The General Data Protection Regulation
The General Data Protection Regulation (GDPR), adopted in April 2016, is one of the toughest data protection laws in the world and gives individuals the right to manage their personal information. Though it was passed by the European Parliament, it applies to organizations outside of Europe that process the personal data of citizens and residents of EU member states. This includes internet giants such as Google and Facebook.
We’ll look at the data protection directive, what it means for your business, and how Compliant can help your website stay on the right side of the law.
Under the GDPR, anyone who collects information from EU residents or processes that data, such as cloud service providers, cannot sell or transfer personal information that can be used to identify an individual without that individual’s explicit permission, unless a legal exemption applies.
Personal data of EU citizens includes specific location data, biometric data, and any information stored in third-party data storage facilities.
The purpose of the data privacy laws was to enable European Union citizens to feel that their online data is safe, private, and protected. The goal is to stop the sale of personal information online without the subject’s consent.
It is also to empower citizens and give them the right to ask organizations to get rid of their personal information if they decide they no longer consent to share their information.
The GDPR protects personal information that relates to natural EU citizens. This is a broad range of information that includes everything from names to cookies and IP addresses. Anything used to single out an individual is personal identifying information and is therefore protected data.
Some data is more heavily protected, and the penalties for violations involving these data types are more severe. This category includes sexual orientation, medical information, race or ethnicity, religious or political opinions, and genetic data.
The GDPR set up the European Data Protection Board (EDPB) to monitor data protection rules, issue clarifications, and enforce them wherever necessary. It exists to clarify compliance with the GDPR, explain best practices for companies, and oversee and adopt new decisions about legislation.
There are seven key principles named in the GDPR. They are not laws so much as guidelines for companies designing their data collection and transfer policies. By following the spirit of these principles, businesses can be confident that they are complying with the GDPR.
Individuals should be aware of when their data is being collected and should be able to consent or opt out of sharing their personal information. They should also be aware of how their data is shared to make informed decisions about whether or not to participate in the future.
Companies need to explain exactly what they plan to use the collected data for and must not use it for anything outside of the initially defined purpose. The purpose must not be so broad or so difficult for the average person to understand that informed consent becomes impossible.
Note that this does not restrict organizations from archiving information for the public interest, scientific, or historical research.
This principle asks that companies only gather the information strictly needed for their stated purpose. The fact that someone agrees to have their personal data collected does not mean that they also agree to have irrelevant data stored.
The GDPR asks that organizations figure out the minimum amount of data needed for their purpose and collect nothing outside of that.
Organizations have an incentive to ensure that their collected data remains up to date. Still, the GDPR reiterates the importance of removing out-of-date information and replacing it with current data. When people agree to have their data collected and stored, part of their agreement is that the data should be accurate, and it is the organization’s responsibility to make sure that stays true.
In the same way that the data minimization principle asks that organizations not collect data outside of their specified purpose, the storage limitation principle asks that data not be stored for any longer than the company’s purposes require. This includes the right to data portability and the rights to rectification and erasure (a limited right to be forgotten).
Exceptions are made if the personal data is archived for historical or scientific research, statistical research, or public interest.
The GDPR lists best practices to follow to maintain the security of personal data. Ideally, organizations should follow all of them and implement technologies to prevent data breaches through hacking or any accidental leaks. Security measures will differ based on the company, types of information they gather, and industry, but there are some general rules to consider.
Encrypting collected personal data, pseudonymizing it or removing identifiable information where possible, and restricting access through codes and credentials are all good ways to keep personal data secure and prevent attackers from stealing it.
Although the GDPR does not give explicit instructions for protecting data, it relies on good judgment. Law enforcement will not hesitate to penalize a company if a breach happens and its security is found to be lacking, which can become costly.
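The pseudonymization and minimization measures mentioned above, as an added example that is not part of the original page or of Compliant’s product: each direct identifier is replaced by a keyed token, only the fields the stated purpose needs are kept, and the token-to-identity table is handled as a separate, more tightly controlled artifact that an erasure request also clears. The field names, the sample records and the demo key are constructed for this example; in practice the key would come from a secrets manager or HSM, never from the code.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("email", "ip")

# Constructed sample records; these are not real people or real addresses.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchase": "book", "phone": "555-0100"},
    {"email": "bob@example.com", "ip": "198.51.100.22", "purchase": "lamp", "phone": "555-0101"},
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchase": "pen", "phone": "555-0100"},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Return a stable keyed token for one identifier.

    A keyed HMAC is used instead of a plain hash: an unkeyed SHA-256 of an
    email address can be reversed by hashing a list of guessed addresses,
    whereas without the key the HMAC token reveals nothing about the input.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict[str, str], key: bytes,
                        keep: Iterable[str]) -> Dict[str, str]:
    """Replace direct identifiers with tokens and keep only the fields the
    stated purpose needs (data minimization); every other field is dropped."""
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = pseudonymize(value, key)
        elif field in keep:
            out[field] = value
    return out


def pseudonymize_dataset(records: Iterable[Dict[str, str]], key: bytes,
                         keep: Iterable[str] = ("purchase",)) -> List[Dict[str, str]]:
    """The working dataset analysts are allowed to see."""
    return [pseudonymize_record(r, key, keep) for r in records]


def build_reidentification_table(records: Iterable[Dict[str, str]],
                                 key: bytes) -> Dict[str, str]:
    """Map token -> original identifier.

    For the tokens to count as pseudonymization rather than mere relabelling,
    this table (and the key) must be stored separately from the working
    dataset, under stricter access control than the dataset itself."""
    table: Dict[str, str] = {}
    for record in records:
        for field in DIRECT_IDENTIFIERS:
            table[pseudonymize(record[field], key)] = record[field]
    return table


def erase_subject(dataset: List[Dict[str, str]], table: Dict[str, str],
                  email: str, key: bytes) -> List[Dict[str, str]]:
    """Honour an erasure request: drop the subject's rows from the working
    dataset and delete their mapping entries (email and IP) so the tokens
    can no longer be resolved back to a person. The table is modified in
    place; the surviving rows are returned."""
    token = pseudonymize(email, key)
    for row in dataset:
        if row.get("email_token") == token:
            table.pop(row.get("ip_token", ""), None)
    table.pop(token, None)
    return [r for r in dataset if r.get("email_token") != token]


if __name__ == "__main__":
    # Constructed demo key; a real deployment loads it from a secrets manager.
    demo_key = b"constructed-demo-key-do-not-use"
    working = pseudonymize_dataset(SAMPLE_RECORDS, demo_key)
    lookup = build_reidentification_table(SAMPLE_RECORDS, demo_key)
    for row in working:
        print(row)
    left = erase_subject(working, lookup, "alice@example.com", demo_key)
    print("rows after erasure:", len(left), "mappings left:", len(lookup))
```

Two properties matter for a compliance reviewer: the same person always gets the same token (so analysis on the working dataset still works), and a different key or no key at all yields an unrelated token (so a leaked working dataset on its own is not a leak of identities). Re-identification is only possible with both the key and the separately held table, and an erasure request removes the subject from both.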
This principle requires that organizations take responsibility for their actions.
Your organization must be able to show proof that it complies with the GDPR and incorporates the principles in its data collection. These principles place the onus on the company to prove that it is compliant rather than on private individuals or law enforcement to prove non-compliance.
Accountability also mandates that companies notify those whom a hack or personal data breach might affect, as well as the country’s data protection regulator, within 72 hours of discovering the issue.
Another aspect of accountability is the citizen’s right to file a Subject Access Request (SAR), asking for access to the information you have collected about them. From there, they can withdraw their consent and require that you erase their data from your systems and tell anyone else you previously shared the data with to do the same.
The GDPR mandates that personal, identifiable data can only be accessed when you give that information to a company or if you explicitly give that company consent to share your information.
Otherwise, your data can only be accessed under the following conditions:
GDPR compliance means:
Many companies also run routine training for their staff on data protection, integrity, and confidentiality. They frequently review their privacy protection technologies to look for better ways to stay compliant with GDPR legislation.
Companies must designate a Data Protection Officer or DPO to monitor sensitive private information. The DPO:
Non-compliance with the GDPR is expensive and can result in massive penalties for companies. GDPR violations fall into the highest tier of administrative fines in the EU: the greater of 4% of your company’s total worldwide annual income or 17.5 million pounds, the equivalent of over 24 million US dollars.
You must prove your GDPR compliance has been restored by conducting data protection impact assessments to ensure ongoing compliance moving forward.
The GDPR’s comprehensive and strict regulations about data privacy are necessary in an increasingly digital world. Children and adults are often unaware of when their data is being collected or what purposes it might be used for, as well as who else might see it.
With the GDPR, people can rest easy knowing their information cannot be collected or shared without explicit consent. Contact us today to see how we can help your website stay Compliant with changing laws.