The General Data Protection Regulation, or GDPR, is a law that originated in the European Union (EU) and took effect on May 25, 2018.
It was designed to harmonize data privacy laws across all EU member states and to reshape how organizations worldwide approach data privacy.
The GDPR replaced the previous EU Data Protection Directive of 1995.
The key element of the GDPR is that it is built around the principle of privacy by default and by design. It requires organizations to handle personal data responsibly and transparently, providing individuals with significant control over their own information.
The GDPR applies to any business or organization worldwide that processes the personal data of EU residents.
Why Do We Need GDPR?
Before the GDPR, there was a patchwork of data protection laws across the EU, each with its own interpretations and implementations. These discrepancies made it difficult for companies to comply and for citizens to understand their rights.
The GDPR sought to provide a uniform set of rules to simplify the regulatory environment and bolster data protection.
With the advent of technology and the internet, our lives have increasingly moved online. This digital shift has allowed organizations to gather vast amounts of data about us. Such data, when mishandled or misused, can lead to significant privacy breaches.
The GDPR aims to protect against such threats by empowering individuals to control how their personal data is used.
How Does GDPR Affect Me?
If you’re an individual residing in the EU, the GDPR provides you with several rights:
- Right to be Informed: Organizations must tell you what data is being collected, how it’s being used, how long it will be kept, and whether it will be shared with any third parties.
- Right to Access: You have the right to request access to the data collected from you.
- Right to Rectification: You can request to have inaccurate data amended.
- Right to Erasure (or ‘Right to be Forgotten’): In certain circumstances, you can request for your data to be deleted.
- Right to Restrict Processing: You can ask to restrict the processing of your data.
- Right to Data Portability: You can ask for your data to be transferred to another organization or to you directly.
- Right to Object: You can object to the processing of your data for certain purposes, such as direct marketing.
- Rights Related to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling.
If you’re a business, especially one operating within the EU or dealing with the personal data of EU citizens, you need to comply with these regulations or risk severe penalties. Businesses need to ensure they have adequate data handling and data protection measures in place.
- Table: GDPR Fines by Year (up to 2021)
Year Number of Fines Total Value of Fines (€) 2018 12 460,000 2019 190 417,000,000 2020 331 171,320,000 2021* 265 273,830,000
*Data for 2021 is up to September.
- Top 5 Countries by GDPR Fines (up to 2021)
Country Number of Fines Total Value of Fines (€) Italy 68 69,328,716 Germany 61 69,080,000 France 23 54,431,300 Spain 172 29,521,400 UK 23 44,221,000
- Top 5 Violations Resulting in Fines (up to 2021)
Violation Type Number of Fines Non-compliance with data subject rights 281 Insufficient legal basis for data processing 215 Insufficient technical and organizational measures to ensure data security 145 Non-compliance with general data processing principles 105 Data breach notification obligations 94
Please note that the numbers and fines are indicative and vary greatly by case. Also, the categories of violation types may differ slightly among sources.
How Can I Stay Safe and Compliant?
If you’re an individual, the key to staying safe is understanding your rights under GDPR and being proactive. Carefully read privacy policies and terms of service before sharing your personal data. Use the rights granted to you by the GDPR, such as the right to access, rectify, or erase your data.
If you’re a business, here are some steps you can take to comply with GDPR:
- Understand the Law: This might seem obvious, but understanding the nuances of the GDPR is crucial. Not all businesses are affected equally.
- Hire a Data Protection Officer (DPO): If you’re a public authority, or if your core activities require large-scale monitoring or processing of sensitive data, GDPR mandates the appointment of a DPO.
- Implement Data Protection by Design and Default: Incorporate data protection measures from the start of any system design, not as an addition.
- Conduct Data Protection Impact Assessments: If your business is involved in high-risk processing, you’re required to conduct a Data Protection Impact Assessment (DPIA).
- Maintain Documentation: Record your processing activities and maintain a clear policy on data retention periods.
- Be Prepared for Data Breaches: You must notify the appropriate supervisory authority of a data breach within 72 hours of becoming aware of it.
- Respect User Rights: Make sure systems are in place to respect the new user rights under GDPR, including the right to be forgotten and the right to data portability.
The GDPR is not just another regulation. It represents a shift in how we view and handle data privacy.
By understanding the principles behind it and your rights and responsibilities under it, you can make the most of this law, whether you’re an individual wanting to protect your personal information or a business seeking to respect and protect your customers’ data.
- Q: What types of personal data does the GDPR protect?A: The GDPR protects any information that can be used to directly or indirectly identify a person. This can range from names and email addresses to more complex data like IP addresses, genetic data, or even mental, economic, cultural, or social identity information.
- Q: Who does GDPR apply to?A: The GDPR applies to all EU-based organizations, whether commercial business, charity, or public authority, that collect, store, or process the data of EU residents. It also applies to non-EU organizations that offer goods or services to, or monitor the behavior of, EU residents.
- Q: What is ‘processing’ in the context of GDPR?A: ‘Processing’ refers to any operation performed on personal data. It includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- Q: What is the role of a Data Protection Officer (DPO)?A: A DPO ensures that an organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the GDPR. Their tasks include informing and advising the organization and its employees about their obligations, monitoring compliance, providing advice regarding data protection impact assessments, and cooperating with supervisory authorities.
- Q: What happens if a company doesn’t comply with the GDPR?A: Organizations can face hefty fines for GDPR non-compliance. These fines can be up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever is higher.
- Q: How does the ‘Right to be Forgotten’ work?A: The ‘Right to be Forgotten’ or the ‘Right to Erasure’ means that the data subject can request the deletion of their personal data from an organization’s records. The organization must comply unless there’s a legitimate reason for retaining the data, such as for compliance with a legal obligation or for reasons of public interest.
- Q: What is a Data Processing Agreement (DPA)?A: A DPA is a legally binding contract that states the rights and obligations of the data controller (the entity determining the purposes and means of processing data) and the data processor (the entity processing data on behalf of the controller) in terms of data processing. The GDPR requires a DPA whenever a data controller outsources data processing to an external data processor.
- Q: How does GDPR affect businesses outside of the EU?A: GDPR has a global reach. It applies to any organization, regardless of its location, that processes the personal data of EU residents. This means businesses outside the EU must also comply with GDPR if they offer goods or services to, or monitor the behavior of, EU residents.
I hope this deep-dive Q&A helps further your understanding of the GDPR.