Lately, we have heard a lot about GDPR compliance: how it has started to reshape the data protection framework, the many debates around it, and how its impact has reached business giants.

What Is GDPR?

GDPR is an abbreviation for General Data Protection Regulation. It’s a data privacy regulation that created a consolidated data protection legal framework across the entire European Union and EEA, but its impact is not limited to EU countries: business owners worldwide are also affected, as they must apply and follow specific principles to process the data legally.

The European Union issued the regulations on 25 May 2018.

What Are GDPR’s Key Principles?

Such principles and regulations prioritise individual rights regarding personal data, whether they are sensitive and important data such as passport information, social security number, driver’s license, financial information, medical records, credit card information, income, race, etc., or non-sensitive details (full name, address, emails, physical address, etc.) which other entities can collect.

Lawfulness, Fairness, and Transparency


According to the GDPR rules, any time an organisation uses data, it needs to be done legally and in the best interests of the data subjects whose info is being used. Businesses can’t be tricky about how they’re using your data. They have to be straight-up and honest about what they’re doing with it, whether they’re sharing it with others, and what rights you have.

For instance, if a business wants to collect information, it should state the reasons and whether it’s going to share that information with others. No more shady stuff!

Article 6 of the GDPR lists six legal bases, and any business must rely on one of these legal bases before processing personal data.

Let’s break down these three points:

Lawfulness

  • Consent: the data subject must give their permission to process their data, they must be free to say yes or no, and withdrawing consent must be as easy as giving it.
  • Contract: the processing is necessary to perform a contract with the data subject.
  • Legal obligation: the processing is required by law (e.g., keeping official legal records).
  • Vital interests: processing personal data to protect someone’s life or health (e.g., to provide personal details in a medical emergency).
  • Public task: processing personal data for the public interest (e.g., students’ personal data for university registration).
  • Legitimate interests: processing personal data to pursue a legitimate purpose (e.g., fraud detection).

Fairness

According to the UK’s data regulator, being fair means thinking hard about how the data is going to be used and whether it’s the right thing to do. It’s like being responsible with your data, not doing anything risky without a good reason, and using your info only in ways you’d expect.

Transparency

This part is all about being honest. Organisations should be clear and explain practically everything they will do with any personal data they have. They need to explain how and why they will use the data.

For example, if they’re making an app for your phone, they need to tell you all the ways they’re using your information.

Purpose Limitation

Businesses must be honest about why they’re gathering and using your personal info. If they say they’re getting your info for a certain reason, they can’t just go and use it for something totally different. This rule is called “purpose limitation.”

Being straightforward is key. They’ve got to clearly state why they’re collecting your info right from the start, and if they want to use it for something else, they’ve got to ask you again.

But here’s the twist: if they’re keeping data for the public good, research, history stuff, or making stats, they don’t have to stick to the normal rules. However, they’ve got to follow the guidelines in Chapter 9, Article 89 of GDPR.

The “purpose limitation” rule is like a two-part rule:

  1. Only gather info when you’ve got a good reason for it.
  2. Don’t use that info for something totally different or unrelated.

But these rules can be relaxed for historical research or statistics.

For example, let’s say you’re building an app. You ask users for their phone numbers to make their accounts safe (that’s the reason). You can’t suddenly switch and use their number for advertising without asking them first. This rule is all about being fair and not changing plans without checking in with the users.

Data Minimisation

Organisations shouldn’t collect any information beyond what the stated purposes require. Data should be limited to what is necessary, so only the required data is collected. The key concepts for implementing this principle are “necessity” and “proportionality”.

If you think about it, why is it necessary for an online retailer to collect data on a subject’s political opinions? No need for sure, except if the organisation has suspicious intentions!

Finally, when applying this principle, your organisation should keep three phrases in mind: 1. limited to, 2. what is required, and 3. what is necessary.

Accuracy

Organisations must take reasonable steps to ensure that the collected personal data is accurate and up to date.

Storage Limitation

As outlined in Chapter 9, Article 89 of the GDPR, organisations must not keep personal data for longer than they need it; they could store it for a specific time (e.g. one year) or until a user deletes their account. The only exception is for purposes related to public interests or statistical purposes.

Integrity and Confidentiality (aka security)


People’s data are like gold; they must be protected against “unauthorised or unlawful” processing or any accidental loss, destruction or damage. This means that your business/organisation has to be protected against the risk of data leaks or breaches.

This can be achieved by putting in place appropriate technical and organisational measures to protect personal data from being accessed by hackers or leaked as part of a data breach.

What will happen if any leaks or breaches occur? Once the organisation becomes aware of such a breach, it must notify the data subjects and the applicable data protection authority without any delay. They have to be responsible, or they’ll get into trouble!

So the organisation has to take care of its information security setup, because fines await if any inadequacies are found. Cathay Pacific Airways is an example. The company was fined, under pre-GDPR laws, £500,000 for exposing 111,578 of its UK customers’ personal information. It was mentioned that the company had “basic security inadequacies” within its setup.

Accountability

This principle is the final one and was added to ensure that organisations comply with the previous principles that form the regulation.

The idea is that organisations must take responsibility for how they gather and handle personal data.

How do you prove that your business is compliant with GDPR?

There are some steps you must take in order to demonstrate accountability:

  • Use Data Subject Access Request (DSAR) forms on your platform so your data subjects can easily exercise their privacy rights.
  • Appoint a Data Protection Officer (DPO) if needed.
  • Maintain a record of processing activities (RoPA)—a requirement under Article 30 of the GDPR.
  • Ensure that adequate Data Processing Agreements (DPAs) are in place with any third parties that have access to your user data, in line with the contractual obligations outlined in Chapter 4, Article 28 of the regulation.
  • Develop necessary documentation for the security measures used and how the personal data is handled to protect the users’ data.

What Is Personal Data Under the GDPR?


We always think of personal data as just the data we care about most, like passwords, phone numbers or addresses, but the GDPR defines it far more broadly than that.

According to Art. 4 (1), personal data is any information relating to an identified or identifiable natural person.

Personal data includes all data that can be linked to a person in any form. This covers:

  • Data that identifies a person, such as names, phone numbers, email addresses, passwords and credit card numbers.
  • Data with special characteristics like genetic, physiological, physical or biometric data (such as fingerprints).

Even if an organisation only asks for additional information that lets it learn your IP address, from that moment your IP address is considered personal data.

What Are the GDPR Fines and Penalties for Non-Compliance?

What will happen if your business fails to comply with the GDPR?

It all depends on the severity of the breach. As listed in Article 83(5) of the GDPR, your company will face a maximum penalty of €20 million ($22.5 million) or 4% of its annual worldwide turnover for the most serious violations, such as the unauthorised international transfer of personal data.

For less severe infractions, as listed in Article 83(4) of the GDPR, a lower fine of €10 million or 2% of worldwide turnover applies to companies that mishandle data in other ways, for example:

  1. Failure to design a project with the required privacy and data protection built in.
  2. Failure to handle a data breach.

There have been many significant penalties since the GDPR came into force, the first in January 2019, when Google was fined $57 million by the French data protection watchdog for a GDPR violation. Fines issued under the regulation currently total $4.5 billion. How devastating is that?

Do We Need to Appoint a Data Protection Officer?

According to Chapter 4, Article 37, your organisation must appoint a Data Protection Officer (DPO) if:

  • The data processing is performed by a public authority.
  • Your organisation carries out large-scale processing of sensitive and special categories of data like monitoring of individuals for behaviour tracking, health data collection, or political opinions.

But who should be a DPO? Are there any qualifications they should have? According to the Information Commissioner’s Office, there is no set of special traits that a DPO should have. However, they should have professional experience and full awareness of data protection law and how to apply it to what the organisation carries out.

Note that if it’s required to have a data protection officer by GDPR and the organisation fails to appoint one, this is considered to be non-compliance and will result in a fine.

As it is now clear that the GDPR has become a necessity and will certainly affect every business, we encourage everyone to take all the required measures and ensure that your organisation is fully compliant with its rules to avoid the large financial fines applied in case of violation.