GDPR Compliance

Consumers have the right to data privacy, which places a heavy burden on companies handling their data. In the EU member states, particularly, this means serious business. If your site involves information on people in the EU, you are most likely required to comply with GDPR. A daunting task like this is a major challenge to organizations.

Today, we will define GDPR, its importance, the specific data relevant to its regulations, and the entities responsible for overseeing its compliance.

What is GDPR?

GDPR stands for General Data Protection Regulation, which imposes the standards in collecting and processing data about people in the European Union (EU) and the European Economic Area (EEA). The regulation was first adopted in April 2016 and launched into full effect in May 2018. The Digital Services Act (DSA) and Digital Markets Act (DMA), while distinct from GDPR, contribute to the evolving rules and laws by addressing issues related to digital services, competition, and data protection in the European Union (EU) and the European Economic Area (EEA). Understanding the implications of the Digital Services Act vs Digital Markets Act is crucial in navigating the complex regulatory landscape, as they play distinct roles in shaping the regulatory environment for the digital space and its intersection with the GDPR framework.

The prime directive of the GDPR for sites is to give EU visitors a full data disclosure. Therefore, even if the site does not specifically offer the products and services to EU residents, as long as it attracts European visitors, it must comply accordingly.

According to the EU, GDPR was established to “harmonize” the data privacy laws in the business.

What data is protected by GDPR?

Only data qualified as “personal data” can be protected by GDPR. In Article 4, personal data is a comprehensive term that includes any information identifiable to a natural person.

Data subjects can be identified directly or indirectly through identifiers like name, identification number, location, or any identifier that can link to the subject physically, physiologically, genetically, mentally, commercially, culturally, or socially. Hence, personal data includes the following:

• Identity information
• Web data
• Biometric data
• Health and genetic data
• Political opinions

Note that according to the law, data subjects must be natural persons. Meaning data protection only applies to personalities and not entities like foundations, corporations, and institutions. The person gains this protection by birth and loses it upon death.

What are the lawful purposes for processing personal data?

Personal data must not be processed unless the subject data gives informed consent. Below are the legal bases for processing personal data according to Article 6:

1. If the data subject has duly provided consent in processing his or her data
2. To comply with the data subject’s contractual obligations
3. To fulfill the legal obligations of a data controller
4. To protect the data subject’s vital interests
5. To execute a task in the public interest
6. For the lawful interests of a third party or data controller, unless the data subject’s interests override these

The consent must be fluff-free and unambiguous, showing affirmation by the data subject. Data subjects can withdraw this consent at any given time.

Who is responsible for GDPR compliance?

To ensure compliance with GDPR, you must define these roles at the onset: data controller, data processor, and data protection officer (DPO).

What is a data subject? Data subjects are people or customers to whom an organization collects and processes personal information. Data controller

The data controller assumes the biggest role in protecting private data and the data subject’s rights. This entity defines the methods and reasons for processing data. The data controller can process the collected using its processes and resources.

In some scenarios, the data controller can work with a third-party service provider in processing the data gathered. Nevertheless, the data controller should not leave the data to a third party.

Data processor

Data processors are the third-party groups mentioned earlier. They are internal or external groups that process any data given to them by the data controller. The manner of control is bound to the instructions of the data controller.

Data protection officer

The DPO is responsible for overseeing the data security strategy and GDPR compliance. Every business or organization processing the personal data of EU citizens must have a DPO.

What are the rights of the data subject?

As data owners, data subjects are granted rights by the GDPR, which can be exercised under certain conditions. Here are the 8 rights given to them:

1. The right to access (Article 15)

The data subject has the right to know how the data is collected and processed. This obliges the data controller to give the data subjects a copy of those processed data.

There is no standard format for requesting processed data so that the data subject can make a verbal or written request. The latter is preferred to avoid future disputes over details.

2. The right to rectification (Article 16)

The data reflects information specifically identified to the data subject. Thus, if there are any inaccuracies in the personal data, the individuals have the right to rectify them. When an inaccuracy surfaces, the document controller should immediately effect the rectification.

3. The right to restriction of processing (Article 18)

As an alternative to the right to erasure, this right allows individuals to control how data is being processed. The individual has to provide reasons for limiting the use of this data under certain circumstances.

Examples of these circumstances are as follows:

• The data subject is still contesting the accuracy of the data and requesting verification.
• There is unlawful processing of the data.
• The data is not needed for processing anymore, but the data subject is requesting safekeeping.
• The data subject objects to the controller’s processing.

4. The right to erasure or to be forgotten (Article 17)

This is the right to data subjects to ask organizations for data deletion without delay. This right, however, has to be exercised in the appropriate circumstances. Article 17 discusses the specific circumstances where this right is applicable and an organization’s right to process data.

For example, the right to be forgotten only applies if the organization no longer uses the data or an organization is processing the individual’s data unlawfully. On the other hand, the organization can override the right to be forgotten if, for example, the data is used to exercise freedom of expression or to comply with a legal ruling.

5. The right to data portability (Article 20)

Data subjects can obtain their data from the controller and use it for other purposes. As data owners, they can store data and transmit it to another data controller.

6. The right to be informed (Articles 13 and 14)

This right requires total transparency of data processing transactions to the data subject. The organization should provide the individual with information, including the reasons for processing data, retention periods, and recipients.

7. The right to object (Article 21)

At any given time, the data subject has the right to object to using personal data unless the controller has legal grounds for overriding this objection. The data subject can object if the organization uses the data for any of the following reasons:

• For tasks conducted for public interest
• For exercising official authority
• For legal interests
• For scientific, statistical, or historical reasons
• For direct marketing reasons

8. The right not to be subject to a decision based merely on solely automated processing (Article 22)

‘Solely automated’ means no human intervention during the decision-making process. The process is still considered automated if data entry is done manually and the processing is automated.

What are the 7 data protection principles?

In processing data, you have to abide by the following GDPR principles:

1. Lawfulness, transparency, and fairness

Processing data must be according to law and transparent to the data owner. Transparency means that all information regarding personal data must be understandable and accessible.

2. Purpose limitation

Processing data should be within legitimate purposes and not beyond these purposes. This, however, excludes purposes of public interest and historical, statistical, or scientific purposes.

3. Data minimization

Data collected and processed should be the only ones as specified in the purposes – no more, no less.

4. Accuracy

Data collected must be accurate and updated. As discussed earlier, inaccurate data must be deleted or rectified without delay.

5. Storage limitation

Store only the data for the duration necessary for the specified purpose. As long as the data keeps serving its purpose, storing it for a long period is allowed.

6. Integrity and confidentiality

Processing must be done securely and confidentially. Organizations must implement technical measures to comply with this requirement.

7. Accountability

The data controller must assume responsibility for ensuring all these principles are followed.

Sanctions and penalties

Did you know that violating GDPR laws can result in hefty penalties? Even prominent companies like Amazon, Google, and H&M have been fined millions of dollars for committing these violations.

Generally, there are two tiers of GDPR fines: less severe infringements and serious infringements.

Less severe infringements are fined up to €10 million or 2% of the company’s global revenue of the previous financial year, whichever is higher. These violations can be found in the following sections:

1. Controllers and process (Articles 8, 11, 25-39, 42, & 43)
2. Certification bodies (Articles 42 & 43)
3. Monitoring bodies (Article 41)

On the other hand, serious infringements are heavy violations of preserving the right to privacy. These infringements can result in fines of more than €10 million or 4% of the company’s global revenue of the previous financial year, whichever is higher. These include violations of the articles that govern:

1. The basic principles for processing (Articles 5, 6, & 9)
2. The conditions for consent (Article 7)
3. The data subject’s rights (Articles 12-22)
4. The transfer of data to an international organization (Articles 44-49)

Fines are regulated by the data protection regulator in each country. These are the ten criteria for qualifying fines:

1. Gravity and nature – fact-checking if there was an infringement, the events, how they happened, and the reason for their occurrence.
2. Intention – whether the infringement was deliberate or mere negligence.
3. Mitigation – the efforts made by the company to mitigate the damages inflicted on people.
4. Preventive measures – the technical measures the organization has implemented beforehand to comply with GDPR standards.
5. History – any history of infringements and how the company implemented corresponding corrective actions.
6. Cooperator – whether the organization communicated with the supervisory authority in solving the infringement.
7. Data Category – the type of data affected.
8. Notification – whether the company immediately notified or alerted the supervisory authority regarding the infringement.
9. Certification – whether the company was previously certified or observed proper codes of conduct.
10. Aggravating or mitigating factors – the other consequential issues arising from infringement, including financial concerns.

Sustainable steps in GDPR compliance

1. Scan all your data sources. Access each data source and investigate if personal data is stored in these sources. You must have full knowledge of the specific whereabouts of personal data.
2. After determining the sources, identify if personal data is existent. These are commonly found in semistructured fields. Parse the fields to extract and catalog personal data like names and email addresses if possible. You can tap the right tools for high data volume to be more efficient.
3. Educate the whole organization. The whole organization must have an in-depth understanding of GDPR compliance. Start by defining personal data and why it should be shared across the organization. Ensure proper documentation, accountability, and privacy rule. Create a transparent and lawful method for processing data.
4. Assign a data protection officer and review your existing data protection policies. Assess each item in your organization’s data protection drive and align it with the principles of GDPR compliance.
5. Establish the appropriate level of data protection. There are three techniques you can choose: encryption (scrambling readable text), pseudonymization (using pseudonyms or identifiers), and anonymization (irreversibly altering data). You must apply the proper technique depending on the data subject’s rights.

Are web cookies subject to GDPR compliance?

When you browse websites, they place small text files called “cookies” on your device. Cookies in themselves are harmless and do not possess a serious threat. However, since they can store data, it’s possible to identify you without your consent.

With a high data storage capacity, cookies are subject to GDPR. Cookies can be classified according to their purpose, duration, and provenance.

Conclusion

It can’t be denied that the GDPR is one of the stiffest data privacy laws. Well, this is imperative so that organizations can collect, handle and produce the data of EU citizens. GDPR compliance is not an option but a sacred duty to protect the rights of individuals.

---

Got a question? We’re happy to help! Click here.