What is the GDPR?
The GDPR is the EU's set of rules on the protection of personal data and the privacy of individuals, known as data subjects, in the European Union (EU) and the European Economic Area (EEA). Although it is EU law, it applies to businesses and organizations anywhere in the world when they process the personal data of people in the EU, for example by offering them goods or services or by monitoring their behaviour.
Adopted in 2016 and applicable since 25 May 2018, the GDPR replaced the previous Data Protection Directive, officially known as Directive 95/46/EC, which had been the EU's data protection framework since 1995. The GDPR was designed to harmonize data protection laws across the EU. It strengthened the rights of data subjects to control how their personal data is collected, used, and shared. It also placed new obligations on organizations that process personal data.
The regulation also gives businesses a single set of rules to follow, which should make it easier for them to operate across the EU. Every organization that handles the personal data of people in the EU must comply with the GDPR, both to manage user data properly and to reduce the risk of a data breach. The fines for non-compliance can be severe, reaching up to tens of millions of euros or a percentage of global annual turnover.
Why does the GDPR exist, and who does it apply to?
The GDPR was adopted in response to significant changes in the digital landscape in recent years. With the development of the internet and the increasing use of digital technologies, there has been a corresponding increase in the amount of personal data that organizations collect, use, and share.
The growth of the internet has raised concerns about protecting data privacy and the potential for data breaches. The GDPR addressed these concerns by establishing a new set of rules for personal data processing.
The GDPR applies to any organization that processes the personal data of people in the EU. Personal data means any information relating to an identified or identifiable natural person. It includes the following (health, genetic, biometric, racial or ethnic, political, religious, and sexual-orientation data are "special categories" under Article 9, which may only be processed under stricter conditions):
- Basic identity information (name, address, ID/passport number)
- Web data (IP addresses, location, cookies)
- Health, genetic, and biometric data
- Racial or ethnic origin
- Political opinions or religious beliefs
- Sexual orientation
- Any other information that identifies an individual, directly or in combination with other data
This single set of rules has made it easier for international organizations to process personal data and do business in Europe. It also helps build trust between companies and data subjects, which is essential for the growth of the digital economy.
The seven principles of the GDPR
The GDPR sets out seven key principles for the protection of personal data (Article 5). They define how data controllers must collect, use, and safeguard personal data:
- 1.Lawfulness, fairness, and transparency. Organizations must have a valid legal basis for each processing activity (such as consent, a contract, a legal obligation, or a legitimate interest), must not process data in ways that are unfair or misleading to the individual, and must tell data subjects clearly what is done with their data and why.
- 2.Purpose limitation. Organizations must specify the purpose of data collection up front and may not later process the data for a new purpose that is incompatible with the original one.
- 3.Data minimization. Companies may only collect personal data that is adequate, relevant, and limited to what is necessary for the intended purpose.
- 4.Accuracy. Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
- 5.Storage limitation. Companies may keep personal data in a form that identifies individuals only for as long as necessary to achieve the purpose for which it is processed, after which it must be deleted or anonymized.
- 6.Integrity and confidentiality. Personal data must be processed in a way that ensures appropriate security, using appropriate technical and organizational measures to protect it against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Both controllers and processors carry this obligation.
- 7.Accountability. The data controller is responsible for compliance with the other six principles and must be able to demonstrate it, for example through records of processing activities, data protection impact assessments, and documented policies.
All personal data must be processed fairly, lawfully, and transparently, using the "appropriate technical and organizational measures" the GDPR requires. Organizations that process data in line with these principles reduce the likelihood of security breaches and improve the protection of people in the EU.
What does GDPR compliance mean?
GDPR compliance means conforming to the General Data Protection Regulation, the data protection and privacy regulation that covers people in all EU member states. To be GDPR compliant, an organization must follow the principles and requirements set out in the GDPR whenever it processes personal data.
Organizations that fail to comply with the GDPR may face fines and other penalties.
Fines and penalties for failure to comply with the GDPR
Organizations that fail to ensure compliance with the GDPR may be subject to fines and other penalties. The specific fines and penalties depend on the nature and severity of the non-compliance, as well as the size and resources of the organization.
The GDPR sets out two tiers of fines for non-compliance with the data protection rules:
- 1.Less severe violations: For infringements of the obligations placed on controllers and processors, such as failing to keep records of processing activities, failing to designate a data protection officer where one is required, or failing to notify a personal data breach, organizations can be fined up to €10 million or 2% of their total worldwide annual turnover for the preceding financial year, whichever is higher.
- 2.Severe violations: For infringements of the basic principles of processing, such as processing personal data without a legal basis, violating data subjects' rights, or transferring personal data outside the EU without adequate safeguards, organizations can be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher.
Besides fines, supervisory authorities can impose other corrective measures for non-compliance, such as a temporary or definitive ban on processing personal data, an order to suspend data flows to a recipient in a third country, or an order to bring processing into compliance. Data subjects who suffer damage can also claim compensation from the controller or processor.
Know your GDPR rights
The main idea of the General Data Protection Regulation is to strengthen individuals' rights over their personal data and to give them more control over how it is processed. Educate yourself about your rights and remember that you can always ask a data controller what data it holds about you, or ask for it to be erased.
The GDPR lists eight fundamental rights that a person has when providing organizations with access to their personal data.
The right to be informed
According to the GDPR, data subjects have the right to be informed about how companies collect and use their personal data. Individuals have the right to know who the controller is, why and on what legal basis the data is processed, how long it will be kept, and with whom it will be shared.
The right of access
The data subject has the right to request access to their personal data and to receive information about the collection’s purpose and information on how the data controller stores and processes it.
If a person wants to know what information an organization holds about them, they can submit a Subject Access Request (SAR). The request can be made by the data subject or by someone authorised to act on their behalf; the controller must verify the requester's identity, then respond in a concise and intelligible form within one month (extendable by two further months for complex or numerous requests, in which case the requester must be told within the first month).
The right to rectification
Under the GDPR, individuals have the right to request that any incorrect, incomplete, or inaccurate personal data about them be corrected.
The right to erasure
Also known as "the right to be forgotten." Data subjects have the right to request that the controller erase their personal data without undue delay in certain situations, for example when the data is no longer needed for the purpose it was collected for, when they withdraw the consent the processing relied on, or when the data has been processed unlawfully. However, the controller is not obliged to delete the data if it is still needed to comply with a legal obligation, to establish or defend legal claims, or for reasons such as public health or freedom of expression.
The right to restrict processing
If a person cannot request erasure or the data cannot be erased, they have the right to request that the use and processing of their data be restricted instead, for example while the accuracy of the data is being checked, or where processing is unlawful but the person prefers restriction to deletion. Restricted data may then be stored but not otherwise used without the person's consent.
The right to data portability
A person has the right to receive the personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and to have it transmitted directly to another organization where technically feasible. This right applies to data processed by automated means on the basis of consent or a contract.
The right to object
In some cases, the data subject has the right to object to the processing of personal data. Where the data is used for direct marketing, the objection is absolute and the processing must stop. Where processing is based on legitimate interests or a task in the public interest, including some scientific or historical research, the controller must stop unless it can show compelling legitimate grounds that override the individual's interests.
The right not to be subject to automated decision making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. Where such a decision is permitted (for example because it is necessary for a contract or based on explicit consent), the person can still demand human intervention, express their point of view, and contest the decision.
These rights apply to people in the European Union, regardless of where the personal data is processed or where the company or organization is based, including when they buy goods or services from non-European organizations that target the EU market. It is important to note that these rights are not absolute and may be subject to certain exemptions or limitations.