Consumers have the right to data privacy, which places a heavy burden on companies handling their data. In the EU member states, particularly, this means serious business. If your site involves information on people in the EU, then you are most likely required to comply with GDPR. A daunting task like this is a major challenge to organizations.
Today, we will define GDPR, the reasons for its importance, the specific data relevant to its regulations, and the entities responsible for overseeing its compliance.
What is GDPR?
GDPR stands for General Data Protection Regulation, which imposes the standards in the collection and processing of data about people in the European Union (EU) and the European Economic Area (EEA). The regulation was first adopted in April 2016 and eventually launched into full effect in May 2018.
The prime directive of the GDPR for sites is to give EU visitors a full data disclosure. Therefore, even if the site does not specifically offer the products and services to EU residents, as long as it attracts European visitors, it must comply accordingly.
|According to the EU, GDPR was established to “harmonize” the data privacy laws in the business.|
What data is protected by GDPR?
Only data qualified as “personal data” can be protected by GDPR. In Article 4, personal data is a comprehensive term that includes any information identifiable to a natural person.
Data subjects can be identified directly or indirectly through identifiers like name, identification number, location, or any identifier that can link to the subject physically, physiologically, genetically, mentally, commercially, culturally, or socially. Hence, personal data includes the following:
- Identity information
- Web data
- Biometric data
- Health and genetic data
- Political opinions
Take note that according to the law, data subjects must be natural persons. Meaning, data protection only applies to personalities and not entities like foundations, corporations, and institutions. The person gains this protection by birth and loses it upon death.
What are the lawful purposes for processing personal data?
Personal data must not be processed unless the subject data gave informed consent. Below are the legal bases for processing personal data according to Article 6:
- If the data subject has duly provided consent in processing his or her data
- To comply with the data subject’s contractual obligations
- To fulfill the legal obligations of a data controller
- To protect the data subject’s vital interests
- To execute a task in the public interest
- For the lawful interests of a third party or data controller, unless these are overridden by the data subject’s interests
The consent must be fluff-free and unambiguous, showing affirmation by the data subject. Data subjects can withdraw this consent at any given time.
Who is responsible for GDPR compliance?
To ensure compliance with GDPR, you need to define these roles at the onset: data controller, data processor, and data protection officer (DPO).
What is a data subject? Data subjects are people to whom personal information is collected and processed by an organization. Data controller
The data controller assumes the biggest role in protecting private data and the rights of the data subject. This entity defines the methods and reasons for processing data. The data controller can process the collected using its processes and resources.
In some scenarios, the data controller can work with a third-party service provider in processing the data gathered. Nevertheless, the data controller should not leave the data to a third party.
Data processors are the third-party groups mentioned earlier. They are internal or external groups that process any data given to them by the data controller. The manner of control is bound to the instructions of the data controller.
Data protection officer
The DPO is responsible for overseeing the data security strategy and GDPR compliance. Every business or organization processing the personal data of EU citizens must have a DPO.
What are the rights of the data subject?
As owners of the data, data subjects are granted rights by the GDPR, which can be exercised under certain conditions. Here are the 8 rights given to them:
1. The right to access (Article 15)
The data subject has the right to know how the data is collected and processed. This obliges the data controller to give the data subjects a copy of those processed data.
There is no standard format for requesting processed data, so the data subject can simply make a verbal or written request. The latter is more preferred to avoid future disputes over details.
2. The right to rectification (Article 16)
The data reflects information specifically identified to the data subject. Thus, if there are any inaccuracies in the personal data, the individuals have the right to rectify them. When an inaccuracy surfaces, the document controller should immediately effect the rectification.
3. The right to restriction of processing (Article 18)
As an alternative to the right to erasure, this right gives individuals the privilege to control how data is being processed. The individual has to provide reasons for limiting the use of this data under certain circumstances.
Examples of these circumstances are as follows:
- The data subject is still contesting the accuracy of the data and requesting verification.
- There is unlawful processing of the data.
- The data is not needed for processing anymore but the data subject is requesting safekeeping.
- The data subject objects to the controller’s processing.
4. The right to erasure or to be forgotten (Article 17)
This is the right granted to data subjects to ask organizations for data deletion without delay. This right, however, has to be exercised in the appropriate circumstances. Article 17 discusses the specific circumstances where this right is applicable and an organization’s right to process data.
For example, the right to be forgotten only applies if the data is no longer used by the organization, or an organization is processing the individual’s data unlawfully. On the other hand, the organization can override the right to be forgotten if, for example, the data is used to exercise freedom of expression or to comply with a legal ruling.
5. The right to data portability (Article 20)
Data subjects have the right to obtain their data from the controller and use it for other purposes. As owners of the data, they are free to store data and transmit it to another data controller.
6. The right to be informed (Article 13 and 14)
This right requires total transparency of data processing transactions to the data subject. The organization should provide the individual with information including the reasons for processing data, retention periods, and recipients of the said data.
7. The right to object (Article 21)
At any given time, the data subject has the right to object to the use of personal data, unless the controller has legal grounds for overriding this objection. The data subject can object if the organization uses the data for any of the following reasons:
- For tasks conducted for public interest
- For exercising official authority
- For legal interests
- For scientific, statistical, or historical reasons
- For direct marketing reasons
8. The right not to be subject to a decision based merely on solely automated processing (Article 22)
‘Solely automated’ means that there’s no human intervention during the decision-making process. The process is still considered automated if data entry is done manually and the processing is automated.
What are the 7 data protection principles?
In processing data, you have to abide by the following GDPR principles:
1. Lawfulness, transparency, and fairness
Processing data must be according to law and transparent to the owner of the data. Transparency means that all information regarding personal data must be comprehensible and accessible.
2. Purpose limitation
Processing data should be within legitimate purposes and not beyond these purposes. This, however, excludes purposes of public interest and historical, statistical, or scientific purposes.
3. Data minimization
Data collected and processed should be the only ones as specified in the purposes – no more no less.
Data collected must be accurate and updated. As discussed earlier, inaccurate data must be deleted or rectified without delay.
5. Storage limitation
Store only the data for the duration necessary for the specified purpose. As long as the data keeps serving its purpose, storing it for a long period is allowed.
6. Integrity and confidentiality
Processing must be done securely and confidentially. Organizations must implement technical measures to comply with this requirement.
The data controller must assume responsibility for ensuring all these principles are adhered to.
Sanctions and penalties
Did you know that violating GDPR laws can result in hefty penalties? Yes, even prominent companies like Amazon, Google, and H&M, have been fined millions of dollars for committing these violations.
Generally, there are two tiers of GDPR fines: less severed infringements and serious infringements.
Less severe infringements are fined up to €10 million or 2% of the company’s global revenue of the previous financial year, whichever is higher. These violations can be found in the following sections:
- Controllers and process (Articles 8, 11, 25-39, 42, & 43)
- Certification bodies (Articles 42 & 43)
- Monitoring bodies (Article 41)
Serious infringements, on the other hand, are heavy violations in preserving the right to privacy. These infringements can result in fines of more than €10 million or 4% of the company’s global revenue of the previous financial year, whichever is higher. These include violations for the articles that govern:
- The basic principles for processing (Articles 5, 6, & 9)
- The conditions for consent (Article 7)
- The data subject’s rights (Articles 12-22)
- The transfer of data to an international organization (Articles 44-49)
Fines are regulated by the data protection regulator in each country. These are the ten criteria in qualifying fines:
- Gravity and nature – fact-checking if there was an infringement, the events that occurred, how they happened, and the reason for their occurrence.
- Intention – whether the infringement was deliberate or mere negligence.
- Mitigation – the efforts made by the company to mitigate the damages inflicted to people.
- Precautionary measures – the technical measures that the organization has implemented beforehand to comply with GDPR standards.
- History – any history of infringements and how the company implemented corresponding corrective actions.
- Cooperator – whether the organization communicated with the supervisory authority in solving the infringement.
- Data Category – the type of data affected.
- Notification – whether the company immediately notified or alerted the supervisory authority regarding the infringement.
- Certification – whether the company was previously certified or observed proper codes of conduct.
- Aggravating or mitigating factors – the other consequential issues arising from infringement, including financial concerns.
Sustainable steps in GDPR compliance
- Scan all your data sources. Access each data source and investigate if there is personal data stored in these sources. You must have full knowledge of the specific whereabouts of personal data.
- After determining the sources, identify if personal data is existent. These are commonly found in semistructured fields. If possible, parse the fields to extract and catalog personal data like names and email addresses. For high data volume, you can tap the right tools to be more efficient.
- Educate the whole organization. The whole organization must have an in-depth understanding of GDPR compliance. Start by defining what personal data means and why it should be shared across the organization. Ensure proper documentation, accountability, and privacy rule. Create a transparent and lawful method for processing data.
- Assign a data protection officer and review your existing data protection policies. Assess each item in your organization’s data protection drive and align it with the principles of GDPR compliance.
- Establish the appropriate level of data protection. There are three techniques you can choose: encryption (scrambling readable text), pseudonymization (using pseudonyms or identifiers), and anonymization (irreversibly altering data). You must apply the proper technique depending on the data subject’s rights.
Are web cookies subject to GDPR compliance?
When you browse websites, they will place small text files called “cookies” on your device. Cookies in themselves are harmless and do not possess a serious threat. However, since they can store data, it’s possible to identify you without your consent.
With a high data storage capacity, cookies are subject to GDPR. Cookies can be classified according to their purpose, duration, and provenance.
It can’t be denied that the GDPR is one of the stiffest data privacy laws. Well, this is imperative so that organizations can collect, handle and produce the data of EU citizens. GDPR compliance is not an option but a sacred duty to protect the rights of individuals.
Got a question? We’re happy to help! Click here.