All Compliance Standards Under One Umbrella
On the 25th of May 2018, there was a significant reform in Europe’s digital privacy laws. After much preparation, the GDPR was enforced. The reform has since enabled Europe to be ‘fit’ for this digital age. The GDPR was adopted in 2016, and a two-year window was given to businesses to be GDPR compliant. The law replaces outdated data protection laws from the 1990s. So, you must be having a question. What is GDPR?
What is GDPR?
The GDPR can be considered the world’s most robust law on data protection. The General Data Protection Regulation (GDPR) 2016/679 is legislation that specifies the regulation of data privacy and protection in the European Union (EU) and the European Economic Area (EEA). The provisions of the GDPR are consistent across all 28 EU member states, which means every organization around the world which has a business in the European Union or handles data of EU residents should be GDPR compliant.
The European Union says that the GDPR was designed to “harmonize” data privacy laws across all its member states and provide greater protection and rights to individuals. GDPR was also created to alter how businesses and other organizations can handle the information of their users. The law also slaps large fines and can cause significant reputational damage to those found in breach of the rules.
Why does GDPR exist?
The short answer to that question is the rising public concern over privacy. In general, Europe has had a history of strict rules on how companies can use EU residents’ data. Before the digital age set in, the Data Protection Directive came into effect in the EU in 1995. The GDPR replaces this and builds on the outdated law to deal with technology’s progress in recent decades. With the progress in technology, more data was produced, and there was a rising skepticism among people on how it was used and who had access to it. This skepticism only keeps rising after every high-profile data breach.
According to the RSA Data Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK, and the US, 80% of consumers said lost banking, and financial data is a top concern. Furthermore, and specifically, lost security information (e.g., passwords) and identity information (e.g., passports or driving licenses) were cited as a significant concern among 76% of the respondents. What is even more important is that 62% of people mentioned that they would blame the company for a breach and not the hacker, while 72% of respondents from the US said that they would boycott a company in such a case. These statistics are enough for the GDPR to exist.
What kind of data does the GDPR protect?
At the heart of GDPR is personal data privacy and protection. To be very specific, this is the information that allows a living person to be directly or indirectly identified from any available data. It can be obvious as a person’s name or location data or something less apparent like an IP address, RFID tags, and cookie identifiers. This can be considered personal data.
There are also provisions in the GDPR for a few special categories of sensitive personal data given greater protection. This personal data includes information about racial and ethnic origin, political opinions, religious beliefs, biometric data, health information, sexual orientation data, and trade union membership.
Personal data is crucial under GDPR because it covers individuals, organizations, and companies that are either ‘controllers’ or ‘processors.’ I will cover these terms next.
The GDPR applies to ‘controllers’ and ‘processors.’ Their roles and responsibilities are specified in Chapter 4 of the GDPR, from Articles 24 to 43.
- Collect or process personal data.
- Decide what personal data should be collected and how it should be processed.
- Decide which individuals to collect personal data about.
- Obtain a commercial gain or other benefits from the processing, except for any payment for another controller’s services.
- Process the personal data because of a contract between you and the data subject.
- Data subjects are your employees.
- Have complete independence as to how the personal data is processed.
A processor is responsible for processing personal data on behalf of a controller. Processors act either on behalf of or on the instructions of the relevant controller. You are a processor if you do any or all of the following:
- Are you following instructions from someone else regarding the processing of personal data?
- Were given the personal data by a customer or a third party or told what data to collect.
- Do not decide to collect personal data or what personal data should be collected from individuals.
- Do not decide the lawful basis for the use of that data.
- Do not decide what purpose or purposes the data will be used for.
- Do not decide whether to disclose the data or to whom.
- Do not know how long you will retain the data.
- Are not interested in the result of the data.
- Make some decisions on how data is processed but implement these decisions under a contract with someone else.
A processor has some specific legal obligations as per the GDPR. For example, processors should maintain records of personal data and processing activities. They will have legal liability if you are responsible for a breach.
Controllers have stricter obligations under GDPR than processors.
Seven Principles of GDPR
- Lawfulness, fairness, and transparency: Lawfulness includes identifying an appropriate lawful basis (or bases) for data processing. In case a business is processing special category data or criminal offense data, there are specific terms and conditions. Furthermore, nothing unlawful should be done with personal data. Fairness includes because how the processing may affect the individuals concerned. The business should handle people’s data in ways they would reasonably expect or should be able to explain any unexpected processing. They should also not mislead people when they collect their data. Transparency ensures that the business is open and honest and complies with the transparency obligations of the right to be informed
- Purpose limitation: Businesses should identify their purposes for processing and document them. They should also include details of their purposes in their privacy information for individuals.
- Data minimization: Businesses must ensure the personal data they are processing is:
- adequate – sufficient to properly fulfill their purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – they do not hold more than they need for that purpose.
- Accuracy: The personal data should be accurate and up to date.
- Storage limitation: Personal data should not be kept for longer than needed. Businesses should think about and be able to justify how long they will keep personal data. This will depend on their purposes for holding the data. Businesses should also have a policy setting the standard retention periods wherever possible to comply with documentation requirements. Furthermore, they should periodically review the data they hold and erase or anonymize it when they no longer need it. Lastly, they can keep personal data for longer if they keep it for public interest archiving, scientific or historical research, or statistical purposes.
- Integrity and Confidentiality: Businesses must ensure that the data they have is protected and appropriate security measures are in place.
- Accountability: The accountability principle requires businesses to take up responsibility for their personal data and comply with other principles. They must have appropriate measures and records in place to be able to demonstrate their compliance.
Rights of an individual according to the GDPR
Which companies does the GDPR affect?
GDPR affects any company that stores, processes, or handles in any capacity, personal information about EU citizens. This law is also applicable to companies that do not have a business presence within the European Union but handle EU residents’ data. In short, if your company falls in any of the below categories, you must be GDPR compliant.
- Have a presence in an EU country.
- Do not have a presence in the EU, but process personal data of European residents.
- Have more than 250 employees.
- Have less than 250 employees but data-processing impacts data subjects’ rights and freedoms and includes sensitive personal data.
In short, every company in the world should be GDPR compliant.
What are the penalties?
In July 2019, British Airways was fined €204,6 million by the ICO for violating article 31 of the GDPR. In September 2018, an incident occurred when the British Airways website diverted users’ traffic to a hacker website, which resulted in hackers stealing the personal data of more than 500,000 customers. Other examples include Marriott International in July 2019, which was fined €110 million, and even Google, which was fined €50 million in January 2019.
There are two levels of GDPR fines
- The lower level is up to €10 million, or 2% of the worldwide annual revenue from the previous year, whichever is higher, and
- The upper level is twice that size or €20 million and 4% of the worldwide annual revenue.