GDPR in a nutshell
The General Data Protection Regulation (GDPR) is the most significant and toughest privacy law introduced anywhere in the world. Although it was drafted in 2016, it was brought into effect by the European Union (EU) on 25 May 2018. It comprises 99 individual articles organized into 11 chapters. The regulation imposes obligations on organizations both inside and outside the EU that process the personal data of EU citizens. This article focuses on some key areas of the GDPR that matter to organizations.
In the 40 years since the Internet came into existence, it has transformed our lives in ways we could not have imagined. With the emergence of new technologies and the possibilities they open up, a review of the existing laws was needed. In 1950, the European Convention on Human Rights pinpointed the need to protect the right to privacy, and this served as the foundation for the EU to protect that right through appropriate legislation. Previously, the European law governing data protection was the Data Protection Directive of 1995. It has now been replaced by the GDPR, which is recognized all over the world.
The GDPR applies to all organizations and entities that process personal data belonging to EU citizens and residents, whether automatically or manually, and whether or not they are established in the EU. The principles of the GDPR apply to every kind of operation and activity that collects or processes personal data. There are, however, some exemptions for private individuals and for freedom of information and expression.
Application of GDPR outside Europe
A non-EU organization must comply with the GDPR if it:
Offers goods or services
The GDPR regulators determine whether or not the organization set out to offer goods or services to residents of the EU. Simply making a website available that EU citizens can easily access is not enough; services must be provided and/or goods offered to people in the EU through that site.
Monitors their behavior
If an organization uses web tools that track cookies or the IP addresses of people in the EU who visit its website, it has to comply with the GDPR. Monitoring behavior includes not just online tracking but also the use of profiling techniques to predict a person's preferences.
Exceptions to the rule
The GDPR does not apply to natural persons processing and storing data to carry out an activity of a purely private nature or one connected with their own household.
For example, a person collecting email addresses to organize a trip with work colleagues does not have to comply with the GDPR, whereas a person who gathers email addresses to hold a fundraiser must comply.
Organizations with fewer than 250 employees, including small and medium-sized enterprises (SMEs), are not wholly exempt from the GDPR, but in most cases are relieved of the record-keeping obligation under Article 30(5) of the GDPR.
Some important terms under GDPR are:
- Personal Data
Any information relating to an identified natural person, such as a name, ID number, location data, an online identifier, or factors specific to their physical, genetic, economic or social identity, is personal data.
- Data processing
Any operation performed on personal data, including collecting, storing, organizing, altering, retrieving, disclosing, using and erasing the personal data of an identified natural person.
- Data controller
The persons who make the decisions about data processing activities are the data controllers. They are in complete charge of, and responsible for, the processing. A controller can be a company, any other legal entity, or an individual. Some controllers are under a statutory obligation as per Section 6(2) of the Data Protection Act 2018.
- Data Processor
A natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. A processor should only process personal data in line with the controller's instructions and within the law regulating it.
Seven principles are outlined in Article 5 of the GDPR.
- Lawfulness, fairness and transparency
- The data must be processed in a lawful, fair and transparent manner.
- The user should have given his/her consent.
- Alternatively, there is a legal obligation or legal interest behind collecting the data.
- The organization should be open and honest with data subjects and shall act fairly.
- Purpose limitation
This principle sets boundaries on using data for specific activities. The purpose of the data processing must be clearly stated to individuals through a privacy notice. If the collected data is later to be used for a new purpose beyond the original one, consent must be obtained from the user again.
- Data minimization
Only the minimum amount of data needed for the stated requirement and purpose should be collected. For example, if an entity wants to gather subscribers and inform them of the latest offers, it should ask only for an email address.
- Accuracy
Data must be kept accurate, with regular checks to correct, update or erase incomplete and incorrect data.
- Storage limitation
The organization must justify how long it stores personal data. A data retention period is needed to establish the storage limitation policy; it sets a standard period after which the stored personal data must no longer be used.
- Integrity and confidentiality (Security)
The GDPR requires the organization to maintain the confidentiality of the data it collects and stores, and to give users assurance that their data is secure. Organizations must safeguard the data from unauthorized and unlawful processing; it must not be stolen or used in a way that causes damage to users.
- Accountability
An organization should maintain proper records as proof of its compliance with the GDPR, and must be able to demonstrate that it adheres to the principles above.
The data protection authorities can levy fines of up to 20 million euros or 4% of global turnover (whichever is higher) on organizations and companies that fail to comply with the GDPR.
Some of the biggest fines recorded to date are:
Meta (Ireland) – 405 million Euros
Meta was fined because Instagram violated the privacy of children by publishing their email IDs and phone numbers. The social media platform had allowed children aged 13 to 17 to use business accounts.
Google – 10 million Euros
Google had unlawfully disclosed the personal data of its users to an independent third party for a research project.
Any individual's personal data is an asset. If it gets into the wrong hands, it jeopardizes that individual's rights. The GDPR and related data privacy rules and regulations were created to give users assurance and to safeguard their personal data. They also caution and limit the organizations that collect and store personal data in how they process it.