General Data Protection Regulation (GDPR)
What is General Data Protection Regulation (GDPR)?
In December 2016, the EU Parliament and Council agreed upon the EU General Data Protection Regulation, first proposed in 2012, and as of May 25, 2018, it is in effect.
The GDPR offers a framework for data protection with increased obligations for organizations, and its reach is far and wide. It applies to any organization — no matter where it is located — that intentionally offers goods/services or monitors individuals’ behavior within the EU.
The General Data Protection Regulation (GDPR) standardizes data protection legislation for all EU member nations and significantly impacts businesses. The one certainty of the GDPR is that compliance is a complex, business-wide initiative that spans people, processes, technology, and data.
What is personal data according to GDPR?
As per Article 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data may also include special categories of personal data or criminal conviction and offenses data. These are considered to be more sensitive, and you may only process them in more limited circumstances.
Is it mandatory for every organization to appoint a Data Protection Officer (DPO) under GDPR?
Data controllers and processors whose core activities consist either of processing operations that require regular and systematic monitoring of data subjects on a large scale, or processing on a large scale of special categories of data, are required to appoint a data protection officer (DPO).
Data Protection Officer (DPO): Articles 37, 38, and 39 of the GDPR.
What are the Data Subjects Rights under GDPR?
- Right of access: The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals understand how and why you are using their data and check that you are doing it lawfully.
- Right to rectification: Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified.
- Right to erasure: Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
- Right to restriction of processing: Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organization uses their data. This is an alternative to requesting the erasure of their data.
- Right to data portability: The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
- Right to object: Article 21 of the GDPR gives individuals the right to object to the processing of their personal data. This effectively allows individuals to ask you to stop processing their personal data.
- Right related to automated individual decision-making: The data subject has the right not to be subject to a decision based solely on automated processing, such as profiling, which uses personal data to make calculated assumptions about individuals.
- Right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
What are the legal bases of GDPR?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Does the GDPR contain provisions for the safety of children?
According to Article 8 of the GDPR, the default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age.
Children must receive an age-appropriate privacy notice.
Children’s personal data is subject to heightened security requirements.
What is the penalty for GDPR non-compliance?
The GDPR allows data protection authorities across Europe to issue fines of up to:
- 4% of a company’s global annual turnover, or
- €20,000,000,
whichever is higher.
Further, EU Member States can impose their own penalties applicable to infringements of the GDPR that are not subject to administrative fines under Article 83 of the GDPR.
FAQs
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation introduced by the European Union (EU). It came into effect on May 25, 2018, with the primary objective of enhancing individuals’ control over their personal data and ensuring the responsible handling of such data by organizations.
Why is GDPR important?
GDPR is important because it safeguards individual privacy by regulating how organizations collect and process personal data. It holds businesses accountable, promotes transparency, and imposes significant fines for non-compliance, encouraging responsible data handling and protecting people’s sensitive information.
Who does GDPR apply to?
The General Data Protection Regulation (GDPR) applies to any organization that processes the personal data of individuals located in the European Economic Area (EEA), regardless of where the organization is located. This includes businesses offering goods or services to EEA residents or monitoring their behavior. Examples of organizations subject to GDPR include those selling online to EU customers, having EU offices or employees, or using social media analytics, advertising platforms, or cloud computing for EEA resident data.
There are exceptions to GDPR: it doesn’t apply to personal data processing for personal/household activity, public authorities in official duties, or data processing for scientific research/statistics, provided certain conditions are met.
What are the seven principles of GDPR?
According to the GDPR, there are seven principles that govern how personal data should be processed:
- Lawfulness, fairness and transparency: Data should be processed in a legal, fair and clear way.
- Purpose limitation: Data should be collected for specific and legitimate purposes and not used for other purposes.
- Data minimization: Data should be relevant and limited to what is necessary for the purposes of processing.
- Accuracy: Data should be accurate and up to date and corrected or deleted if not.
- Storage limitation: Data should be kept for no longer than necessary for the purposes of processing.
- Integrity and confidentiality: Data should be protected from unauthorized or unlawful access, loss, destruction or damage.
- Accountability: Data controllers should be responsible for complying with the principles and demonstrate their compliance.
What rights do individuals have under GDPR?
Under the GDPR, individuals have the following rights:
- Right to be informed: Individuals have the right to know how organizations collect, use, and share their personal data.
- Right of access: Individuals have the right to request access to their personal data and to receive a copy of it.
- Right to rectification: Individuals have the right to correct inaccurate or incomplete data.
- Right to erasure: Individuals have the right to have their personal data erased, also known as the “right to be forgotten.”
- Right to restrict processing: Individuals have the right to restrict the processing of their personal data in certain circumstances.
- Right to data portability: Individuals have the right to receive their personal data in a machine-readable format and to transmit it to another organization.
- Right to object: Individuals have the right to object to the processing of their personal data for certain purposes, such as direct marketing.
- Right not to be subject to automated decision-making: Individuals have the right not to be subject to solely automated decisions that affect them.
What are the penalties for non-compliance with GDPR?
Penalties for non-compliance with GDPR (General Data Protection Regulation) can be significant and include:
Fines:
- Higher-tier penalties: Organizations can face fines of up to €20 million or 4% of their global annual turnover, whichever is higher, for the most serious violations. These fines are designed to be a strong deterrent for non-compliance.
- Lower-tier penalties: For less severe infringements, fines of up to €10 million or 2% of global annual turnover, whichever is higher, may be imposed.
The exact penalty depends on factors like the nature and severity of the breach, mitigating actions taken, and the company’s cooperation with authorities.