There are numerous public and private organizations that may have information about you. This can include something as basic as your contact information or more complex data like your web browsing history. You might be worried about your privacy, the accuracy of the information, or how the public authorities or organization collecting the data will utilize it going forward and with any other organizations it chooses to share it with.
Data protection regulations have been developed all around the world as a result of these concerns. These data privacy laws and regulations ensure that your personal data may only be stored on legitimate grounds, such as your consent or a legal requirement.
To help you learn more, we have compiled this GDPR summary guide. Keep reading!
What is the GDPR?
The General Data Protection Regulation (GDPR) is widely regarded as the world’s strictest set of data protection laws. It strengthens the rights people have to access information held about them and restricts what organizations can do with personal data.
It was put in place to give consumers in a growing digital economy more control over how their personal information is used and to harmonize data protection law across the single market. Those that break the GDPR’s privacy and security rules face severe fines, which can total tens of millions of dollars.
The GDPR provides detailed definitions for a number of legal concepts. Some of the most crucial ones to which we make reference in this article are listed below:
- Personal data: Any information relating to an individual who can be identified, directly or indirectly. Names and email addresses are obviously personal data, but political views, browser cookies, ethnicity, gender, social networking profiles, biometric data, and location details can all count as personal data too.
- Data processing: Any manual or automated operation performed on personal data. This includes collecting, recording, organizing, structuring, storing, using, and deleting it.
- Data subject: The individual whose data is processed. These are your clients or website users.
- Data controllers: The people who determine the purposes and means of processing personal data. This applies to you if you are a business owner or an employee who manages data.
- Data processors: A third party that carries out data processing on behalf of a data controller. The GDPR contains specific obligations for these people and businesses. Examples include email service providers like Proton Mail or cloud storage services like Tresorit.
History of the GDPR
According to the 1950 European Convention on Human Rights, everyone has the right to respect for their private and family life, their home, and their correspondence. On this basis, the European Union has worked to defend this right through legislation.
With the development of technology and the advent of the Internet, the EU recognized the need for new protections. Consequently, in 1995, it passed the European Data Protection Directive, which established baseline criteria for data privacy and security and served as the foundation for implementing laws in each member state.
But the Internet was already changing and becoming the information superhighway it is today. The first banner advertisement appeared online in 1994. The majority of financial institutions provided online banking in 2000. Facebook began accepting users in 2006. A Google user filed a lawsuit against the firm in 2011 after it scanned her emails.
Two months later, the European Commission’s data protection agency concluded that the EU required “a comprehensive approach on personal data protection,” and the 1995 directive update process got underway.
The GDPR became enforceable in 2016 after being approved by the European Parliament, and as of May 25, 2018, all enterprises had to comply. These regulations are now effective across all EU member states and are applicable to all EU citizens as well as, most significantly, any corporation doing business with an EU citizen.
Who does the GDPR affect?
Any business that collects personal data may fall under the GDPR’s rules and, as a result, may be subject to the fines associated with non-compliance. All businesses should therefore be aware of the GDPR and strictly adhere to its requirements before enforcement action is taken against them, because the fines for non-compliance can be severe.
In general, businesses that target EU data subjects must comply with the GDPR in two situations: when offering goods or services, and when monitoring online activity.
The GDPR can therefore apply even if your business is based in the US: for instance, if you sell products to clients in the EU and in other regions where the GDPR is in effect (such as Ireland, Liechtenstein, Norway, and Switzerland) and you gather their personal information.
It also applies to monitoring the online activities of GDPR data subjects. One example would be tracking the personal information of visitors to your website who are located in these countries.
In short, don’t assume you are exempt from the GDPR because you run your business outside of Europe. The GDPR applies to businesses based in the EU and to those operating globally that directly or indirectly target EU citizens.
What are the fundamental provisions of the GDPR?
1. Fair, legal, and transparent data processing
According to Article 5 of the GDPR, organizations must have a documented legal basis for collecting and processing personal data, and individuals must be aware of how their data is being used and processed. To guarantee transparency, you should provide privacy notices and make them available to data subjects.
2. Purpose, data, and storage restrictions
Organizations may only collect personal data for specified purposes. They must also document that purpose and make sure the collected data is destroyed once it is no longer required.
3. Data subject rights
One way the GDPR has empowered users is by giving them a wide range of new rights over their personal data. Here are some of them:
- The right to be informed: According to Articles 13 and 14, GDPR promotes transparency in personal data collection procedures, so people have the right to be fully informed about the collection and use of their personal data.
- The right of access: Article 15 states that people have the right to request access to any personal information that has been gathered about them. Again, they must be told why the data was gathered and who it was shared with. This information must be provided free of charge within a month.
- The right to erasure: In Article 17, a person has the right to ask that all the information gathered about them be permanently removed, either because the information is no longer necessary or because they wish to revoke their consent.
- The right to rectification: Article 16 states that an individual has the right to ask for a correction if the information held about them is inaccurate. The organization processing the data must respond within one month and update the data. A data subject may also ask that incomplete information be completed.
- The right to restrict data processing: In Article 18, a person has the right to request a restriction on how personal data is processed in specific circumstances, such as when the processing is illegal or when the person has objected to it.
- The right to data portability: Article 20 states that users must receive their data in a commonly used, readable format when they request it. The controller that provides this data cannot restrict or prevent the data subject from transferring it to another controller. In essence, personal data must be portable: the data subject is free to move it to another business.
- The right to object: According to Article 21, individuals are entitled to object to the processing of their data in specific situations, such as direct marketing.
- Rights relating to automated decision-making: Article 22 says that people have the right to be free from automated decision-making that significantly affects their lives, such as profiling.
4. Consent
The GDPR expressly forbids the use of lengthy, obtuse terms and conditions, especially ones written in legalese. Any request for consent, statement of terms, or privacy statement must be given concisely, clearly, and without ambiguity. Furthermore, withdrawing consent must be as easy as giving it.
Additionally, the GDPR makes it quite clear that organizations handling sensitive or private data must obtain permission each and every time they access the data. According to the rules, businesses cannot request authorization to access private data once and then assume that it covers all subsequent transactions.
5. Personal data breaches
A personal data breach is defined as an incident that results in the accidental or unlawful loss, alteration, or disclosure of, or access to, personal data that has been transmitted, stored, or otherwise processed.
This means that data breaches are not only the result of hackers breaking into a company’s computer systems. They can also happen when an employee accesses data unrelated to their job function, shares files with a third party outside the organization, or sends an email containing sensitive information to the wrong recipient.
According to Article 4, a company must notify all data subjects of any security breach or cyber exposure within 72 hours of first becoming aware of it. The notification should be made in as many ways as are deemed necessary, such as email, phone messages, and public announcements, to ensure that the information is distributed promptly.
6. Privacy by design
To comply with the GDPR and effectively protect data subjects’ rights, businesses must adhere to the Privacy by Design principles and put in place the necessary technical and organizational measures and safeguards.
This means businesses must process only the data that is strictly necessary for carrying out their operations and restrict access to personal information to those workers who need it to perform the processing the data subject has authorized.
In practice, this means organizations must:
- Adopt the right organizational and technical steps to put the data protection principles into practice.
7. Data protection impact assessment
According to Article 35, data protection impact assessments (DPIAs) enable organizations to identify vulnerabilities and reduce privacy risks when processing data. They are essential if you handle any high-risk data, but they are also important whenever you introduce a new system, procedure, or technology for data collection.
8. Data transfers
Different rules apply to data transfers depending on where you are moving sensitive personal data to and from. Organizations do not need to take any additional security precautions when transferring personal data within the EU. However, transfers outside the EU must meet the conditions set out in Article 44.
In most situations where organizations share data directly with organizations headquartered outside the EU, standard contractual clauses (SCCs) are used.
9. Data protection officer
Data protection officers (DPOs) are independent data protection experts whose job is to advise an organization that processes personal data on how to comply with its regulatory obligations.
According to Article 39, a DPO’s data protection duties include:
- Educating employees about their obligations regarding data privacy
- Monitoring the organization’s data protection policies and practices
- Advising management on when DPIAs (data protection impact assessments) are required
- Acting as the organization’s point of contact with its supervisory authority
- Acting as a point of contact for individuals with regard to privacy issues
What are the Consequences of Violating the GDPR Regulation?
As we have already indicated, failing to comply with the GDPR’s requirements can result in serious penalties and serious liability for any business. The maximum fine that can be imposed for violating the GDPR is 4% of the company’s annual global turnover.
Organizations that breach the Privacy by Design principle or fail to obtain appropriate customer consent to collect or process personal data are subject to the maximum penalty.
Other offenses are penalized on a sliding scale depending on their severity. For instance, failing to maintain accurate records, failing to promptly notify the supervisory authority and the data subject of a security breach, or failing to carry out a required impact assessment could result in a fine of 2% for the organization.
Conclusion GDPR Summary
The General Data Protection Regulation (GDPR) represents a significant step forward in strengthening data privacy. Organizations must abandon outdated data practices in order to comply with this strict regulation and avoid substantial fines, reputational damage, and lost customers. We hope your business will be able to fully comply with the GDPR after reading this brief GDPR summary.