This blogpost will try to explain in layman terms what is the GDPR and how can it affect your personal and professional life.
The European General Data Protection Regulation (GDPR) is applicable as of May 25th, 2018 in all EU member states to harmonise data privacy laws across Europe.
According to Article 1 of GDPR, “this Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.” Additionally, it “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”
All articles of the regulation, as well as key issues regarding compliance with GDPR may be found here.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The term “personal data”, according to GDPR, includes any information which is related to an identified or identifiable natural person. Thus, GDPR only applies to individuals and does not apply to information about legal entities. In addition, GDPR refers to sensitive personal data, including all the special categories of personal data (such as genetic, biometric & health data, racial & ethnic origin, political opinions) which must be subject to a higher level of protection.
GDPR identifies two types of entities that can process personal data. The data controller (“controller”), who is the entity which, alone or jointly with others, determines the purposes and means of the personal data processing, and the data processor (“processor”), who is the entity which processes personal data on behalf of the controller. It is critical, when performing a data mapping to determine whether the entity processing personal data for each data processing activity is a controller or a processor.
A checklist in order to be used regarding the above issue may be found here.
Another important issue to be addressed is the context within a particular processing activity is considered to be GDPR-compliant. Specifically, GDPR introduces the criticality of the data subject’s consent. Consent must be freely given, specific, informed, and unambiguous. The data subject must also be informed about his or her right to withdraw consent anytime. The withdrawal process must be as easy as the one giving consent.
The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR.
The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Under the GDPR, individuals are guaranteed certain basic rights with regard to their personal data. The data subject’s rights are depicted in the articles 12 – 23 of the regulation, while some additional details are provided here.
Some of the key steps that an organisation needs to follow for ensuring its compliance with the GDPR are as follows.
- Perform a Data Mapping in order to identify the way information flows in the company.
- Conduct a Data Protection Impact Assessment (DPIA) in order to check the criticality of the information processed by the company.
- Conduct GDPR training.
- Ensure that the right procedures are in place to detect, report and investigate not only internal but also external data breaches. Please note that data breaches must be reported to the Supervisory Authority within 72 hours.
- Designate a Data Protection Officer (DPO), if applicable for the organisation.
The above steps, as well as details regarding their implementation are described in the following links.
Please note, that non-compliance with the regulation will result to fines up to 4% of the organisation’s global revenue or 20 million EUR, whichever is higher. Certain other types of infringements carry a maximum fine of 2% of global revenue, or 10 million EUR, whichever is higher.
A comprehensive guide and other related information regarding GDPR may be found in the following links.
We hope the article helped you to grasp the basics regarding GDPR and gave you a starting point if you want to research the subject in depth.
Until next time.