EU GDPR (General Data Protection Regulation)
The General Data Protection Regulation, popularly known as GDPR, is here.
But what it is, how it affects businesses and individuals, and how compliance can be ensured can be challenging to comprehend at first.
We have compiled the information you need to understand the nitty-gritty of GDPR.
What is the EU GDPR?
As stated above, GDPR stands for General Data Protection Regulation. It is Europe's data protection and privacy law, running to hundreds of pages of organizational requirements that reach well beyond the EU's borders. It is widely regarded as the toughest privacy and security law in the world.
Although it was drafted and adopted by the EU (European Union) in 2016 and has applied since May 25, 2018, GDPR imposes obligations on any organization, wherever it is based, that collects or processes personal data relating to people in the EU.
Organizations violating the data protection standards imposed by GDPR face fines running to tens of millions of euros, or a percentage of global annual turnover.
With GDPR, Europe has signaled a firm stand on data protection and privacy at a time when more people are entrusting their personal data to cloud services and breaches occur daily. The regulation, however, is large and far-reaching but fairly light on specifics, which makes GDPR compliance a daunting prospect, especially for small and medium-sized enterprises.
History of the General Data Protection Regulation (GDPR)
Article 8 of the European Convention on Human Rights of 1950 states the right to privacy as follows: “Everyone has the right to respect for his private and family life, his home and his correspondence.” The European Union has used this right as the foundation for the protection GDPR now provides.
As the Internet arrived and technology advanced, the European Union recognized the need for modern, stronger protection. Hence in 1995 the EU established minimum data protection and privacy standards through the European Data Protection Directive (Directive 95/46/EC).
Each member state, however, implemented the Directive through its own national law, and technology moved on quickly. The first online banner advertisement appeared in 1994. By 2000, almost all major financial institutions offered online banking. Facebook opened to the public in 2006, and in 2011 a user sued Google for scanning her personal emails.
As a result, Europe's data protection authorities concluded that the European Union needed a more comprehensive approach to personal data protection and began updating the 1995 Directive.
In 2016 the GDPR was adopted after passing the European Parliament, and from May 25, 2018 all organizations within its scope had to comply with the regulation.
What are the key provisions of the General Data Protection Regulation?
The thirteen key provisions of the General Data Protection Regulation are set out below.
GDPR Extra-territorial effect
The GDPR's extra-territorial effect means it applies to both EU and non-EU businesses. It applies to every business established in the EU, whether the processing itself takes place inside or outside the EU. It also applies to non-EU businesses that process the personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour. Such non-EU businesses must, in most cases, also designate a representative established in the EU (Article 27).
GDPR DPO (Data Protection Officer)
Public authorities, and organizations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of personal data, must appoint a DPO. Other businesses may appoint one voluntarily, and some member states require one in additional cases.
The DPO's responsibility is to monitor GDPR compliance and advise the business on its GDPR obligations. The DPO also acts as the contact point for, and cooperates with, the supervisory authority (the Data Protection Authority, or DPA).
GDPR Consent Requirements
Where a business relies on consent, it must hold valid consent from data subjects for collecting and processing their data. It must be able to demonstrate that the consent was freely given, specific, informed and unambiguous, and that it was requested in clear and plain language.
Individuals can also withdraw their consent at any time, and withdrawing must be as easy as giving it. The age of consent under GDPR for online services is 16 by default, although member states may lower it to as young as 13. Below that age, the consent of a parent or legal guardian is required before the child's data can be processed for such services.
GDPR rights for individuals
Under the GDPR, data subjects have the right:
- to access their personal data
- to have their data erased in certain cases (the right to be forgotten)
- to have inaccuracies rectified
- to data portability
- to restrict the processing of their personal data, and
- to object to processing, including profiling, and not to be subject to decisions based solely on automated processing.
Rights of Data Subjects Under GDPR – Response Deadlines
Businesses must provide proper and adequate information to a data subject within one month of receiving the subject's request.
That period may be extended by up to two further months where requests are numerous or complex, provided the data subject is told within the first month. The information must be provided free of charge, although a reasonable fee may be charged for further copies the data subject requests.
If a business refuses to act on a request, it must explain its reasons and inform the data subject of their right to complain to the DPA or to seek a judicial remedy. This, too, must be done within one month of the request.
GDPR use of personal data
Businesses must be transparent about how they use personal data and must provide data subjects with relevant information about the processing and its purpose.
This includes the identity and contact details of the controller and of the DPO, the purpose and legal basis of the processing, the recipients of the data, any transfers to third countries, the retention period, and the rights to request access, to have the data rectified, and to lodge a complaint with the DPA.
GDPR DPIA (Data Protection Impact Assessment)
Businesses must carry out a data protection impact assessment where a processing operation is likely to pose a high risk to the rights and freedoms of data subjects. The assessment helps identify effective data protection measures, and the business should seek the DPO's advice when carrying it out.
Where the DPIA indicates a high risk that the business cannot adequately mitigate, it must consult the DPA before starting the processing (Article 36).
GDPR Notification of data breach (Article. 33)
Businesses must notify the DPA of a personal data breach within 72 hours of becoming aware of it. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Where notification is made after the 72-hour period, the business must give reasons for the delay.
Processors must notify the controller without undue delay after becoming aware of a breach. It is the controller's responsibility to document all breaches, including those it decides not to report.
GDPR article 25 data protection by design and by default
Businesses must build privacy into the design of their products, services and internal processes to strengthen their overall privacy protection.
Data protection by design requires businesses, both when deciding how data will be processed and during the processing itself, to implement appropriate technical and organizational measures that put the data protection principles into effect. Both the rights of data subjects and the requirements of the GDPR must be met as a result.
Data protection by default requires businesses to ensure that, by default, only the personal data necessary for each specific purpose is processed. This applies to the amount of personal data collected, the extent of the processing, the storage period, and who can access the data.
GDPR right to compensation (Article 82 para. 1)
Any person who suffers damage as a result of a GDPR infringement has the right to compensation from the controller or processor. A controller or processor can avoid liability by proving it was not in any way responsible for the damage. Where both a controller and a processor are responsible for the same damage, each is liable for the entire damage, so that the data subject is fully compensated.
Data subjects can also bring a judicial remedy against a controller or processor for GDPR non-compliance.
Data processor obligations GDPR (Article 28)
Processors and controllers are jointly and severally liable, according to their respective responsibility, for the consequences of a breach of data protection law. Unlike the 1995 Directive, the GDPR imposes direct statutory obligations on processors.
Processors are therefore directly exposed to compensation claims by data subjects, administrative fines, and enforcement action by the supervisory authority.
The GDPR also requires certain terms in the contract between a controller and a processor. For instance, the processor may only process data on the controller's documented instructions, may engage a sub-processor only with the controller's prior authorization, must ensure its staff are bound by confidentiality, and must assist the controller in meeting data subject rights and breach notification obligations.
GDPR penalties (Article 83)
Organizations that fail to comply with the General Data Protection Regulation face far larger penalties than under the 1995 Directive. A business can be fined up to 4% of its worldwide annual turnover or €20 million, whichever is higher, for violating the basic principles for processing, including the conditions for consent, or for infringing data subjects' rights.
A business can be fined up to 2% of worldwide annual turnover or €10 million, whichever is higher, for other infringements, including failing to notify the DPA of a breach, failing to keep records of processing in order, and failing to carry out a Data Protection Impact Assessment.
These penalties apply to both controllers and processors.
GDPR supervisory authorities
Each member state must appoint one or more independent public authorities (supervisory authorities, commonly called Data Protection Authorities) to monitor the application of the GDPR. Businesses must cooperate with the supervisory authority on request. For cross-border processing, a single lead supervisory authority (LSA) handles complaints and queries under the "one-stop shop" mechanism.
7 principles of general data protection regulation
The GDPR sets out seven broad principles. These principles reflect the nature of the regulation and determine how it applies to any enterprise within its scope, including enterprises based outside the EU, such as in the USA. They are laid out in Article 5 of the legislation.
● Transparency, Fairness, and Lawfulness
Personal data shall be: 1 (a) processed lawfully, fairly, and in a transparent manner concerning the data subject (‘lawfulness, fairness, and transparency’);
Under this principle, data subjects are entitled to transparency about how their data is used. When collecting data, the organization must tell the subjects why the data is being collected and how it will be used. Any further information about the processing must be provided to subjects on request.
● Limitation of Purpose
Personal data shall be: 1 (b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, following Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
Under this principle, companies may only collect personal data for the specific purpose they have declared and may not reuse it for incompatible purposes. Both supervisory authorities and the public can challenge requests for information that is not relevant to the service. Asking for irrelevant personal information is itself a non-compliance.
● Minimization of Data
Personal data shall be: 1 (c) adequate, relevant and limited to what is necessary concerning the purposes for which they are processed (‘data minimisation’);
The data collected should cover only what the service or business precisely requires. Companies cannot gather or request information that is irrelevant or unnecessary for their service. This principle therefore limits the exposure of personal information that is not needed for the processing.
● Accuracy
Personal data shall be: 1 (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
Under this principle, controllers must ensure that the information they hold is accurate and fit for its purpose. Organizations should have clear policies and thorough processes for keeping data up to date and for correcting or erasing inaccurate data across processing, storage and maintenance.
● Limitation of Storage
Personal data shall be: 1 (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes following Article 89(1) subject to the implementation of the appropriate technical and organizational measures required by this regulation to safeguard the rights and freedoms of the data subject (‘storage limitation’);
Data subjects can request that organizations erase their personal information in the cases Article 17 sets out, and organizations must delete data once it is no longer needed for the purpose it was collected for, unless it is kept solely for the archiving, research or statistical purposes mentioned above. In particular, companies cannot keep data about people who are no longer their customers or clients indefinitely.
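The privacy-by-default requirement of Article 25 (above) and the data minimisation and storage limitation principles leave it to the controller to enforce, in code, that only the fields needed for a given purpose are processed and that data is dropped once its retention period lapses. The following is an added example, not code from the original article or any real product, showing one way to do that: each field is tagged with the purposes it may serve and a retention period, a purpose-limited view refuses untagged fields instead of passing them through, and a retention sweep reports what is due for erasure. The field names, purposes, retention periods and the sample record are all constructed for the example.

```python
"""Purpose-limited access and retention enforcement for personal-data records.

Added example (not from the original article). The policy table, purposes,
retention periods and sample record below are assumptions constructed for
illustration; they are not taken from the regulation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FieldPolicy:
    purposes: frozenset    # purposes the field may be processed for
    retention: timedelta   # how long after collection the field may be kept


# Hypothetical policy table for an online shop (constructed for this example).
POLICY = {
    "email": FieldPolicy(frozenset({"account", "billing"}), timedelta(days=730)),
    "postal_address": FieldPolicy(frozenset({"billing"}), timedelta(days=365)),
    "marketing_opt_in": FieldPolicy(frozenset({"marketing"}), timedelta(days=365)),
    "browsing_history": FieldPolicy(frozenset({"analytics"}), timedelta(days=30)),
}

# Bookkeeping keys that are not personal-data payload and carry no policy.
METADATA = {"subject_id", "collected_at"}


def _policy(field):
    """Privacy by default: a field with no declared policy is refused, not passed on."""
    try:
        return POLICY[field]
    except KeyError:
        raise ValueError(f"no data-protection policy declared for field {field!r}") from None


def fields_due_for_erasure(record, now):
    """Storage limitation: names of fields whose retention period has lapsed."""
    age = now - record["collected_at"]
    return {f for f in record if f not in METADATA and age > _policy(f).retention}


def minimise(record, purpose, now):
    """Purpose limitation + data minimisation: the subset of `record` that may be
    used for `purpose` at time `now`. Expired fields are excluded even if the
    purpose would otherwise allow them."""
    age = now - record["collected_at"]
    return {
        f: v for f, v in record.items()
        if f not in METADATA
        and purpose in _policy(f).purposes
        and age <= _policy(f).retention
    }


def erase_expired(record, now):
    """Retention sweep: a copy of `record` with all lapsed fields removed."""
    due = fields_due_for_erasure(record, now)
    return {f: v for f, v in record.items() if f not in due}


# Constructed sample: a record collected 400 days before the reference time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORD = {
    "subject_id": "u-1001",
    "collected_at": NOW - timedelta(days=400),
    "email": "alice@example.com",
    "postal_address": "1 Example Street",
    "marketing_opt_in": True,
    "browsing_history": ["/cart", "/checkout"],
}


def sample_collected_days_ago(days):
    """The same sample record with a different age (helper for experiments)."""
    return {**SAMPLE_RECORD, "collected_at": NOW - timedelta(days=days)}


if __name__ == "__main__":
    print("billing view  :", minimise(SAMPLE_RECORD, "billing", NOW))
    print("analytics view:", minimise(SAMPLE_RECORD, "analytics", NOW))
    print("due for erasure:", sorted(fields_due_for_erasure(SAMPLE_RECORD, NOW)))
    print("after sweep   :", sorted(erase_expired(SAMPLE_RECORD, NOW)))
```

At 400 days the billing view returns only the email address (the postal address lapsed at 365 days), the analytics view is empty (browsing history lapsed at 30 days), and the sweep reports three fields for erasure. The deliberate choice is that an unknown field raises rather than being copied through: the safe default is to process nothing whose purpose and lifetime have not been declared.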
● Confidentiality and Integrity
Personal data shall be: 1 (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
The confidentiality and integrity of personal data must be protected. Organizations that collect and process data are responsible for implementing security measures appropriate to the risk to the rights and freedoms of data subjects. The GDPR leaves no room for negligence, which obliges organizations to take strict preventive measures against security breaches.
● Accountability
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Organizations are accountable for demonstrating their compliance, and for any data breach that may occur. Both European and non-European companies within the GDPR's scope must ensure compliance. Businesses should take the time and effort to evaluate their potential risks, since they face heavy fines when they fail to protect data subjects' data.