All about General Data Protection Regulation (GDPR) – EU
Sunday, May 17, 2020
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Implementation date: 25 May 2018
Replaces: Data Protection Directive 95/46/EC
What is GDPR?
With the rise in attacks on personal data, misuse of personal data by multinational corporations (MNCs), and numerous data theft cases worldwide, a strong personal data law became the need of the hour in the last decade. Although several data protection and information security laws already existed, they were outdated, had major flaws, and lacked adequate policies to prevent the misuse of a person’s sensitive data and information. MNCs that captured your personal details under default terms and conditions posted on their website could use and sell your data for business profit. The laws were not powerful enough to stop such big brands from misusing citizens’ information.
The European Parliament and the Council of the European Union took a joint initiative and prepared the first ever robust law concerned with the personal data of European citizens in 2018, naming it the General Data Protection Regulation. This law can be considered a replacement for the 1995 Data Protection Directive, with some major changes. The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere in the world, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The Regulation consists of 99 Articles and 173 Recitals.
Despite a pre-GDPR transition period taking place, which allowed businesses and organisations time to change their policies, there has still been plenty of confusion around the rules. In this article, we try to decipher the GDPR and, we hope, make it less overwhelming for SMEs concerned about GDPR compliance.
Key Highlights of GDPR 2016:
In layman language, GDPR is a set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
GDPR can be considered as the world’s strongest set of Personal Data Protection rules, which enhance how people can access information about them and places limits on what organisations can do with personal data. With the GDPR, Europe is signalling its robust stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises.
The General Data Protection Regulation (GDPR) has now been in place for around two years and has modernised the laws that protect the personal information of individuals.
Key Definitions of GDPR:
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Anonymous data can also fall under the definition if it’s relatively easy to identify someone from it.
Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.
Data subject — The person whose data is processed. These are your customers or site visitors.
Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers or email service providers.
Personal data is central to the GDPR. Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of it are covered by the law. The Regulation governs the processing of personal data by: (i) government, (ii) corporates or companies, and (iii) foreign companies dealing with the personal data of EU citizens. Although it comes from the EU, GDPR can also apply to businesses that are based outside the region. If a business in the US, for instance, does business in the EU, or is a controller of EU citizens’ data, then GDPR can apply.
Data protection principles
As per Article 5.1-2, if you process data, you must follow seven protection and accountability principles:
Lawfulness, fairness, and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality.
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Accountability of Organizations
The GDPR says data controllers (the person who decides why and how personal data will be processed) must be able to demonstrate they are GDPR compliant. And this isn’t something you can do after the fact: If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant. Among the ways you can do this:
- Designate data protection responsibilities to your team.
- Maintain detailed documentation of the data you are collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
- Train your staff and implement technical and organizational security measures.
- Have Data Processing Agreement contracts in place with third parties you contract to process data for you.
- Appoint a Data Protection Officer (if applicable).
People’s Privacy Rights
The GDPR recognizes a list of new privacy rights for data subjects, which aim to give individuals more control over the data they provide to organizations. As an organization, it’s important to understand these rights to ensure you are GDPR compliant.
Below is a rundown of data subjects’ privacy rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
No one can overrule these rights, and everyone, including the government, must obtain the data subject’s consent before taking any action on their personal data.
Security discussions in GDPR
As a key principle of GDPR, personal data must be protected against “unauthorised or unlawful processing,” as well as accidental loss, destruction, or damage. This means that appropriate information security protections must be put in place to make sure information isn’t accessed by hackers or accidentally leaked as part of a data breach. So, security of such data becomes mandatory for data controllers and data processors.
GDPR does not spell out what good security practices look like, as technology keeps changing and differs from organization to organization. But the end goal is clearly stated in GDPR: you are required to handle data securely by implementing “appropriate technical and organizational measures.” If a data breach occurs, data protection regulators will look at a company’s information security setup when determining any fines that may be issued.
Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored, to contracting with cloud providers that use end-to-end encryption and other security measures.
To have full security in place and validation of the same, GDPR added accountability as a key principle. It was added to ensure that companies follow security guidelines and can prove that they are compliant with them. At its simplest, accountability can mean documenting how personal data is handled and the steps taken to ensure that only people who need to access some information are able to. Companies with more than 250 employees need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for, and descriptions of the technical security measures in place.
Data protection by design and by default
As per GDPR, everything you do in your organization must, “by design and by default,” consider data protection. This means you must consider the data protection principles in the design of any new product or activity, as well as in existing products and processes. The GDPR covers this principle in Article 25.
Data Protection Officers
As per GDPR, appointing a Data Protection Officer is mandatory for certain types of organization.
A DPO’s basic tasks involve understanding the GDPR and how it applies to the organization, advising people in the organization about their responsibilities, conducting data protection training, conducting audits and monitoring GDPR compliance, and serving as a liaison with regulators.
Contrary to popular belief, not every data controller or processor needs to appoint a Data Protection Officer (DPO). There are three conditions under which an organization is required to appoint a DPO:
- You are a public authority other than a court.
- Your core activities require you to monitor people systematically and regularly on a large scale.
- Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10.
You could also choose to designate a DPO even if you aren’t required to. There are benefits to organizations to having someone in this role.
GDPR breaches and fines:
In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. Supervising Authorities have more power than under the previous legislation because the GDPR sets a standard across the EU and throughout the world for all companies that handle EU citizens’ personal data. Supervising Authorities hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case and the SA may choose whether to impose their corrective powers with or without fines.
Failure to comply with GDPR can result in a fine ranging from 10 million euros to four per cent of the company’s annual global turnover. Fines depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner or not.
The maximum fine of 20 million euros or four percent of worldwide turnover – whichever is greater – is for infringements of the rights of the data subjects, unauthorised international transfer of personal data, and failure to put procedures in place for or ignoring subject access requests for their data.
A lower fine of 10 million euros or two percent of worldwide turnover will be applied to companies that mishandle data in other ways. These include, but aren’t limited to, failure to report a data breach, failure to build in privacy by design and ensure data protection is applied in the first stage of a project, and failure to appoint a data protection officer, should the organisation be one of those required to by GDPR.
If a company has a data breach, it has 72 hours to tell the data subjects about it or face penalties. This breach notification must include approximate details of the breach, including the categories of information and the number of individuals compromised as a result of the incident, and the categories and approximate numbers of personal data records concerned. The contact details of the data protection officer, or the main point of contact dealing with the breach, will also need to be provided.
EU citizens immediately started using their GDPR rights as soon as the regulation came into force on 25 May 2018.
Some of the biggest fines under GDPR to date are as below (source Wikipedia):
- Facebook and subsidiaries WhatsApp and Instagram, as well as Google LLC (targeting Android), were immediately sued by Max Schrems’s non-profit NOYB just hours after midnight on 25 May 2018, for their use of “forced consent”.
- On 21 January 2019, Google was fined €50 million by the French DPA for showing insufficient control, consent, and transparency over use of personal data for behavioural advertising.
- In July 2019, the British Information Commissioner’s Office issued a record fine of £183 million (1.5% of turnover) against British Airways, for poor security arrangements that enabled a 2018 web skimming attack affecting around 380,000 transactions.
Advantages to EU Citizens
While GDPR arguably places immense burdens on data controllers and processors, the legislation is designed to help protect the rights of individuals. The law gives the highest priority to individual rights on data protection. As per the law, citizens’ personal information can’t be collected, processed, or shared without their consent. Only the necessary data may be collected, and it can be used for pre-defined purposes only.
With this, citizens can have peace of mind about the misuse of their personal data and also gain freedom from unwanted marketing and sales calls and identity fraud. People have successfully used SARs to find out what information technology companies hold about them. If you want to find out what a company or organisation knows about you, you need to file a Subject Access Request (SAR). When one citizen filed a SAR, Tinder sent him 800 pages of information about his use of its app, including education details, the age range of the people he was interested in, and the location of where every match happened. So things are scary if you check the quantity of your personal data held by big giants like Google, Apple, Yahoo, Facebook, WhatsApp, Tinder, LinkedIn, Amazon, etc. GDPR gives every citizen (EU only) the right to be informed, to access, to rectification, to erasure, to restrict processing, to data portability, to object to data handling, and rights in relation to automated decision making and profiling.
The companies are required to be clear and concise on what data is collected, its purpose, how it’s used, where it’ll be stored and for how long the data will be retained.
GDPR Impact on Businesses
This law is a revolutionary step for EU citizens towards building a significant base for personal information security. It will change the way of doing business for all SMB companies, due to restrictions on data localization, the establishment of Data Protection Officers, and stringent penalty clauses. Considering the stringent compliance requirements and policies, and the requirement for dedicated Data Protection Officers, most global firms will face challenges in terms of increased compliance costs and restrictions.
Chapter V of the GDPR forbids the transfer of the personal data of EU data subjects to countries outside of the EEA — known as third countries — unless appropriate safeguards are imposed, or the third country’s data protection regulations are formally considered adequate by the European Commission (Article 45).
Since 2018, some of the world’s largest technology firms have (forced by law) repositioned their products as privacy-focused – a strategy that has likely come about in some part.
GDPR Impact on third-party and customer contracts
The GDPR places equal liability on data controllers and data processors. If a third-party processor is not compliant, your organization is not in compliance either. The new regulation also has strict rules for reporting breaches that everyone in the chain must be able to comply with.
So, in short, all existing contracts with processors (e.g., cloud service providers, IT vendors, support vendors, SaaS vendors, or payroll service providers) and customers need to be revised to redefine responsibilities. The revised contracts also need to define consistent processes for how data is managed and protected, how breaches are reported, who will be held responsible for any breach, and how compliance will be achieved.
Steps to ensure GDPR Compliance
- Have a dedicated legal team to keep an eye on local law as well as GDPR, both for handling data in a protected way and for new law updates.
- Take help from assisting organizations, but make sure to remain compliant. Non-compliance will lead to heavy penalties.
- Pay close attention to your tools, website, and applications. Cookies, opt-ins, data storage, network, etc. must be part of the compliance checklist.
- All data in your organization must comply with GDPR if you have a presence in the EU or even if you are processing EU citizens’ data.
- Implement proper tools and technologies to remain compliant.
- Implement security guidelines around vulnerabilities, threats, and risks, and use proper security tools and techniques such as encryption and Data Leak Prevention.
- Designate a data protection officer that will build a data protection program to meet GDPR requirements.
GDPR Influence on international laws
Mass adoption of these new privacy standards by international companies and governments has been noted. Several countries and regions around the world appear to be taking cues from GDPR by introducing or modifying data protection legislation. Laws such as the “California Consumer Privacy Act”, in effect from 1 January 2020, and India’s Personal Data Protection Bill (PDPA) 2019 are influenced by GDPR. Their personal rights, controls, data management authorities, processes, and penalties are designed under the influence of GDPR.
We hope you now have a good understanding of GDPR. Though we have covered all the major points on GDPR, we strongly recommend going through the complete regulation itself if you handle EU citizens’ data or otherwise need to achieve compliance with it.
Regulation can be downloaded from here.
This Website/document does not constitute any professional advice. The information in this document has been obtained or derived from different sources believed by dataprivacyacts.com to be reliable but dataprivacyacts.com does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of Dataprivacyacts.com at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. Dataprivacyacts.com neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.
© dataprivacyacts.com. All rights reserved.