The most important things you need to know to stay compliant with the General Data Protection Regulation and why it is so significant for individuals and businesses.
The era of advanced technologies and digital communication contributed to the increasing significance of personal data. Almost all modern organizations have digital platforms that involve the collection, analysis, and storing of information. However, the rising importance of data has led to multiple issues, and privacy protection belongs to the most important ones. Digitalization of the global market and the rapid development of e-commerce around the world intensified this concern. To quickly respond to data-related issues, it was necessary to establish a comprehensive legal framework applicable for personal and business environments on a national and global scale.
The European Union is the pioneer in developing rules and principles for general data regulation. The EU possesses an exceptional place in this segment because it recognizes personal data protection as a fundamental right and separates it from the right to privacy. Based on this fact, the European Council initiated the EU Data Protection Reform in 2012. The key component of the reform was General Data Protection Regulation (GDPR), as it contained implications for individuals and businesses across and beyond Europe as long as they target or collect data related to EU residents. As such, owing to its comprehensiveness, GDPR has become the toughest privacy and security law in the world, though it was drafted and passed by the EU.
The GDPR was agreed upon by the European Parliament and Council in April 2016 and came into force on May 25, 2018. Its provisions provide EU residents with better rights over their personal data and, at the same time, simplify the regulatory environment for business. To stay compliant with the GDPR, companies have not only to ensure legal conditions of personal data processing but also to protect it from misuse. In other words, the GDPR defined the rights of data owners as the most respected in the digital world.
The GDPR proposes seven key principles that lie at the heart of the legislation and summarise its many requirements. Accepting and following these principles underlie successful GDPR compliance for organizations and businesses. Indeed, they are also useful for individuals who want to understand the means and principles of using their data.
These principles do not provide hard rules, but rather reflect the essence of the modern general data protection regime according to the EU approach. Acceptance of this spirit is a cornerstone for good data protection practice and a key to compliance with the GDPR requirements.
To ensure compliance with GDPR, the EU member states must respond to the key requirements that are united under umbrellas of lawful basis and transparency, data security, accountability, and governance, as well as privacy rights. The extensive explanations of the key requirements are provided below:
GDPR requires businesses to protect personal data according to the principle of “data protection by design and by default”. As such, data protection must be the company’s top priority whenever they collect, process, or store personal information. Furthermore, the GDPR requires organizations to use encryption or pseudonymization of data whenever feasible. Notably, even if the company possesses a strong technical security infrastructure, operational security may be inferior. Thus, to ensure comprehensive security, organizations must build awareness of data protection and create internal security policies and processes addressing sensitive data handling. It is also necessary to conduct data protection assessments to understand how privacy and security of personal information could be jeopardized in the scope of the company’s operations. Finally, the GDPR requires to inform EU supervisory authorities and data subjects (individuals) about any personal data breach events within 72 hours.
Accountability for GDPR compliance is another part of the principle to protect data “by design and by default”. According to it, the companies are required to designate a person responsible for GDPR compliance and sign data processing agreements with their third-party service providers. Organizations are required to have a Data Protection Officer (DPO) in case of three main circumstances: when they act as public authorities or bodies (except for courts); when their activities require monitoring of individuals; or when their core activities involve a large scale processing of special categories of data. It is a good practice, however, to have the DPO even if the organization does not meet one of these conditions.
According to GDPR provisions, individuals have the right to see what personal data companies have about them, how these data are used, as well as the reason for collecting and keeping their personal data. GDPR makes it easy for people to ask for correcting, updating, or deleting data about them. Companies have to honor their customers’ requests within a month and there are only several grounds on which customers’ requests can be denied. The main of them refer to legal obligation compliances and exercising freedom of speech.
Answering GDPR requirements is essential for staying compliant with EU regulation and conducting all relevant data activities legally. Other countries and states have been establishing similar laws to protect the personal data of their residents. Apple CEO Tim Cook called on the US government to develop a data protection regulation, similar to the EU. He said it was time “for the rest of the world” to take a page from the EU and create a comprehensive framework to protect the personal information of consumers. This was not long in coming when a new privacy law, similar to that developed in the EU was introduced overseas, particularly in the US. The California Consumer Privacy Act (CCPA) was adopted on June 28, 2018, in California and established one of the most comprehensive data privacy laws in the country. As such, CCPA could be considered as an American response to European GDPR.
Failure to achieve GDPR compliance may leave a company open to substantial penalties and fines. According to Article 83(5) of GDPR, infringements of the key principles for personal data processing are subject to administrative penalties and fines. These could mean up to € 20 million, or 4% of an organization’s annual turnover. Eventually, not all companies achieved GDPR compliance and many infringements continue to be documented across Europe. According to European Data Protection Supervisor, the main types of violations, alleged in complaints in 2019, were confidentiality and security processing, right of access, change of purpose, data retention, restriction of data subject rights, web-tracking, etc. At the same time, the total number of all privacy protection violations has significantly decreased in comparison to the previous years and this was achieved owing to GDPR.
Even the world’s most recognized companies were among the companies that failed to comply with GDPR requirements were. For instance, NOYB – European Center for Digital Rights – found Apple, Amazon, Spotify, and Google’s YouTube non-compliant with some GDPR requirements. Specifically, these streaming giants let people download their personal information quickly while data consents were supplied in a non-understandable form. All these companies also failed to supply additional information to which individuals were entitled, particularly, a list of other companies with whom personal data was shared. Potentially, Apple could be penalized £7bn if the regulatory authorities and data protection officers recognized a breach of the law. Therefore, the fines and requirements of GDPR induced big companies and non-European states to increase data protection standards in order to stay compliant with GDPR.
As such, the role of the GDPR in conditions of rising digital single market and e-commerce in Europe cannot be overestimated. The regulation is an important tool that helps protect personal data and simplify business environments in our rapidly-developing world. Therefore, the legal and moral obligation of all organizations that operate on European territory or collect and process data related to EU residents is to stay compliant with GDPR and respect individual’s privacy rights.
If you need any help with GDPR compliance or other information security and compliance services, we’ll be happy to assist: