What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a comprehensive data protection regulation introduced by the European Union in 2016 and enforced in 2018. It gives individuals greater control over their personal data and unifies data protection laws across the EU member states.
The GDPR applies to all organizations that process data of EU citizens, regardless of where the organization is based. It sets forth strict rules that organizations must abide by when handling personal data. In addition, the GDPR outlines the rights that individuals have over their personal data.
Principles relating to the processing of personal data
The fundamental rules and values of the GDPR are contained in seven key data protection principles. They were created to ensure that personal data is handled in an appropriate manner. These principles include the following:
- ‘Lawfulness, fairness, and transparency
Personal data is to be processed according to the law and in a fair manner. Moreover, the process must be transparent and not misleading to the people.
- ‘Purpose limitation’
Personal data must be collected for specified and legitimate purposes. It is prohibited to use it for any other purposes without obtaining additional consent.
- ‘Data minimization’
Only the minimum amount of personal data necessary to achieve processing purposes is allowed to be collected.
It is required to take reasonable steps to ensure that personal data is accurate.
- ‘Storage limitation’
Personal data must be kept for no longer than necessary for the purposes for which it is processed.
- ‘Integrity and confidentiality’
Personal data must be processed in a manner that ensures appropriate security, so as to ensure no data leak or data breach occurs.
Companies must be accountable for their data processing activities and remain compliant with the GDPR.
Who is subject to the GDPR?
The GDPR applies to two main groups—data controllers and data processors.
Data controllers are organizations or individuals that determine the purposes and means of processing personal data. In other words, they decide what data will be collected, how it will be used, and who it will be shared with. Any organization that processes personal data in the European Union, regardless of where it is located, is subject to the GDPR if it is a data controller. This includes both for-profit and non-profit organizations, as well as public bodies.
Any organization that acts as a data controller, or indeed any other organization that handles information relating to data subjects, must attain and maintain GDPR compliance. This is essential not only to avoid a personal data breach but also to mitigate any risk of mishandling sensitive personal data. Failure to do so can result in hefty fines and irreparable damage to an organization’s reputation.
Data processors are organizations or individuals that process personal data on behalf of a data controller. These are any third-party service providers that process personal data on behalf of a data controller. Examples include cloud service providers, payroll service providers, and marketing agencies.
What’s also worth noting is that under certain circumstances, data controllers and data processors must designate a data protection officer (DPO). This happens if:
- The process is carried out by a public authority or body (except for courts acting in their judicial capacity).
- Their core activities involve regular and systematic monitoring of individuals on a large scale.
- Their core activities involve processing special categories of data on a large scale (e.g., health data, biometric data, etc.).
What information does the GDPR protect?
Broadly speaking, the GDPR protects personal data. GDPR Article 4 provides this definition of what constitutes personal data:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Apart from general personal data relating to an individual, such as a name, address, contact information, or IP addresses, the GDPR also mentions information subject to a higher level of protection, like:
- Genetic data
- Biometric data
- Health data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
The GDPR applies to all personal data, both held electronically and in hard copy, as well as that collected directly from an individual and from other sources. And finally, it also applies to pseudonymized data and data that has been encrypted, as this data can still be used to identify someone in certain circumstances.
What rights do EU citizens have under the GDPR?
EU citizens have several rights with regard to their personal data. These rights are:
- Right to be informed about who, how, and why is processing your data. This information also needs to be presented in clear and plain language and be easily accessible, through a privacy notice or a similar form of communication.
- Right of access to personal data and right to request information about how it is being processed.
- Right to rectification, meaning individuals have the right to request that their personal data be corrected if it is inaccurate or incomplete.
- Right to erasure, or the right to be forgotten, is a right providing an individual with the possibility to request that their personal data be erased. It’s applicable in certain circumstances, such as when the personal data is no longer necessary for the purposes for which it was collected or processed, or when consent is withdrawn.
- Right to restrict processing applies when an individual requests that the processing of their personal data be restricted. Essentially, this means that the data can be stored but not processed. This right applies in certain circumstances, such as when the accuracy of the personal data is contested, or when the processing is unlawful.
- Right to data portability gives an individual the right to receive their personal data in a structured, commonly used, and machine-readable format. This data should be then transferred to another data controller without hindrance. This right applies in certain circumstances, like when the personal data is processed based on consent or when the processing is carried out by automated means.
- Right to object grants the individual the right to object to the processing of their personal data on grounds relating to their particular situation. This right applies when the personal data is processed for direct marketing purposes or when the processing is based on the legitimate interests of the data controller.
- Rights in relation to automated decision-making and profiling—Individuals have the right to object to automated decision-making, including profiling, which has legal or similarly significant effects on them. They also have the right to obtain human intervention in such decision-making, express their point of view, and challenge the decision.
Data privacy laws in the US
While the European Union has one, extensive regulation on the subject of data privacy and data protection, the US doesn’t have such a comprehensive law on the federal level. Instead, there are multiple federal laws addressing specific sectors, such as financial and medical sectors, as well as state-level laws that provide additional regulations.
As for federal laws, the most notable include:
- U.S. Privacy Act of 1974: regulates how federal agencies handle personal data
- Health Insurance Portability and Accountability Act (HIPAA): establishes regulations on the privacy and security of healthcare information, thus setting appropriate standards for patient confidentiality
- Gramm-Leach-Bliley Act (GLBA):requires financial institutions to provide clients with a privacy notice and provides clients with means to protect personal information
- Children’s Online Privacy Protection Act (COPPA): protects the online privacy of children under the age of 13 and requires website owners to obtain parental consent from minors, before collecting personal information
- Fair Credit Reporting Act (FCRA): regulates the collection, use, and dissemination of consumer credit information, and provides individuals with the right to access and correct their credit reports
Apart from the aforementioned federal laws, some states have passed their own data privacy laws, including:
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- The Virginia Consumer Data Protection Act (CDPA)
- The Colorado Privacy Act (which will go into effect July 1, 2023)
- The Connecticut Personal Data Privacy and Online Monitoring Act (will be effective July 1, 2023)
- The Utah Consumer Privacy Act (which goes into effect December 31, 2023)
What are the Data Protection Impact Assessments?
A Data Protection Impact Assessment (DPIA) is a process that helps organizations identify and mitigate potential risks to individuals’ personal data.
When did GDPR go into effect?
The General Data Protection Regulation on 25 May, 2018.