What is GDPR, the EU’s data protection law?
Almost every interaction a person has with an organization involves the exchange of personal information. This could be a name, an address, or even the way a website is navigated by using cookies.
This transfer of information certainly makes life easier; however, it requires the organization to collect and process the data to do so with safeguards in place for its protection and security. Data protection legislation, such as the GDPR, ensures that when data is shared, it is used in a legal manner.
GDPR is EU’s data protection law but some non-EU countries have adopted it too
The GDPR is a critical component of EU privacy law as well as human rights law. The General Data Protection Regulation (GDPR) is a piece of legislation that updates and unifies data privacy laws throughout the European Union (EU). On April 14, 2016, the European Parliament approved GDPR, which went into effect on May 25, 2018.
Many other countries, including Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, and Kenya, adopted the regulation as a model. Despite no longer being an EU member state, the United Kingdom retains the law in its current form as of 2021. The California Consumer Privacy Act (CCPA), which went into effect on June 28, 2018, shares many similarities with the GDPR.
The Principles of GDRP
The GDPR 2016 is divided into eleven chapters that cover general provisions, principles, data subject rights, data controller or processor duties, transfers of personal data to third countries, supervisory authorities, member state cooperation, remedies, liability or penalties for breach of rights, and miscellaneous final provisions.
Personal data cannot be processed unless at least one legal basis exists. According to Article 6, the lawful purposes are:
- If the data subject has given consent to the processing of his or her personal data;
- To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
- To comply with a data controller’s legal obligations;
- To protect the vital interests of a data subject or another individual;
- To perform a task in the public interest or in official authority;
- For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children)
Furthermore, companies that process data or monitor data subjects on a large scale must appoint a data protection officer (DPO). The DPO is the person in charge of data governance and ensuring that the company complies with GDRP. If a company fails to comply with the GDPR, it may face fines of up to 20 million euros ($24.26 million) or 4% of annual global turnover. Furthermore, the individual in this role is accountable for ensuring that appropriate data protection principles are applied to the maintenance of personal data.
What data does GDPR protect?
Users must give their permission to any company or organization that wants to collect and use their personal information. Personal data, as defined by the GDPR, is information relating to “an identified or identifiable natural person” – referred to as a “data subject.”
Personal data may contain the following types of information:
- Identification number
- Location data
- Any information that is specific to “the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
- Biometric data that is acquired through some form of technical process, such as facial imaging or fingerprinting
- Information related to a person’s health or healthcare
- Racial or ethnic information of an individual
- Political opinions or religious beliefs
- Union membership
Procedures to ensure GDPR compliance
The GDPR describes the expected outcomes of good and responsible data management, but it does not specify any technical measures that data collectors must employ to achieve that goal.
Some best practices for ensuring GDPR compliance include:
- Always request permission before collecting personal information; data subjects must be willing participants.
- Only collect what you truly require; organizations will be held accountable for all data collected, whether or not it is used.
- Unless users have agreed and supervisory authorities have approved the transaction, do not share data with other entities.
- Encrypt all personal data, both in transit and at rest.
- Maintain at least two current and secure backup copies of all personal data in two separate off-site locations.
- Have the ability to easily edit or delete specific personal data items, as well as verify and document the actions.