Guide to General Data Protection Regulation (GDPR) Compliance

Introduction

The General Data Protection Regulation (GDPR) is a landmark privacy regulation adopted by the European Union (EU) in 2016 and became enforceable in May 2018. It was designed to conform to privacy laws across EU member states, enhance protection for EU data subjects, and reshape how organisations approach data privacy.

The regulation significantly alters how organisations manage such data, broadly defining personal identification information and requiring explicit consent for data processing. Under GDPR, companies must design their data collection systems with privacy in mind, limiting the amount of collected data and retaining it only as long as necessary.

Keep reading as we explore the fundamental principles and implications of the GDPR, delving into its impact on organisations, the rights it affords to individuals, and the fine associated with it.

What Is the GDPR?

GDPR is widely regarded as the world’s most stringent set of data privacy standards, improving how people can access information about themselves while limiting what companies may do with personal data. The complete text of GDPR is a cumbersome beast with 99 distinct articles.

The rule serves as a basis for laws across the continent, replacing the old 1995 data protection directive. The GDPR’s ultimate form emerged after more than four years of debate and negotiation; it was accepted by both the European Parliament and the European Council in April 2016. Also, the underlying regulations and directives were issued at the end of the month.

GDPR came into force on May 25, 2018, and European countries were granted the opportunity to make tiny changes to meet their needs. Within the United Kingdom, this flexibility resulted in the introduction of the Data Protection Act (2018), which replaced the earlier Data Protection Act of 1998.

Furthermore, it aims to offer customers control over their personal data by holding firms accountable for handling and treating this information. The legislation applies regardless of where websites are hosted. Therefore, it must be followed by any sites that draw European visitors, even if they don't promote products or services to EU residents.

Understanding the General Data Protection Regulation (GDPR)

The GDPR is a comprehensive privacy regulation passed by the European Union that was enacted in May 2018, replacing an older EU data protection law. It strengthens privacy rights and protections for EU citizens’ data collected online.

The key components of GDPR include:

1. Requires clear notice and consent for data collection and use
2. It gives users the right to access, correct, delete, or transfer their data
3. Mandates data breach notification within 72 hours
4. Requires assessment of data protection/security measures
5. It can require hiring a Data Protection Officer (DPO)
6. Sites must provide contact info for users to exercise data rights

Now, let’s talk about its impact. The GDPR forces companies to overhaul data collection and storage and use policies to get affirmative consent. It also provides greater transparency for users around how their information is used and drives increased investment in data security and privacy staff/procedures.

What Are GDPR’s Key Principles?

The GDPR establishes seven key principles for the processing of personal data:

1. Lawfulness, fairness and transparency - Data must be processed lawfully, fairly and transparently. Organisations need a valid legal basis to process personal data and should clearly communicate with data subjects how their data will be used.
2. Purpose limitation - Individual data can only be collected for specific, explicit, legitimate purposes. Data can’t be further processed in a way incompatible with those original purposes.
3. Data minimisation - Only personal data that is necessary and relevant should be collected and processed. Excessive data collection should be avoided.
4. Accuracy - Data must be kept accurate and up-to-date. Inaccurate personal data should be erased or rectified.
5. Storage limitation - Personal data should only be stored in an identifiable format for a short time to achieve the original processing purpose.
6. Integrity and confidentiality - Appropriate security measures must safeguard the privacy and integrity of personal data.
7. Accountability - Organisations must be able to demonstrate their GDPR compliance through policies, procedures and audit trails. They are responsible for complying with the principles and must be able to provide proof.

GDPR Breaches and Fines

The GDPR establishes two tiers of fines for violations, distinguishing between less severe and more serious infringements.

Less Severe Violations:

1. Fines of up to €10 million or 2% of the firm’s global annual revenue (whichever is higher) may apply.
2. These violations encompass rules for controllers and processors, certification bodies, and monitoring bodies.
3. Processors and controllers must adhere to data protection rules, lawful processing, and more.
4. Certification bodies must conduct evaluations transparently and without bias.
5. Monitoring bodies must demonstrate independence and handle complaints impartially.

More Serious Violations:

1. Fines of up to €20 million or 4% of the firm’s global annual revenue (whichever is higher) may be imposed.
2. These violations go against core GDPR principles, including the right to privacy and the right to be forgotten.
3. Principles for lawful data processing, conditions for consent, and data subjects’ rights fall into this category.
4. Transfer of data to international organisations or third countries is also covered.
5. Any violation of member state laws under Chapter IX and non-compliance with supervisory authority orders are considered severe breaches.

A few more points that you should keep in mind are:

1. Individuals can seek compensation under Article 82 for material or non-material damage resulting from a GDPR infringement.
2. Non-compliance with supervisory authority orders can lead to significant fines, regardless of the initial infringement.
3. Member states can enact additional data protection laws under Chapter IX, and violations of these laws are subject to GDPR fines.

How Do Companies Become Compliant Under the General Data Protection Regulation?

Companies can become compliant under the GDPR by protecting the personal data of EU citizens, which includes various types of information such as basic identity information, web data, biometric data, health and genetic data, political opinions, racial or ethnic data, sexual orientation, and IP addresses.

They are also responsible for ensuring their third-party data processors are GDPR compliant. To achieve compliance, companies should conduct a gap analysis, involve representatives from all functions in the organisation, document their processes, and ensure GDPR compliance through system changes.

Plus, it’s crucial to have an initial catalogue of personal data detailing where it’s held, its lineage, and processing activities, and regularly review these procedures. Also, appointing a Data Protection Officer with expert knowledge regarding laws and regulations pertaining to data privacy is another step towards compliance.

Who Is Covered Under the General Data Protection Regulation?

The GDPR sets expansive requirements for organisations globally regarding safeguarding EU citizens’ and residents’ personal data. Here are some of the aspects that it covers:

1. Organisations: The GDPR applies to all companies that process the personal data of EU citizens, regardless of the company’s location. It covers organisations with an establishment in the EU and those outside the EU if they offer goods/services to or monitor the behaviour of EU data subjects.
2. EU Citizens: The data protection rights and principles outlined in the GDPR apply to all EU citizens, regardless of where they reside. It also covers EU citizens temporarily travelling outside the EU. The regulation is centred around protecting their data and privacy.
3. Other Individuals: The GDPR extends beyond EU citizens to cover all individuals physically in the EU when their data is collected/processed. This includes non-EU tourists or temporary residents.
4. Data Types: The GDPR has a broad definition of “personal data” that it applies to. This includes online identifiers like IP addresses, cookies, account handles, contact info, financial info, genetic data, etc. Virtually any data that can identify an individual, directly or indirectly, falls under its scope.

When Did the GDPR Come into Effect?

Following four years of preparation and debate, the European Parliament passed GDPR in April 2016, and the formal texts and regulations of the directive were published in all of the EU’s official languages in May 2016. The Act was enacted across the European Union on May 25, 2018.

Who Does GDPR Apply To?

The GDPR applies to two main categories of entities:

1. Companies or entities with branches in the EU: If a company or entity processes an individual's data in any of its branches established in the EU, the GDPR applies to them. This is regardless of where the actual data processing takes place.
2. Companies established outside the EU: If a company is located outside the EU but offers goods or services (whether paid or free) to individuals in the EU or oversees the behaviour of individuals in the EU, the GDPR applies. However, if processing personal data is not a core part of the business and doesn’t pose risks to individuals, some obligations of the GDPR may not apply, such as the requirement to appoint a Data Protection Officer (DPO).

To help you understand better, here’s an example of when the regulation applies:

Your small tertiary education company operates online from outside the EU but targets Spanish and Portuguese language universities in the EU. Since you process personal data (username and password) as part of your enrollment process, the GDPR applies to your company.

In contrast, here is an example of when the regulation does not apply:

Your service provider company, based outside the EU, offers services to customers outside the EU. As long as your services are not specifically targeted at individuals in the EU, and your clients can use the services when travelling to various countries, including within the EU, your company is not subject to the rules of the GDPR.

The Bottom Line

Some businesses acquire personal data and frequently sell that information, sometimes without their customers' agreement. However, laws have been enacted in several world regions to safeguard individuals. One such law is the General Data Protection Regulation (GDPR) that occurred in the European Union in 2018. Under this, companies are legally required to secure consumer data and tell consumers how it is used. However, it has a vast scope that extends beyond the borders of the EU.