1. What is General Data Protection Regulation (GDPR)?
2. What is considered Personal Data under GDPR?
3. Who does the GDPR apply to?
4. GDPR Key Concepts
What is General Data Protection Regulation (GDPR)?
GDPR stands for “General Data Protection Regulation”. The law was passed by the European Union (EU), and it imposes obligations on organizations anywhere in the world, as long as they target or collect data relating to people in the EU. In other words, although it was drafted and passed in Europe, it affects businesses worldwide.
The GDPR updates the 1950 European Convention on Human Rights to make it relevant for the digital age. Article 8 of the convention states that everyone has the right to respect for their private and family life. The regulation took effect on May 25, 2018; it set new standards for data privacy and data protection and provoked a wave of global privacy laws that permanently changed how we use the internet.
Any company or business that violates the regulation faces severe fines, “potentially up to €20 million or 4% of annual global revenue, depending on the severity and circumstances of the violation”.
GDPR is compulsory for any company or business.
This new norm affects businesses worldwide: Facebook, Google, and, more recently, Condé Nast have been reported to run afoul of GDPR guidelines. Businesses with a shortage of funds, workforce, or expertise are therefore at risk of violating it. This article walks you through the process of becoming GDPR compliant.
What is considered Personal Data under GDPR?
According to Article 4 of the GDPR, “personal data” includes any information relating to an individual who can be identified, directly or indirectly. “Personal data” refers to identifiers such as a name, date of birth, identification number, or location data, or to factors specific to a natural person, such as the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
This means “personal data” does not just include information that links to a person; it also includes any facts or behaviors belonging to that individual.
Who does the GDPR apply to?
Even though the GDPR was drafted and passed in the EU, it affects businesses worldwide. Here’s why: the purpose of the GDPR is to give data subjects greater control over the information that is collected, stored, and used by others. It doesn’t matter where in the world an entity is located; if that entity does business with EU citizens that involves collecting or processing personal data, it must comply with the GDPR. So, as long as your business has any relations with EU citizens, you must comply with the GDPR.
The GDPR divides the parties that handle personal data into two roles: the controller and the processor.
Data controllers are any individual, public authority, agency, or another body that determines the purpose and means of processing personal data. Controllers decide how personal data is processed.
Data processors are any individual, public authority, agency, or other body that processes personal data on behalf of a controller.
Since processors are carrying out the data processing rules set by a controller, they’re not making decisions about how personal data is handled.
Take a company’s customer database and its business analyst as an example. The company is the data controller because the customers’ data is stored in its database and the company determines how the data should be handled. The business analyst, in this case, is the data processor: they carry out the company’s processing instructions.
GDPR Key Concepts
The key concepts of the GDPR are: Data Protection Impact Assessments (DPIAs), Data Breach Notifications, Privacy and Rights, and Consent.
Data Protection Impact Assessments (DPIAs)
A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that is likely to involve “a high risk” to other people’s personal information. Put simply, if a company’s data processing activities are high-risk and could affect people’s rights and freedoms, the company needs to complete a DPIA.
According to Article 35 of the GDPR, some concrete examples of the types of conditions that would require a DPIA are:
Use of new technologies
Tracking people’s location or behavior
Systematically monitoring a publicly accessible place
Processing genetic, biometric, or demographic data (race, political opinions, religious or philosophical beliefs, DNA testing, etc.)
Making automated decisions about people that could have legal (or similarly significant) effects
Processing children’s data
Data Breach Notifications
When a data breach occurs, the affected company has 72 hours to inform its supervisory authority. It also has to tell affected users as quickly as possible.
Privacy and Rights
According to GDPR Article 12, all businesses are required to explain how they process data in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. Businesses must also make it easy for people to submit requests (e.g., a right to erasure request) and must respond to those requests quickly and adequately.
When companies collect personal data from a user, directly or indirectly, they need to communicate specific information to that user. The accuracy of the data a company processes is only tangentially an aspect of data privacy, but people have the right to correct inaccurate or incomplete personal data that a company is processing about them.
Also known as the “right to be forgotten,” data subjects have the right to request that a company delete any information about them.
A data subject can request that a company temporarily restrict the way it processes their data if they believe the information is inaccurate, is being used illegally, or is no longer needed by the controller for the purposes claimed.
Data subjects also have the right to object to a company processing their data.
Consent
According to GDPR Article 4(11), consent of the data subject means that the data subject freely and willingly agrees to the processing of personal data relating to them. In other words, data subjects must willingly agree to the fact that their data will be processed.
Consent must be freely given
Consent must be specific
Consent must be informed
Consent must be unambiguous
Consent can be revoked