What is GDPR?
The planning years came to an end on 25 May 2018, when the General Data Protection Regulation (GDPR) came into force across Europe. The GDPR has now been in effect for almost two years and has modernised the rules that protect individuals’ personal information.
GDPR replaced almost twenty years of existing European data protection law, parts of which were first drafted in the 1990s, long before our data-heavy lifestyles meant routinely handing over personal details online.
Even after a transitional phase that encouraged companies and organisations to change their practices before GDPR took effect, there is still widespread confusion about what the law requires. Here is our guide to what GDPR is.
According to the EU, the GDPR is intended to “harmonise” data protection legislation across all Member States and to give individuals greater protection and stronger rights. GDPR was also designed to change how corporations and other entities process the information of the people they deal with. For those that contravene the law, there is the potential for substantial fines and reputational harm.
The legislation introduced significant changes, but it builds on earlier data protection standards. As a consequence, many people in the field of data protection, including the UK Information Commissioner, Elizabeth Denham, have described GDPR as an evolution of existing law rather than a complete rewrite. Denham said the law should be a ‘step change’ for companies that were already compliant with the pre-GDPR rules.
Who does GDPR apply to?
Personal information is at the core of GDPR. Broadly, this is any information that allows a person to be identified, directly or indirectly, from the available data. It may be obvious, for example a name, a location or a simple online user name, or it may be less immediately visible: IP addresses and cookie identifiers can also be personal information.
GDPR also defines a set of special categories of personal data that receive further protection because they are sensitive. These cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning a person’s sex life or sexual orientation.
What matters about personal information is that it makes it possible to identify a person, so pseudonymised data can still be classified as personal information (anonymised data, which can no longer be linked to a person, is not). Personal information is so central to GDPR because the legislation applies to individuals, associations and corporations that are either ‘controllers’ or ‘processors’ of it.
“Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data,” says the UK data protection authority, the ICO. There may also be joint controllers, where two or more parties together decide how the data are processed. “Processors act on behalf of the relevant controller and under their authority,” the ICO says. Controllers carry heavier obligations under GDPR than processors.
Although GDPR is EU law, it also applies to companies located outside the EU. For example, a company in the USA that offers goods or services to people in the EU, or monitors their behaviour there, is subject to GDPR even though it is not an EU-based controller.
What are GDPR’s key principles?
Seven fundamental principles, laid down in Article 5 of the regulation, sit at the heart of GDPR and are meant to govern how personal data should be treated. They are not detailed rules but overarching principles that set out the wide-ranging goals of the GDPR. Most of them are essentially the same as those in earlier data protection law.
The seven principles of GDPR are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Only one of these, accountability, is genuinely new; in the United Kingdom, each of the others has an equivalent in the Data Protection Act 1998.
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
What are your GDPR rights?
While the GDPR places the greatest burden on data controllers and processors, the law exists to safeguard the rights of individuals. To that end, GDPR grants individuals eight rights. These include the right to easily access the data an organisation holds about you and, in some cases, to have it deleted.
The full list of individual rights under GDPR is: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
As with the principles, we only summarise the rights here.
RoyalTech’s implementation of GDPR…
This data protection legislation puts our clients in the driver’s seat, and it is our business to comply with it. We would not do otherwise.
What is compliance with GDPR?
GDPR applies to companies and organisations established in the EU, whether or not the data processing itself is performed in the EU. It also applies to organisations outside the EU: if your organisation offers goods and/or services to people in the EU, or monitors their behaviour there, the GDPR applies to you.
Public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data, must appoint a data protection officer (DPO) responsible for overseeing GDPR compliance. Other organisations may appoint one voluntarily, but every organisation handling personal data needs someone accountable for compliance.
Strict sanctions apply to businesses or organisations that do not comply with GDPR: fines of up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher.
Does the EU take GDPR seriously?
Very seriously.
British Airways and Marriott International, for example, face eye-watering proposed fines of €100 million or more each for non-compliance.
- British Airways faces a proposed fine of up to €200m for a data breach that occurred in September 2018.
- Marriott International is expected to pay €99 million in penalties for a data breach that ran from 2014 to 2018.
Many people may think GDPR is just an IT issue, but that is not the reality. It has broad consequences for the whole business, including how marketing and sales activities are run.
Why is GDPR important?
In this new world, data is a valuable currency.
And while GDPR brings us, as companies, challenges and pain, it also brings opportunities.
Companies that demonstrate that they respect people’s privacy (beyond mere legal compliance), that are transparent about how information is used, and that design and enforce better ways to handle consumer data over its whole life cycle build deeper trust and retain loyal customers.
When the regulation was first adopted in 2016, it looked as if companies had plenty of time to take the steps required. That time has now passed, and many businesses are still struggling. So, if you have not already begun your journey towards compliance, we advise you to start now.
Give yourself time to understand what you need to do to comply, and use the practical tips in this article to help get you started. Create an action plan for your journey to GDPR so that you and your company comply sooner rather than later.