Yulia Landbo
This guide will delve deeper into the specifics of this data protection law, explaining what GDPR is, its founding principles, its enforcement date, its main concepts, and the roles involved. We'll also provide what's most valuable: a step-by-step guide on how businesses can ensure GDPR compliance with this law.
First, let's demystify this acronym and explore some details of the concept.
The General Data Protection Regulation (GDPR) is a privacy and security regulation in the European Union law setting the guidelines for collecting, processing, storing, and transferring personal data of individuals living in the European Economic Area.
This data protection law is considered one of the strictest globally. Even though this law is enforced within the European Union, it also obligates businesses worldwide to comply. GDPR enforcement is triggered when a company begins interacting with the personal data of EU users in a manner that breaches any of its numerous clauses.
The complexity and extensive nature of this hundred-page document, paired with severe penalties, make General Data Protection Regulation compliance a significant challenge even with the aid of specialized software tools. The regulation has also proved to be a considerable revenue source for the EU, contributing at least $4 billion from 1,653 penalty incidents.
Under Art. 83, violating the fundamental principles of personal data protection stipulated in GDPR can lead to severe penalties of up to $20 million, or up to 4% of the company's global yearly revenue. The latter figure can be substantially higher in some cases, as demonstrated by the fines imposed on Meta and Amazon.
Infringements relating to the control, processing, certification, and monitoring activities can lead to fines of up to $10 million or up to 2% of the company's annual revenue.
Both Art. 2 and Art. 3 define the material and territorial scope of GDPR's application.
GDPR covers all companies and other entities that process personal data (we'll define this concept below) of citizens or residents of the European Union or European Economic Area while offering them products or services, no matter where the business is located, which jurisdiction it belongs to, or whether those products or services are paid for.
There are several cases where GDPR isn’t applicable:
to any data processing activities done by individuals for personal or household purposes;
to data processing carried out for law enforcement purposes and covered by the Law Enforcement Directive (LED);
to data processing activities related to national security purposes;
to non-EU organizations processing the personal data of non-EU residents.
An integral part of the GDPR law which we already mentioned above is personal data. Let’s define this concept and review the main types of personal data under the General Data Protection Regulation. You can find this and other essential definitions in Art. 4.
Personal data under GDPR is any information related to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
In other words, personal data is any information that can be attributed to an identifiable person, including address, name, e-mail, phone number, personal taxation number, photos, etc. As you can see, this can include a wide array of different types of information. Let’s review them in the next block.
Generally, all the personal data covered by GDPR can be divided into two categories — regular data and special (or sensitive) data.
When a piece of personal data can be attributed, directly or indirectly, to a natural person who is identified or identifiable, this personal data is considered regular. This category of personal data consists of:
names and surnames;
any identification numbers, such as taxation numbers, driver's licence numbers, etc.;
data about a location like GPS coordinates, address, or IP address;
contact information, including phone numbers, e-mails, or messenger profiles;
online identifiers like credentials, usernames, etc.;
information about physical appearance, such as photos or text descriptions.
There are several types of more sensitive personal data that require stronger protection. The rule of thumb is to process such data only when a specific condition is met, such as explicit consent from the data subject or a request from a legal authority. Below are the main sensitive data categories:
information about the racial or ethnic origin;
personal political beliefs or affiliations;
religious and philosophical beliefs;
memberships in trade unions;
genetic and biometric data;
any health records;
data about sexual activity and orientation.
Criminal information on convictions and offenses is also considered personal data under the General Data Protection Regulation. This information can be processed by public data controllers only where strictly necessary for public or regulatory tasks. The only grounds for disclosing this data are explicit consent from the data subject and the safeguarding of private or public interests that outweigh secrecy and privacy.
We've already mentioned an entity called the "data subject" without explaining it. Now it's time to review this and the other key roles within GDPR in order to understand them and stay GDPR-compliant.
As you might already guess, the data subject is simply a natural person who is identifiable or already identified and whose personal data is collected and processed. A natural person here means a living individual, not a legal person (which is a company or any other organization).
Being an integral role in GDPR, the data subject has some specific rights. These rights must be upheld by organizations collecting, storing, or processing their personal data.
Right to access. Once any personal data is being processed, its subject has the right to become aware of the fact of processing, its place and purpose, as well as to receive a copy of all the processed data for free.
Right to rectification. Data subjects are able to ask for the correction or completion of their personal data where it is incorrect or incomplete.
Right to be forgotten. Data subjects have the right to ask for the deletion of their personal data in certain circumstances.
Right to restrict processing. Similarly, subjects also have the right to restrict the processing of their personal data in some cases.
Right to data portability. Data subjects are always allowed to request their personal data in a machine-readable form, as well as to move the data to another provider.
Right to object. Processing personal data solely for marketing purposes requires special consent from the data subject up front. Conversely, data subjects have the right to object to the processing of their personal data for marketing purposes at any moment.
Right related to automated decision-making, including profiling. Data subjects can prevent others from making decisions related to them, based on automated personal data processing, including profiling. However, this right holds true only when such decisions affect them significantly or produce any legal effects.
The next essential role is the data controller — a natural or legal person, including public authorities and agencies, determining the purposes and means of personal data processing.
The main responsibility of this role is to take effective measures in order to ensure the processing complies with GDPR and to demonstrate it to data subjects. The selected measures must be based on different processing parameters, including their scope, nature, goals, background, and risks.
Controllers can combine their efforts; such controllers are called joint controllers. They must distribute their responsibilities transparently, setting out a special arrangement for this purpose.
Data controllers often rely on third parties to process personal data on their behalf. Within the General Data Protection Regulation, these parties are called data processors.
The main selection criterion is that a data processor must be able to set everything up so as to adhere to the regulatory requirements in full, and it is the data controller's duty to ensure this. Another important requirement is that the processor cannot engage any other processor without written permission issued by the data controller. If the permission is general, the processor must also notify the controller about any intended changes in terms of adding or replacing data processors.
Quite often, the processing of personal data requires an additional role, the data protection officer (DPO). This is a person who must be appointed by the data controller or processor in order to assist in ensuring GDPR compliance. There are three situations in which a DPO is required:
When public authorities (except courts) play the role of the controller, processor, or both.
When the processing involves large-scale monitoring of data subjects in relation to special categories of data or criminal information.
When the core activities require regular monitoring of data subjects on a large scale.
There are some significant nuances in the use of DPOs under GDPR. First, several data controllers and data processors can appoint a single DPO, provided the specialist is able to access their data remotely. Second, the officer should be appointed on the basis of professional skills. Third, they can be either an in-house employee or an external service provider.
You can find more important details related to data protection officers in Art. 37.
As we said before, the General Data Protection Regulation is complex and comprehensive, so it contains various legal terms that we should untangle here. With the main roles defined, let's continue with the other concepts, which are no less important.
Under GDPR, processing data means a specific operation or set of operations performed on personal data. GDPR defines the list of such operations, including:
data collection;
data recording;
data organization;
data structuring;
data storage;
data adaptation or alteration;
data retrieval;
data consultation;
data use;
data disclosure by transmission, dissemination or otherwise making available;
data alignment or combination;
data restriction, erasure, or destruction.
Simply put, data protection means a set of measures for keeping the data safe from any unauthorized access. The idea is to follow the seven main data protection and accountability principles depicted in the next block.
The data protection principles mentioned above and outlined in Art. 5 are an integral part of the philosophy the regulation is based on. These principles must be strictly followed by those who process personal data.
Lawfulness, Fairness, and Transparency. Personal data must be processed lawfully, fairly, and in a transparent manner, in relation to the data subject.
Purpose Limitation. Personal data must be collected only for previously specified, explicit, and legitimate purposes.
Data Minimization. Apart from being relevant and adequate, the data you process must be limited to what is necessary.
Accuracy. You must ensure that the personal data is accurate and up to date, promptly rectifying any outdated pieces or deleting them if they cannot be rectified.
Storage Limitation. Do not store collected personal data longer than you need it for your overarching purpose.
Integrity and Confidentiality. You must ensure the data collected cannot be accessed, stolen, lost, destroyed, damaged, or unlawfully processed by third parties.
Accountability. The data controller must be able to demonstrate their adherence to all the principles above.
Identification of a natural person is also possible through analysis of some behavioral, physical, or physiological features of this person. For instance, it could be fingerprints, face images, or iris scans. Under the General Data Protection Regulation, these features are called biometric data.
Like the other types of sensitive personal data, biometrics require additional protection measures. Generally, this means a prohibition on processing biometric data for the sole purpose of identifying the data subject. There is, however, a number of exceptions, ranging from explicit consent of the data subject to substantial public interest. You can find the full list in Art. 9.
GDPR considers international data transfers as all the transfers of personal data to or from a country outside the European Economic Area (EEA).
The general requirement for all international transfers is that they may only be carried out in full GDPR compliance. This means the level of protection must be kept at the required level and some conditions must be met:
the EU must have decided (an adequacy decision) that the third country, territory, or international organization ensures an adequate level of data protection;
if there is no decision, a controller or processor may process data using international transfers after providing some protective measures and ensuring that effective legal remedies and enforceable subject rights exist;
in the absence of both a decision on the adequacy and protective measures, the international transfer use cases are limited to the explicit consent of the data subject, the performance of a contract, reasons of public interest, the establishment of legal claims, protection of vital interests, or availability from a public register.
GDPR encourages organizations operating with personal data to think about proper measures for personal data protection right from the earliest stage of the product or service development lifecycle.
In other words, these privacy measures should be incorporated into their design specifications, business processes, and work environment. These privacy measures should effectively protect users' personal data by limiting its collection, accessibility, and retention time, as well as ensuring data accuracy.
As the fines for breaching GDPR are enormous, it's crucial to analyze, detect, and mitigate data protection risks. The systematic process of managing GDPR non-compliance risk is called a data protection impact assessment (DPIA).
Art. 35 describes three cases in which a DPIA is required, including:
a systematic and extensive automated evaluation of personal aspects of natural persons, the result of which produces legal effects on, or similarly significantly affects, the natural person;
when conducting systematic publicly accessible data monitoring at a large scale.
You should conduct a DPIA before starting to process data and then review and update it on a regular basis.
One of the crucial duties of data controllers is maintaining a record of their processing activities. Every single record must contain the following pieces of data:
controller’s name and contact information;
processing purpose;
personal data and data subject categories’ descriptions;
data recipient’s categories’ descriptions;
transfers to third countries/international organizations, with applicable safeguards (where possible);
timeframes for storing different personal data categories (where possible).
You can find a complete list of requirements for records maintenance in Art. 30.
Now, it’s time to form your own successful GDPR compliance checklist within your organization. You can use this one as a base and modify it to your needs along the way.
Appoint a data protection officer (DPO)
Ensure all the affected people within your company are aware of GDPR's importance and of its requirements
Audit all your data and identify which is GDPR-protected
Review your privacy policies and make them GDPR-compliant
Set the processes for covering the rights of individuals and requests from data subjects
Identify the legal basis, document it, and add it to your policy
Review how you seek, obtain, and record consent
Review how you handle children’s data
Set data protection by design and privacy impact assessment protocols
Create or update your protocols for detecting, reporting, and investigating data breaches
___________________________________________________________________________
This article was developed for information purposes only. For legal advice, contact your trusted advisor. Alternatively, Whistleblower Software can connect you with a local legal expert.