If you work in data protection or are just active online, you’ll likely have heard of GDPR. Drafted and passed by the EU, it is the most stringent privacy and security law worldwide. However, GDPR isn’t exclusively related to EU countries: it imposes obligations on organisations anywhere in the world if they find themselves in possession of data from EU citizens.
That’s why it’s so important to ensure your business is GDPR compliant.
Here we’ll explain what exactly GDPR is and its important implications, including consent, compliance, and personal data.
What is GDPR?
The General Data Protection Regulation (GDPR) is the legal framework guiding the collection and processing of the personal data of residents of the European Union (EU). The framework was first adopted in April 2016 but did not come into full effect until May 2018.
GDPR is the toughest privacy and security law worldwide. That’s because a website is still liable under GDPR even if it doesn’t market goods or services to EU residents specifically. Any site that attracts European visitors is affected.
Why was GDPR implemented?
Europeans have long held privacy a necessary right. That’s why, in the 1950 European Convention on Human Rights, it was codified that “Everyone has the right to respect for his private and family life, his home and his correspondence.”
Yet, the convention became overshadowed by technological advancement.
In 1995, therefore, the EU passed the European Data Protection Directive to establish minimum data privacy and security standards. Using these standards, each member state would then draft its own legislation.
What the standards failed to appreciate was the sheer scale of personal data collection. What was needed was a way to ensure public consent, fundamental to EU attitudes on privacy – so the EU returned to the drawing board.
With ever more of our personal data found online, the EU moved to robustly increase the protection of EU citizens. Concerns were raised about the limited regional scope of former legislative initiatives, despite the global reach of the online sphere. Therefore, EU legislators proposed regulation with truly global reach.
The result was GDPR.
What are the principles of GDPR?
Under GDPR, seven broad principles were outlined. These include:
- Lawfulness, fairness, and transparency. All data collection must be lawful, fair, and transparent to the individual.
- Purpose limitation. Data collection should be restricted only to essential purposes.
- Data minimization. No irrelevant personal data is collected – it must pertain to the stated purpose.
- Accuracy. Personal data must be accurate and up-to-date.
- Storage limitation. Personal data may only be stored for as long as needed for the stated purpose.
- Integrity and confidentiality. Personal data consented to for collection must be kept safe and secure.
- Accountability. The data controller must demonstrate how they are compliant with GDPR.
Privacy rights and GDPR
In addition to the seven principles, GDPR also recognizes many privacy rights for data subjects. The fundamental goal is to give users more control and access to their personal data. Thus, personal data is no longer owned by the organizations but merely loaned for a time.
The privacy rights for data subjects include:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What are the requirements under GDPR?
Have you noticed those cookie boxes on a website? That’s the result of GDPR. They were implemented because, to be GDPR compliant, customers must explicitly consent to any information-gathering. Since “cookies” are small files of personal data, they fall under its remit.
That isn’t all of the GDPR requirements, however.
Following a data breach, sites must inform any visitors promptly if their personal data is affected. They will need to do this, even if their local legislation is not as strict.
Moreover, organizations must conduct a data security review to ensure compliance, and evaluate whether a dedicated data protection officer (DPO) is necessary. Site users must also be able to contact the data controller and ask for their personal data to be erased.
Finally, all personally identifiable information (PII) must be anonymized; merely gaining consent is not enough. Pseudonymization is also permitted, where a pseudonym replaces a consumer’s identity. That allows data controllers to still conduct data analysis without jeopardizing user privacy.
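The following is an added example, not code from the original article, showing the pseudonymization the paragraph describes: a direct identifier (an e-mail address) is replaced by a keyed HMAC pseudonym, analysis runs on the pseudonymized records, and only the party holding the separately stored key can link a pseudonym back to a person. It also shows the failure mode a reviewer should look for: an unkeyed hash of an identifier looks opaque but can be rebuilt by anyone who hashes a list of guessed addresses. The records and key are constructed for the example; the function names are assumptions. Under GDPR, pseudonymized data remains personal data, because the key is "additional information" that can re-attribute it, so the key must be kept separately and protected.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictional people) for the example.
# The analyst needs per-user counts but never needs the address itself.
RECORDS = [
    {"email": "alice@example.com", "page": "/pricing"},
    {"email": "bob@example.com", "page": "/pricing"},
    {"email": "Alice@Example.com", "page": "/docs"},
    {"email": "alice@example.com", "page": "/pricing"},
]


def new_key() -> bytes:
    # The pseudonymization key is the "additional information" that allows
    # re-identification; store it separately from the pseudonymized dataset.
    return secrets.token_bytes(32)


def normalize(identifier: str) -> str:
    # Case and whitespace differences must not produce different pseudonyms.
    return identifier.strip().lower()


def pseudonymize(identifier: str, key: bytes) -> str:
    # Keyed HMAC-SHA256: without the key nobody can recompute the pseudonym
    # from a guessed identifier, so the table cannot be rebuilt offline.
    digest = hmac.new(key, normalize(identifier).encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def naive_pseudonym(identifier: str) -> str:
    # Anti-pattern: an unkeyed hash. Anyone holding a candidate list can hash
    # each entry and match it, so this is not an effective pseudonym.
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()[:32]


def pseudonymize_records(records, key: bytes):
    # Replace the direct identifier with its pseudonym; keep the analytic fields.
    return [{"user": pseudonymize(r["email"], key), "page": r["page"]} for r in records]


def visits_per_user(pseudonymized_records) -> Counter:
    # Analysis works on pseudonyms exactly as it would on raw identifiers.
    return Counter(r["user"] for r in pseudonymized_records)


def reidentify(pseudonym: str, key: bytes, known_identifiers):
    # Only the key holder, who also has a list of the real identifiers,
    # can map a pseudonym back to a data subject (e.g. for an erasure request).
    for ident in known_identifiers:
        if hmac.compare_digest(pseudonymize(ident, key), pseudonym):
            return normalize(ident)
    return None


def guessable_without_key(pseudonym: str, candidate_identifiers) -> bool:
    # Models a third party trying to match a pseudonym against guessed
    # addresses with no key: succeeds for the naive scheme, fails for HMAC.
    return any(naive_pseudonym(c) == pseudonym for c in candidate_identifiers)


if __name__ == "__main__":
    key = new_key()
    table = pseudonymize_records(RECORDS, key)
    for user, n in visits_per_user(table).items():
        print(user, n)
```

The erasure right mentioned later on this page is where the key matters operationally: the controller looks up the pseudonym for the requesting user with `reidentify` (or recomputes it directly with `pseudonymize`), deletes those rows, and the rest of the analytic dataset is untouched.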
What happens if you’re not GDPR compliant?
Suppose you fail to gain explicit consent for personal data collection. You’re no longer GDPR compliant.
So, what happens?
In most cases, serious breaches of GDPR will result in hefty fines – up to £17,000,000. However, in some cases, GDPR enforcement regulators may not fine the business but merely require action from the site owner.
That may sound better – however, it can still significantly tarnish your business’s reputation, leading to a loss of customers.
Either way, failure to be GDPR compliant can and does sink businesses. Most do not have the necessary funds to pay the eye-watering fines, nor can they absorb the loss of business.
That’s led to some severe criticism of GDPR. Critics argue it has created an undue administrative burden. There is also concern that, on the one hand, the guidelines are too vague for certain areas, e.g., employee data. On the other hand, there’s a worry that the legislative burden will continue to increase over time, further hampering online businesses.
Whatever your opinion of GDPR, it’s here to stay. With almost every significant online business affected, it’s essential to know the ins and outs of GDPR to stay compliant.
If you believe you are affected by GDPR, we wholly recommend reading the 88-page regulation itself.