A Complete Guide to General Data Protection Regulation (GDPR)

What is GDPR?

General Data Protection Regulation, or GDPR, is the EU’s core data protection and privacy legislation. It is a set of rules designed to give individuals in the EU more control over their personal data, and it creates a single regulatory framework so that the digital economy can work for both citizens and businesses in the region. The GDPR came into effect on 25 May 2018 and applies directly in every EU member state (and, through the EEA agreement, in Iceland, Liechtenstein and Norway).

What is GDPR compliance?

Under the GDPR, organizations must ensure that personal data is collected and processed lawfully, fairly and for specified purposes. The data they hold must be protected from misuse, loss and unauthorized access, and the rights of the individuals the data describes (the “data subjects”) must be respected. Non-compliance can lead to enforcement action and financial penalties.

To whom does GDPR apply?

It applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour (for example through website tracking). In practice, this means that most companies with a customer base in Europe need a GDPR compliance strategy, regardless of where they are headquartered.

The legislation divides the handlers into two: Processors and Controllers.

  • Controller: the person, public authority, agency or other body that determines the purposes and means of the processing of personal data.
  • Processor: the person, public authority, agency or other body that processes personal data on the controller’s behalf.

The primary responsibility under the GDPR lies with the controller, which must be able to demonstrate that its processing complies with the regulation. Processors also carry direct obligations of their own, including keeping records of their processing activities, implementing appropriate security measures, and notifying the controller without undue delay when they become aware of a personal data breach, so a processor that is breached faces real legal exposure. Controllers must also ensure that every contract with a processor contains the terms the GDPR requires (Article 28), including instructions on what the processor may do with the data and an obligation to assist the controller with security and breach handling.

What is personal data?

Under the legislation, personal data is any information relating to an identified or identifiable natural person. Obvious identifiers such as a name or a postal address count, but so do photos, IP addresses, device identifiers, location data and online handles, because they can be combined with other data to single out an individual. Some types of personal data, such as genetic data, biometric data used to identify a person, health data, and data revealing racial or ethnic origin, political opinions, religious beliefs or sexual orientation, are treated as special categories and may only be processed under stricter conditions.

What does GDPR mean for businesses?

Harmonizing data protection law across the EU has brought benefits to businesses. The EU’s position is that one set of rules, together with a single lead supervisory authority for organizations operating in several member states (the “one-stop-shop” mechanism), makes it simpler and cheaper to operate across the region than the patchwork of national laws it replaced. It is also argued that clear rules and greater consumer trust encourage innovation and create business opportunities.

What does GDPR mean for consumers/citizens?

The GDPR gives individuals a right to be told when a breach of their personal data is likely to result in a high risk to their rights and freedoms, for example when credentials or financial details are exposed. Organizations must also notify the relevant supervisory authority of a breach unless the breach is unlikely to result in a risk to individuals.

Individuals also have the right to know how their personal data is processed and to obtain a copy of it (the right of access), to have inaccurate data corrected, to have it erased in certain circumstances (the “right to be forgotten”), and to object to processing such as direct marketing. When an individual makes such a request, the organization must respond, generally within one month, with clear details of what data it holds and how it is being used.

What is a GDPR breach notification?

Under the GDPR, a personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. The controller must report a breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of first becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; if the report is late, the reasons for the delay must be given. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay, in clear and plain language, describing the nature of the breach, the likely consequences, and the measures taken or recommended. This is normally a direct notification to each affected person, but where that would involve disproportionate effort a public communication that informs them equally effectively is acceptable. A processor that discovers a breach must notify its controller without undue delay so that the controller can meet these deadlines.

What are the penalties for not complying with GDPR?

If a business fails to comply with the GDPR, it can face administrative fines. These fall into two tiers, each capped at a fixed amount or a percentage of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher. For the largest companies the percentage-based cap can run into billions of euros. The actual fine is set by the supervisory authority and depends on factors such as the nature and gravity of the infringement, whether it was intentional or negligent, the measures taken to mitigate it, and the degree of cooperation with the regulator.

A maximum fine of 20 million euros or 4% of global turnover, whichever is higher, applies to the most serious infringements, including:

  • breaches of the basic principles for processing, including the conditions for valid consent
  • infringements of the rights of the data subject, such as ignoring a subject access request
  • unlawful international transfers of personal data to countries outside the EU
  • failure to comply with an order or a processing limitation imposed by a supervisory authority

A lower maximum fine of 10 million euros or 2% of global turnover, whichever is higher, applies to breaches of the obligations placed on controllers and processors, such as:

  • failure to report a data breach to the supervisory authority or to affected individuals when required
  • failure to build data protection into a project from the start (data protection by design and by default) or to implement appropriate security measures
  • failure to keep records of processing activities, to carry out a required data protection impact assessment, or to appoint a data protection officer where one is required

Some of the largest technology companies, including Facebook, have felt the bite of the GDPR. Facebook publicly attributed a decline in European users and slower growth in its European advertising revenue to the regulation. Organizations of all sizes have been affected to some extent: some companies reported that the number of contacts they could lawfully market to by email and other channels fell by 25% to 40%, and many have changed where and how they store and process personal data in order to keep serving consumers in the region and generating revenue from them.

Many jurisdictions around the world have taken cues from the GDPR and launched their own data protection legislation. The State of California enacted the California Consumer Privacy Act (CCPA) in 2018, and it took effect on 1 January 2020. The CCPA, like the GDPR, gives individuals a greater say over how their personal data is collected, used and sold.