An Overview of the General Data Protection Regulation (GDPR) and How It Affects You

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. This set of privacy laws protects the personal data of EU citizens and requires companies to disclose how they handle user information. The regulation applies to any company that handles the personal data of EU residents, no matter where the company is based, and non-compliance can result in hefty fines. The cyber security landscape has changed rapidly over the past few years, with an increasing number of cyber attacks and breaches reported almost every day. Companies are also increasingly aware of their responsibility for protecting customer data and other personally identifiable information (PII). This article covers why this law matters, how organizations around the world are affected by it, the rights of data subjects under it, and how organizations can ensure data protection under it.

What Exactly Is the General Data Protection Regulation?

The GDPR is currently the toughest data privacy and protection law in the world. Developed by the European Union (EU), its primary goal is to control how businesses around the world collect, use, and safeguard the personal data of European residents. After being approved by the European Parliament in April 2016, the GDPR replaced the earlier 1995 data protection directive. The 28 member states of the European Union have now ratified the regulation, giving the organizations it covers a single, consistent standard to meet and put into practice. The law was formulated to strengthen and protect the privacy rights of data subjects by giving them greater control over how their personal data is obtained, processed, and shared with other organizations.

The term “data subject” as used in this law refers to any living individual whose personal information is gathered, stored, or processed by an organization. Personal data can be any data related to a person, such as:

  • personal identification

  • location data

  • biometric, physical, physiological, genetic, or mental health data

  • economic, cultural, or religious sentiment data

  • social, political, or gender preference data and more.

GDPR was formulated with the aim of achieving three primary goals:

  1. Establishing and ensuring the protection of the basic privacy rights of data subjects in relation to their information: ensuring the security and confidentiality of the subject’s personal data, but also ensuring proper notice, the right to be forgotten, and much more.

  2. Unifying the privacy laws across the 28 individual European Union member states.

  3. Modernizing the privacy rules to take into account the changes that the technological environment has brought about for personal data over the past 25 years.

Why Is GDPR Important?

GDPR is important primarily because it protects individuals’ rights to privacy and data protection. The aim of the regulation is to ensure that companies and organizations handle customer data appropriately and are transparent about how they use and process it. In addition, GDPR is designed to make organizations and businesses more secure by requiring them to use appropriate levels of encryption and to be more vigilant in monitoring systems for unusual activity. Organizations are now required to obtain user consent before collecting personal data and to inform users how that data is used. They also have to be transparent about data breaches that occur and notify users who might be affected. GDPR matters for every individual, because it gives you control over your personal data: the regulation requires companies to obtain your consent before collecting your data and to tell you how your data is being used.

What Changes Does GDPR Bring?

The GDPR brings significant changes to every aspect of data privacy, from the way users can access and control their data to the requirements companies have to fulfill when handling it. The key changes GDPR brings to the table are:

Increased Territorial Scope

GDPR applies to all companies processing the data of EU citizens, even if the company has no physical presence within the EU. This change makes it more likely that a company will be fined for data breaches or for non-compliance with GDPR.

Stronger Privacy Protections

GDPR provides stronger data protections for individuals by strengthening the contractual terms between the Data Controller and the Data Processor. It also provides individuals with better access to their personal data and the ability to correct inaccurate data.

Increased Transparency and Accountability

GDPR requires organizations to be more transparent about how they collect and use personal data, and to be more accountable for any breaches that occur.

Increased Jurisdiction

GDPR gives data privacy authorities broader jurisdiction over companies and data subjects.

Increased Penalties

GDPR brings higher maximum fines for non-compliance: up to €20 million or 4% of global annual turnover, compared to the previous maximum of £500,000 under the 1995 data protection directive.

Seven Basic Principles of GDPR

The GDPR sets out seven basic principles that guide data processors on how they should process and protect the data they collect. These principles are as follows:

1. Lawfulness, fairness, and transparency:

Every processing operation must have a lawful justification. The data subject must be informed of the processing, and the processing must be carried out in a manner that does not misuse or mishandle the data.

2. Purpose limitation:

The purpose limitation principle restricts data processing strictly to the specified purpose. Under this principle, data may be “collected for specified, explicit, and legitimate purposes” only, as stated in the GDPR.

3. Data minimization:

The data minimization principle states that only the minimum amount of data needed for the specified purposes may be collected, and that the data may be processed only to the extent that is necessary.

4. Accuracy:

The accuracy principle requires that the personal data being processed be accurate. There must be checks that ensure the data is accurate and up to date, and any inaccurate, outdated, or incomplete data must be removed immediately.

5. Storage Limitation:

The storage limitation principle requires the organization to define the time period for which the data will be retained, and to securely discard the data once it is no longer required.

6. Integrity and confidentiality:

The integrity and confidentiality principle requires organizations to protect the personal data they gather while storing and processing it. This personal data must be protected against internal and external security threats alike. The principle mandates that organizations employ sufficient security controls to maintain the integrity and confidentiality of the data they store and process. To this end, the organization must use proactive strategies and perform risk management to deal with threats to data security, protecting the data against unintentional loss, destruction, or damage as well as against unauthorized or unlawful processing.

7. Accountability:

The accountability principle requires organizations to adopt appropriate and adequate measures to ensure that they keep a sound record of their compliance with this law. These records are extremely useful for demonstrating compliance to external GDPR consultants. The law requires organizations to maintain a high level of accountability.

What Are the Rights of Data Subjects under GDPR?

The biggest shift brought about by GDPR is that it places the responsibility for obtaining consent to collect personal data on the Data Controller. It also gives data subjects more rights, such as the right to be informed, the right to withdraw consent, the right to be notified of breaches, the right to be forgotten, the right to data portability, and much more. Data subjects also have the right to be informed about cookie use, and businesses must have a legitimate reason for processing their data. Some of these rights are explained in greater detail in this section:

Right to Be Informed

The right to be informed gives data subjects the right to be told about the collection and processing of their personal data.

Right to Access

The right to access gives data subjects the right to view and request copies of their personal data (within 1 month) free of charge.

Right to Breach Notification

The EU’s personal data protection regulation contains clear rules concerning personal data breach notifications. In the GDPR text, a personal data breach is defined as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Under this law, data subjects have the right to be notified if their personal data was involved in a data breach.

Right to Be Forgotten

The right to be forgotten is also called the right to erasure under GDPR. Under this right, data subjects can request to have their personal data erased if certain conditions are met. These conditions are as follows:

  • If the subject’s personal data is no longer required for the purpose for which the data was collected

  • If the subject withdraws his or her consent to the data processing

  • If the subject’s personal data is unlawfully processed

  • If the subject’s personal data is to be erased in order to comply with a legal obligation

  • If the subject’s personal data is processed to offer information security services to a child

  • If the subject objects to his or her data being processed for direct marketing purposes

  • If the subject objects to the processing of the data and there are no overriding legitimate grounds for continuing to process his or her personal data.

Right to Data Portability

The right to data portability gives data subjects the right to receive the personal data they have provided to a data controller in a structured, commonly used, and machine-readable format. It also gives them the right to request that a data controller transmit this data directly to another controller.

Right to Rectification

The right to rectification gives data subjects the right to have their personal data corrected if it is inaccurate, outdated, or incomplete.

Right to Object to Data Processing and Profiling

The right to object gives data subjects the right to refuse data processing unless their objections can be overridden on compelling grounds. Data subjects also have the right to object to profiling that has the effect of discriminating against them on the basis of race, religious beliefs, sexual orientation, gender identity, etc.

Right to Restrict Processing

The right to restrict processing gives data subjects the right to inhibit or block the processing of their personal data. Once processing is restricted, the personal data may be stored but not processed further until the issue is resolved.

Right to Refuse Automated Decision-Making

Data subjects have the right to refuse decisions that are made entirely automatically, without any human involvement, if those decisions have a significant impact on them.

Who Is Responsible for Personal Data?

In the past, the Data Controller assumed full responsibility for securing and handling personal data. GDPR places the responsibility for securing data on both the Data Controller and the Data Processor. The Data Controller is the organization that collects the data and determines the purposes for collecting it. The Data Processor is the organization that actually processes the data on behalf of the Controller. For example, a marketing company handling a car manufacturer’s data is the Data Processor, whereas the car manufacturer itself is the Data Controller. The GDPR provides a framework for securing data by requiring contractual terms between Data Controllers and Data Processors. These contractual terms are crucial for setting out who is responsible for which part of the process. Data Controllers must specify what the Data Processor is and is not allowed to do with the data being processed, and Data Processors are required to sign a contract with the Data Controller that sets out their commitments under GDPR.

Responsibilities and Rights of Data Processors

Data Processors play a critical role in securing personal data. The GDPR requires Data Processors to use appropriate technical and organizational measures for securing data, such as maintaining the confidentiality of data, protecting against unauthorized access, detecting and responding to cyber incidents, and having a contingency plan for data recovery. Data Processors must also be transparent about how they handle data, by obtaining user consent before collecting data and informing data subjects about how their data is being used. They must also honour the rights to erasure and data portability and be open about any breaches that occur. Data Processors also have specific rights under GDPR, such as the right to receive adequate compensation for their services and to be informed of any breaches that occur. Finally, Data Processors are required to have a valid privacy policy that tells data subjects what they can expect in terms of privacy and data security.

Conclusion

The GDPR brings significant changes to the way organizations handle personal data. It shifts the responsibility for securing data from the Data Controller alone to both the Data Controller and the Data Processor. It also gives Data Subjects greater rights, such as the right to erasure, the right to data portability, and the right to be informed of breaches, and it requires companies to obtain user consent before collecting their data and to inform them how their data is being used. The GDPR is important for every individual, because it gives you control over your personal data. It also provides stronger privacy protections, increased transparency and accountability, and higher penalties for non-compliance.
