GDPR

The General Data Protection Regulation (GDPR) is a legal framework that reshaped how organizations process personal data within the European Union (EU).

In this summary, we explain the GDPR, who it applies to, how to comply, and its key requirements and penalties for not complying with it. Here's a clear and straightforward overview to help you understand its essential provisions.

What is the GDPR? A Brief Overview

The GDPR is a comprehensive data protection law introduced by the EU to regulate the processing of personal data belonging to EU residents. It was adopted in the EU in 2016 and has been effective since 2018.

The GDPR replaced the Data Protection Directive (1995) to address new tech-related data-sharing challenges. It applies to EU- and non-EU-based businesses that analyze, track, process, or collect the personal data of EU citizens.

The regulation allows individuals to correct, monitor and access personal data and enforces user privacy.

It also imposes binding requirements on businesses to ensure the personal data of EU citizens is securely and transparently handled.

How Does the GDPR Define Personal Data?

In paragraph 1 of Article 4, the GDPR defines personal data as "...any information relating to an identified or identifiable natural person."

This includes a wide range of online and offline data that can directly or indirectly identify an individual independently or when combined with other information. Examples include:

  • Names, addresses, phone numbers, and emails
  • Identification numbers (e.g., Social Security, passport, or driver's license numbers)
  • Location data (e.g., GPS coordinates or IP addresses)
  • Biometric data (e.g., fingerprints, facial recognition, or DNA)
  • Genetic information
  • Health or medical data
  • Political opinions, religious beliefs, or trade union membership

The GDPR applies to any company operating in the EU, whether in e-commerce or serving B2B customers. The regulation emphasises strict principles regarding collecting, accessing, and using personal data.

Less obvious data points, such as website cookies, social media activity, or audio and video recordings, can also be classified as personal data if they can be linked to an individual, even indirectly or through a combination of data points.

Who Does the GDPR Apply to?

The GDPR defines its "territorial scope" in detail in Article 3. The regulation applies to any organization that handles the personal data of EU residents, wherever in the world that organization is physically located. For example, a company outside the EU that has EU customers must comply with the GDPR. However, it is not obligated to follow the regulation if it doesn't have EU customers.

Here's a list of entities to whom the GDPR applies:

  • EU-based companies or entities that process EU citizens' personal data
  • Worldwide businesses that process EU citizens' personal data. This includes offering paid or free goods or services to EU residents or monitoring their behavior through online analytics, cookies, targeted advertising, and similar means
  • Data controllers that determine the purposes and means of processing personal data
  • Data processors that process and track personal data on behalf of data controllers

What Does the GDPR Require?

The key principles of the GDPR are set out in paragraphs 1 and 2 of Article 5.

Here's a brief overview of the main requirements:

  • Responsibility and accountability
  • Six principles of data handling
  • Legal data processing
  • Rights of personal data subjects
  • Compliance with consent requirements
  • Built-in data protection and default privacy
  • Privacy and transparency disclosures
  • International personal data transfers
  • Compulsory data breach reporting
  • Data protection officers (DPOs)

In the following section, we'll explore how to meet GDPR compliance and the key requirements organizations must follow.

How to Comply With the GDPR

To ensure your business complies with the GDPR, go through the following checklist and see whether you adhere to each specific requirement.

Here's a brief explanation of the checklist criteria.

Ensure Responsibility and Support

Top-level endorsement and support are necessary for GDPR adherence. Businesses should do the following:

  • Brief board members on the key benefits of adhering to the GDPR and on the risks of personal data breaches
  • Secure management approval and support for GDPR adherence
  • Appoint a director to be responsible for GDPR adherence

GDPR Adherence Project Development

After obtaining executive support and endorsement, you must develop your GDPR adherence project. To do so, you'll need to take the following steps:

  • Assign a project manager who will keep track of the GDPR adherence project development steps
  • Assign a data protection officer
  • Identify and assess a security framework (e.g., ISO 27001) to make sure the company follows high-level data security practices, as required under Article 32 of the GDPR
  • Implement a Privacy Information Management System and make sure it is in line with ISO 27701 guidelines and standards
  • Evaluate if data protection by design and by default is embedded in your processes and systems

Data Flow Analysis and Data Registry

The next step is to conduct a complete data flow analysis and create a data registry. These are the key steps you'll need to take:

  • Identify the specific categories and types of personal data your organization holds
  • Map how personal data flows through and is transmitted across the organization
  • Identify, monitor and track data risks. While doing so, decide whether your organization requires a data protection impact assessment (DPIA)
  • Maintain records of your personal data processing activities

In-Depth Risk Evaluation

Once you have completed the data flow analysis and data registry, continue with an in-depth assessment of the risks of personal data infringement. Here's what you can do:

  • Create a risk evaluation plan
  • Pinpoint data breach risks
  • Evaluate and monitor data breach risks
  • Identify methods to prevent or handle data breach risks

Gap Evaluation

Carrying out a gap evaluation helps assess and keep track of your daily workflows and ensures that your business adheres to the GDPR. Here's what you'll need to do:

  • Audit and analyze your current GDPR adherence
  • Pinpoint specific GDPR adherence gaps

Guidelines, Protocols, and Workflows

The next step requires you to establish business guidelines, protocols and workflows. Follow the steps below to make sure your company meets the GDPR's legal requirements:

  • Confirm that policies and notices on personal data safety comply with the regulation
  • Verify that every workflow process that requires consent complies with the regulation
  • Review clients', suppliers' and staff members' contracts and make sure they are up to date with the GDPR requirements
  • Identify and address Data Subject Access Requests within 30 days
  • Verify whether your business should conduct a Data Protection Impact Assessment
  • Check that the mechanisms used to transfer data beyond the European Economic Area comply with the GDPR

Technical and Administrative Safeguards

Once you have ensured that your business guidelines, protocols and workflows adhere to the GDPR, continue by implementing technical and administrative safeguards, such as the following:

  • Define a business strategy for data security
  • Apply fundamental technical safeguards, such as those recommended by recognized frameworks like Cyber Essentials
  • Employ data pseudonymisation and/or encryption where necessary
  • Implement guidelines and practices to monitor, identify and keep track of data privacy violations

Employee Skills and Training

Training employees in personal data protection is vital to a company's plan for ensuring GDPR compliance. Here's a list of the recommended steps:

  • Make sure that the communication between employees and stakeholders is clear, concise and effective
  • Educate staff members on personal data safety, protection and the key GDPR guidelines and principles

GDPR Compliance Evaluation

Achieving GDPR compliance is a continuous process, not a one-time task. To ensure your company is always compliant with the GDPR, conduct regular company audits and update the data safety and protection workflows. Here's a list of the steps you need to take:

  • Plan and conduct periodic reviews of data safety procedures and security protocols
  • Maintain up-to-date records of personal data processing
  • Perform DPIAs when necessary
  • Evaluate data safety practices
  • Manage and address all GDPR adherence elements

Penalties For Not Complying With the GDPR

GDPR fines aim to make non-compliance financially impactful for businesses of all sizes, including small, mid, and large-sized companies and enterprises.

Under Article 83, penalties are flexible and proportional to the organization, ensuring non-compliance comes with serious consequences.

There are two administrative penalty levels for businesses that do not comply with the GDPR.

Less serious violations can lead to fines of up to €10 million or 2% of the company's yearly revenue from the previous fiscal year, whichever sum is higher.

Businesses are liable for this tier of fine if they violate any of the GDPR articles below:

  • Data processors and controllers: Articles 8, 11, 42, 43, and all articles between 25 and 39
  • Accredited certification bodies: Articles 42 and 43
  • Monitoring and supervisory bodies: Article 41

In addition to the less serious violations, the GDPR recognizes severe violations that undermine the core principles of privacy rights and the right to data removal ("right to be forgotten"). These two principles are central to the GDPR.

These offences may lead to penalties of up to €20 million or 4% of a company's global yearly revenue from the previous fiscal year, whichever sum is higher.

These violations pertain to breaches of the articles related to the following:

  • Key data processing regulations and principles: Articles 5, 6 and 9
  • Breach of the conditions for consent: Article 7
  • Breach of the rights of data subjects (the owners of the personal data): all articles between 12 and 22
  • Transfer of personal data to an international organisation or to a recipient located in a non-EU country: all articles between 44 and 49
  • Breach of the laws enacted by member states under Chapter IX: all articles between 85 and 91
  • Non-compliance with an order issued by a supervisory authority

Key Criteria to Assess Penalties

Authorities assess and determine if there should be a penalty for the businesses that infringed the GDPR by following the key criteria in Article 83. Here's a list of the ten key standards for penalty assessment:

  • The nature and severity of the infringement, i.e., the number of individuals affected, the reason behind it, and the time taken to resolve it
  • Whether the infringement was premeditated and intentional or occurred because of oversight or neglect
  • Whether the infringing party took steps to reduce the harm experienced by those affected
  • The organizational and technical safeguards the business had already implemented to comply with the specific GDPR requirements
  • Prior infringements, both under the GDPR and the Data Protection Directive
  • Cooperation and coordination with supervisory bodies to identify and address the breach
  • The categories of personal data affected by the breach
  • Whether the party informed the supervisory body of the infringement on its own initiative
  • Adherence to recognized codes of conduct or prior certification
  • Additional aggravating or mitigating factors, such as any financial gains made or losses avoided as a result of the violation

Summary

The GDPR has transformed how data privacy for EU citizens is handled. The regulation ensures that each EU individual has control of their data while worldwide organizations adopt transparent, secure, and ethical data handling practices. GDPR compliance is a global priority because the regulation applies to organizations located both within and outside the EU.

To comply with the GDPR, businesses must understand their data flows, identify lawful processing bases, implement robust security measures, and uphold data subject rights.

The severe penalties for non-compliance highlight how important it is for organizations to align all their operations with GDPR requirements. By setting high standards and severe penalties, the GDPR encourages organizations to handle customer data transparently and to take accountability for their actions.