutely necessary for the reason you have specified.
- Accuracy: You have to keep personal data accurate and up-to-date.
- Storage limitation: You can only store personal data for as long as needed for the specific purpose.
- Integrity and confidentiality: When processing personal data, you must ensure appropriate security, integrity, and confidentiality.
- Accountability: The data controller is responsible for demonstrating compliance with these principles as requested.
If you’re going to process someone’s personal data, it needs to be done for a legitimate reason. According to the GDPR, there are six reasons for collecting, handling, and storing someone’s personal data:
- You have consent from the person; you clearly explain what you’re going to do with someone’s personal data, and they explicitly give permission. For example, they’ve opted into a mailing list.
- You need to process personal data to fulfill a contract which the person is part of. For example, you need to do a background check before employing someone.
- You need to process the personal data to comply with a legal obligation. For example, you have received an order from your local court.
- You need to process the personal data to save somebody’s life.
- You need to process the personal data to perform a task in the public interest or for an official function. For example, you’re a private garbage collection company.
- You have a legitimate interest to process someone’s personal data. This is the most flexible reason and can apply to a range of circumstances.
You only need to choose one legal basis for processing someone’s personal data. But it’s important to remember that once you’ve chosen a justification, you can’t change it. You also need to tell the person whose data you’ll be using.
Once you’ve decided why you’re collecting personal data, you should identify the minimum amount of information you need to meet your requirements.
You should then collect this minimum amount; you shouldn’t collect more personal information than you need.
This is included in the GDPR to make sure that organizations and companies don’t overreach and collect information about people that they don’t need. It ensures that all personal data collected is relevant, and means that a person only shares what is absolutely needed.
Integrity and Confidentiality
When you’re collecting, handling, or storing data, you must make sure that the data is secure and protected.
Threats include unauthorized or unlawful processing (seen by someone or for a reason it shouldn’t be), as well as accidental loss, damage, or destruction.
Personal Data Security Practices
Security practices are different for every organization or company. This depends on the size of the organization, the amount of personal data collected, and the way that this data is used.
However, the GDPR does state that you must establish ‘appropriate technical and organizational measures’ to securely handle data.
Appropriate technical measures could include using two-factor authentication on accounts where personal data is stored, or using technology with end-to-end encryption.
No one wants a data breach, but this does sometimes happen. If you do have a data breach, you have 72 hours to inform the relevant supervisory body. According to the GDPR, if your customers need to be notified, this needs to be done without ‘undue delay’.
Personal Data Protection by Design and by Default
The GDPR also states that – for security reasons – data protection needs to be considered at all times. Everything that your company does, by design and default, must consider data protection.
This means that the seven data protection principles must be considered from the moment you start developing a project; long before you process any personal data.
For example, you are launching a new online retail company. Before you begin to build your website, you have to consider what personal data you will need from your customers, and how you will keep this secure. You can then include this in the design and build of your website from the very beginning.
The seventh data protection principle – accountability – was included to make sure that organizations and companies can prove they are working to comply with the GDPR.
The Data Controller
The data controller in your organization or company is the person who decides why and how personal data will be processed. If requested, they have to be able to show how they are meeting the requirements set out in the GDPR.
Ways for the data controller to show that you are GDPR compliant include:
- Maintaining detailed documentation about the personal data you’re collecting, how it’s used, where it’s stored, and which employee is responsible for it;
- Training staff on the GDPR and personal data protection;
- Regularly evaluating data handling processes;
- Making sure that only the people who need the personal data can access it;
- Introducing technical and organizational security measures.
Organizations with 250 or more employees are required to keep an up-to-date and detailed list of their processing activities. This includes the personal data collected, why it was collected, how it was collected, how it was handled, what it was used for, and how it is being securely stored.
The Data Processor
The data processor is the person that collects, handles, updates, and stores the personal data.
They must be aware of the data controller’s policies, and follow them accordingly. This will ensure that they process data securely and confidentially.
The Data Protection Officer
A Data Protection Officer (DPO) oversees the company’s security and privacy strategies and ensures they comply with the GDPR.
According to the GDPR, you are required to appoint a Data Protection Officer (DPO) if:
- You process or store large amounts of personal data about EU citizens;
- You process or store large volumes of special personal data, listed under Article 9 and Article 10 of the GDPR;
- You are a public authority;
- You systematically and regularly monitor people on a large scale.
You can also choose to appoint a DPO, even if you’re not required to.
People’s Privacy Rights
The GDPR recognizes new and far-reaching privacy rights for people. These rights aim to give people more control over the data they share with organizations and companies.
People now have the following privacy rights:
- The right to be informed: They should be made aware of what personal data is being collected, and why.
- The right of access: A person can request and receive all of the information that you have about them. They usually do this by submitting a Subject Access Request (SAR).
- The right to rectification: Any incorrect, inaccurate, incomplete, or outdated information must be remedied.
- The right to erasure: A person has the right for their personal data to be deleted.
- The right to restrict processing: A person can ask you to stop processing their data.
- The right to data portability: People can request and receive a copy of their personal data in a format that can be easily transferred to another company.
- The right to object: People can object to you processing their personal data.
- Rights in relation to automated decision making and profiling: If you make decisions about people based on automated processes using personal data, you have to protect their rights. Generally, you must be able to explain the decision made.
Whenever someone requests their personal data, you must have processes in place to verify their identity. You should then be able to fulfill their request within one month.
The Right of Access
People have the right to access the personal data that you hold, and to see how it is handled.
They are also entitled to know how you’re storing the personal data, how long you intend to store it, and why.
The Right of Rectification
According to the GDPR, it should be easy for a person to correct any inaccurate, or update any incomplete, personal data.
As stated in the GDPR data protection principles, organizations and companies should be doing as much as possible to keep personal data up-to-date.
The Right of Erasure
The right of erasure is also known as the right to be forgotten. It should be simple and easy for a person to ask for you to delete their personal data from your records.
Someone has the right to have their personal data erased if:
- The personal data is no longer needed for the reason the organization or company originally collected it;
- An organization or business is using consent as the legal justification for processing the personal data, and the person withdraws consent;
- An organization or company is using legitimate interests as the legal justification for processing the personal data, the person objects to this processing, and there is no overriding legitimate interest for the organization or company to continue processing;
- An organization or company is processing personal data for direct marketing and the individual objects;
- An organization or company processed someone’s personal data unlawfully;
- An organization or company has to delete personal data to comply with the law.
However, organizations and companies are not always obliged to delete personal data. This happens when:
- The personal data is being used to exercise the right of freedom of expression and information;
- The personal data is being used to comply with law;
- The personal data is being used in the public interest, scientific research, historical research, or statistical work;
- The personal data is being used an organization is exercising official authority;
- The personal data is being used in the public interest;
- The personal data is needed for medical purposes;
- The personal data is needed for legal matters.
An organization can also ask for a ‘reasonable fee’ or refuse to erase personal data if they can prove that the request was either unfounded or excessive.
Fines for Breaching the GDPR
If you violate the terms of the GDPR, the fines can be severe. This is done to increase GDPR compliance; it is deemed too costly to fail to implement the protection and security.
Examples of breaching the legislation include:
- An organization or company not processing personal data is the correct way;
- An organization or company requiring a Data Protection Officer, but not appointing one;
- A security breach of personal data.
There are two tiers of penalties. Less severe breaches can lead to a fine of up to €10 million, or 2% of the firm’s worldwide revenue from the preceding financial year (whichever is higher). More serious breaches can result in a fine of up to €20 million, or 4% of the firm’s worldwide revenue from the preceding financial year (whichever is higher).
One of the biggest GDPR fines so far was against Google. The French data authority fined Google €50 million (approx. $57 million) for breaching GDPR legislation. Google did not properly inform users how their personal data is collected to display personalized adverts.
The GDPR in Practice
So, what is the GDPR? What does it mean for you? Now you’ve made it this far, you should begin to know some of the answers.
The EU’s General Data Protection Regulation (GDPR) is detailed, innovative, and far-reaching legislation. It protects the personal data of EU citizens and can apply to organizations and companies all over the world.
It may seem daunting. But you must understand how the legislation impacts your business, and what you need to do to ensure GDPR compliance. Otherwise, you can face extensive fines.
Do get in touch if you have any questions about the GDPR, how it affects you, or would like to discuss your specific circumstances. We’re with you every step of the way.