GDPR is a much-needed data protection law enacted in the EU to protect the personal data that businesses collect and process while operating within or outside EU member states. GDPR gives people more control over their personal data and a safer environment for interacting with online platforms. It also imposes hefty penalties on businesses that are found non-compliant with GDPR data protection principles. This blog provides an overview of GDPR and the basic details that the general public and businesses need to know.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an extensive set of regulations for the handling of EU consumers’ data. It was adopted by the European Parliament in April 2016 and replaced the Data Protection Directive (DPD) from 1995. GDPR became enforceable on 25 May 2018. It thereby gained headlines as the data protection act of 2018 that the general public desperately needed to ensure data privacy and protection.
GDPR is set up to provide unified and strong data protection laws across all the EU member states. It gives EU citizens and residents more control and rights over how their data is handled, processed, and stored by organizations. The European Data Protection Board has broadened the definition of personal data in GDPR compared to what it was earlier in the DPD.
Another point to note is that, because the UK is no longer part of the EU, it has set up its own UK GDPR, which means the EU GDPR no longer applies domestically in the UK.
Types of Personal Data Protected by GDPR
The main application of the General Data Protection Regulation (GDPR) is the way it addresses personal data. Under GDPR, personal data means any type of data that could be used to identify the user. The growing use of the internet, developments in digital technology, and social media have broadened the term personal data. The primary types of personal data protected by GDPR include:
- General identity data including name, ID numbers, address, credit card numbers, emails, etc.
- Biometric data.
- Political opinions.
- Racial or ethnic data.
- Sexual orientation.
Types of Organizations that come under GDPR
In simple words, all organizations operating within or outside the EU that process the personal data of EU citizens/residents are required to comply with GDPR. So, if an organization is involved in processing the personal data of EU residents, it has to comply with GDPR no matter which territory it operates from.
A wide range of industry sectors come under GDPR compliance requirements, but the most affected one is the technology sector. Next in line are online retailers, software firms, financial institutions, SaaS, and the list goes on.
Compliance Responsibility within an Organization
GDPR sets up different roles that are responsible for compliance within an organization, as follows:
- Data Controllers: They set out how personal data is processed and why it is being processed. They also ensure that third-party contractors comply with the measures.
- Data Processors: They can be an internal group or an outsourced group responsible for processing and maintaining personal data records. In case of a breach, GDPR considers them liable for non-compliance.
- Data Protection Officer: As per GDPR, processors and controllers are required to appoint a data protection officer who keeps an eagle eye on all data security measures and compliance with GDPR. Data protection officers are mandatory for organizations that deal with an immense amount of EU citizen data.
GDPR Penalties and Fines
Organizations dealing with the personal data of EU citizens and residents have no choice but to comply with GDPR, because non-compliance can lead to hefty fines with no rescue from public bodies. GDPR was developed to protect the public interest and set up a supervisory authority over public personal data; therefore, no compromise is possible if an organization is found guilty of GDPR non-compliance. But not all violations of GDPR will lead to serious fines.
There are two tiers of maximum administrative fines that can be issued for non-compliance, as follows:
- Tier 1: €10 million or 2% of the organization’s annual turnover (whichever is higher). It is applicable if:
  - An organization fails to provide adequate security.
  - An organization fails to appoint a data protection officer.
  - An organization fails to establish a data processor agreement.
- Tier 2: €20 million or 4% of the organization’s annual turnover (whichever is higher). It is applicable if:
  - An organization infringes the privacy rights of individuals.
  - An organization breaches the core principles of processing.
  - An organization transfers data internationally in a non-compliant way.
The hefty fines above are not imposed automatically but depend on the specific case. Before such fines are applied, there can be a series of corrective measures. Such measures can be issued by the Information Commissioner's Office and include issuing warnings, imposing a temporary or permanent ban on data processing, ordering data deletion, restriction, or rectification, blocking international data transfers, and other similar measures.
Organizations not only have to bear the administrative fines in case of non-compliance with GDPR; GDPR Article 82 also gives any individual who has suffered damage of any kind (material or non-material) the right to compensation for that damage. There are serious concerns associated with non-compliance with GDPR, so organizations should never take any risk.
GDPR and the Future
With every passing year, more people are becoming concerned about how transparent organizations are regarding the user data they collect. Users are demanding more transparency and control over the personal data that organizations can collect and use. In present times, experts consider data to be more valuable than oil. Because GDPR is meant to safeguard data subjects and regulate the data that organizations collect and process, the future of organizations is linked to the level of intelligence services they deploy to ensure data transparency, privacy, and protection.