On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, applying EU data protection rules to companies worldwide, provided that they process or store the data of EU citizens. There are rules to follow, and it is advisable to implement them; otherwise heavy penalties can follow.
On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect. This regulation replaced the 1995 Data Protection Directive in the European Union. The GDPR is a response to the digital age, and it aims to give individuals more control over their personal data and how it is used.
The GDPR applies to any company that processes the personal data of individuals in the European Union, regardless of where the company is located. This includes companies based outside of the EU that process the data of EU citizens. This overview and guide will help you understand the GDPR and how it affects you and your organization.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a set of rules that protect your personal data. This includes things like your name, address, and email. The regulation says that companies have to get your permission before they can collect and use this information. They also have to tell you how they plan to use it and give you the chance to change your mind.
The GDPR was passed by the European Parliament in April 2016, and it went into effect on May 25th, 2018. The regulation applies to any company that processes or intends to process the data of individuals in the European Union. This includes companies based outside of the EU, as long as they offer goods or services to people in the EU.
The GDPR replaces the 1995 Data Protection Directive. The directive was passed before the internet was widely used, and it didn’t take into account new technologies. The GDPR updates these rules to reflect the way data is collected and used today.
The GDPR has been criticized by some for being overly bureaucratic and placing unnecessary restrictions on businesses. However, it is widely seen as a step in the right direction towards better protecting the privacy of individuals online.
3 Key Principles of GDPR
Three of the key principles of GDPR outlined in Article 5 are data minimization, integrity and confidentiality (security), and accountability. These principles are designed to protect the personal data of EU citizens.
Data minimization means that organizations must only collect and process the minimum amount of data necessary to fulfill their purposes. This is intended to prevent organizations from collecting excessive data that they do not need.
Integrity and confidentiality (security) means that organizations must take steps to protect the personal data they collect from accidental or unauthorized access, alteration, or destruction. This includes ensuring that data is properly encrypted when stored or transferred.
Accountability means that organizations must be able to demonstrate that they are complying with the GDPR principles. This includes keeping track of how personal data is collected, processed, and stored.
GDPR for Individuals
The GDPR sets out strict rules around how personal data must be collected, used, and protected. It gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use. It also requires companies to get explicit consent from individuals before collecting or using their data.
The EU GDPR gives every individual basic rights over their personal data:
- The right to know what personal data is being collected about them
- The right to have that data erased
- The right to object to its use
- The requirement that companies obtain explicit consent from individuals before collecting or using their data
GDPR compliance for Companies
The GDPR applies to all companies that process the personal data of EU citizens, regardless of where the company is located. Companies that process the personal data of EU citizens must comply with the GDPR unless they can demonstrate that they meet certain conditions.
Companies that are not compliant with the GDPR can be fined up to 4% of their global annual revenue or €20 million, whichever is greater.
There are several steps companies can take to become compliant with the GDPR:
- Review your data processing activities and identify which ones are subject to the GDPR.
- Draft a data protection policy that reflects your company’s compliance with the GDPR.
- Implement appropriate technical and organizational measures to protect the personal data you process.
- Train your employees on how to comply with the GDPR.
- Review your contracts with third-party service providers to ensure they are also compliant with the GDPR.
- Create a mechanism for individuals to exercise their rights under the GDPR.
- Audit your systems regularly to ensure continued compliance with the GDPR.
The EU GDPR can also be seen as an opportunity for companies. Better data protection is good news for customers, data exchange between locations becomes easier, and a uniform standard creates trust.
10 Important points of the General Data Protection Regulation (GDPR)
- The processing principles for data, such as transparency, purpose limitation and proportionality, continue to apply
- Valid consent must be available and it must be possible to withdraw the consent at any time
- Data processing requires a justification or consent
- Data subjects must be informed directly or, if that is not possible, via a publication such as a website (the GDPR defines the minimum content)
- Data subjects have extensive rights to information and access, portability, correction, completion or deletion of their data. It is also possible to object to certain processing (e.g. marketing)
- Technical and organizational measures must ensure that personal data is secured; data processing must be designed so that compliance with the regulation is ensured (Privacy by Design), and the default settings must already protect the data (Privacy by Default)
- Data protection breaches must be reported to the competent authorities within 72 hours and, if there are serious consequences, also to the persons concerned. A record of each breach must also be kept.
- For high-risk processing, a data protection impact assessment is required, and the responsible supervisory authority must be consulted if high risks remain despite the measures taken
- Data transfers to other countries that do not have recognized legal data protection regulations are only permitted under certain conditions.
- Contracts with external data processors (e.g. IT outsourcing, external data analyses) must meet the requirements of the GDPR. Processors may only engage sub-processors with the controller's approval, or with advance notice and a right to object.
Assigning a Data Protection Officer
The role of the data protection officer (DPO) is a new one under GDPR. The DPO is responsible for ensuring that an organization complies with GDPR, and must have adequate knowledge of GDPR and its requirements. The DPO is also responsible for training staff on GDPR requirements, and for conducting data audits. The DPO plays a vital role in ensuring GDPR compliance and must be given the necessary resources to fulfill this role. If your organization meets the criteria for appointing a DPO, make sure to appoint an individual who has the necessary knowledge and experience to fulfill this important role.
The DPO must be appointed by the organization’s management, and must report directly to the highest level of management. The DPO must also be independent from other departments within the organization.
Criteria for when a Data Protection Officer (DPO) needs to be appointed:
- The organization must have more than 250 employees
- The organization must process the personal data of more than 5000 individuals per year
- The organization must have core activities that consist of processing special category data or criminal conviction data
If your organization meets any of these criteria, you will need to appoint a DPO. In appointing a DPO, you should consider an individual who has the necessary knowledge and experience to fulfill this role. You should also ensure that the DPO has adequate time to dedicate to this role, and that they are independent from other departments within the organization.
Appointing a DPO is a key step in ensuring GDPR compliance. By appointing a DPO, you are taking responsibility for ensuring that your organization complies with GDPR. This is an important commitment and one that should not be taken lightly.
Special Topic: Cookie Compliance
Many people ask themselves how to be compliant with website cookies, especially because of the recent EU ruling that forbids the use of tools such as Google Analytics. Cookies are small files that are placed on your computer or mobile device when you visit a website. They are used to help websites remember who you are and what you’ve done on the site, such as filling out a form.
There are two types of cookies to consider for compliance: first-party and third-party. First-party cookies are set by your own website to manage logins, language settings, or other technical functions. Third-party cookies are set by another website, such as an advertising company. These cookies are used to track your activity across different websites and are set by Google, Facebook or other third parties.
The new EU ruling states that websites must get explicit consent from users before setting third-party cookies. This means that you will see a message like this when you visit a website:
You can choose to accept or decline cookies by clicking on the appropriate button below. If you decline, we will not set third-party cookies on your device but some features of the site may not work as expected.
If you’re not sure whether your website is using third-party cookies, you can use an online tool like Cookiebot to find out.
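As an added example (not code from the original article), the following shows the mechanism the banner above describes: third-party loaders stay off until the visitor explicitly accepts, the decision is kept in a first-party cookie, and consent can be withdrawn at any time. The cookie name "cookie_consent" and the loader names are assumptions.

```javascript
// Added example (not from the original article): a minimal consent gate for third-party cookies.
// Assumptions: the cookie name "cookie_consent" and any loader names are hypothetical.

const CONSENT_COOKIE = "cookie_consent";
const CONSENT_TTL_SECONDS = 180 * 24 * 60 * 60; // re-ask after roughly six months

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Return the recorded decision: "accepted", "declined", or null when no valid decision exists.
// Privacy by default: anything other than an explicit "accepted" is treated as no consent.
function readConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === "accepted" || value === "declined" ? value : null;
}

// Build the first-party cookie value that records a decision (assign it to document.cookie).
function consentCookieValue(decision) {
  if (decision !== "accepted" && decision !== "declined") {
    throw new Error("decision must be 'accepted' or 'declined'");
  }
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${CONSENT_TTL_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Cookie value that withdraws consent by expiring the record, so third-party loaders stop running.
function withdrawConsentCookieValue() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Run only the loaders the visitor has consented to. `loaders` maps a tag name to a function
// that injects that third party's script; first-party functionality is never gated here.
// Returns the names of the loaders that ran, so the decision is auditable.
function applyConsent(cookieString, loaders) {
  if (readConsent(cookieString) !== "accepted") return [];
  const ran = [];
  for (const [name, load] of Object.entries(loaders)) { load(); ran.push(name); }
  return ran;
}
```

In a browser you would call `applyConsent(document.cookie, loaders)` on page load and after each click on the banner, and set `document.cookie` from `consentCookieValue` or `withdrawConsentCookieValue`.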
More information can be found in the official documents of the European Union.
This article was originally published in 2017, ahead of GDPR’s implementation, but has since been updated to contain the latest information.