Summary: The General Data Protection Regulation (GDPR) is a law on personal data protection that applies to all companies doing business in the EU.
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that governs how companies collect, process, and store personal data of EU citizens. Compliance with GDPR is essential for protecting user data and avoiding significant fines.
Note that the GDPR is only concerned with personal data protection; other rules and standards, such as ISO 27001 and SOC 2, deal with information security more generally.
Core Components of GDPR
As the world attempts to meet the challenges of protecting personal and sensitive data in an increasingly connected and digital landscape, GDPR is how the European Union (EU) has chosen to address the concerns of data security for its citizens and businesses. This all-encompassing framework of regulations lays out a number of key considerations with which every business operating in or with the EU must achieve and maintain compliance.
Among these core components are:
1. Explicit Consent and Lawful Processing
The first thing GDPR seeks to address is ensuring all data is used lawfully and with the permission of the subject it concerns. To this end, the framework decrees that any data-holding organization must obtain explicit consent from every data subject before using their information for any purpose. This means relying on a pre-ticked selection box or vague terms is considered insufficient and that consent must be “freely given, specific, informed, and unambiguous.”
Even when free consent has been established, GDPR mandates that all data be processed lawfully, that its use be necessary for the performance of a contract, and that it comply with all legal obligations regarding the legitimate interests of the data handler or any third parties who may be granted access. Any use, no matter how valid the interest or purpose, is considered unlawful by GDPR if it infringes on the rights and freedoms of its subject.
2. Control and Rights of the Data Subject
At the heart of GDPR is the assertion every individual should have the right to control the use of their personal data. The framework then goes on to clearly define several specific rights which every data subject in the EU is assumed to have, and which cannot be removed.
These include:
1. Right to be Informed
Individuals have the right to be informed when their personal data is collected. They should also be told how it will be used.
2. Right to Access
Every individual has the right to access their own data. They also have the right to understand the purpose of its processing, the type of data being processed, how it is processed, and the details of all parties given access to any part of their data.
3. Right to Rectification
Individuals have the right to know the information kept about them is accurate and complete and, where it is not, the right to have the data rectified without delay.
4. Right to Erasure
Also referred to as the “right to be forgotten,” this states that, in certain circumstances, every individual has the right to request their data be deleted completely. This includes when the data subject withdraws their consent, when the data has been unlawfully processed, or when the data is no longer needed for the specific purpose it was collected for.
5. Right to Restrict Processing
GDPR states that individuals have the right to restrict or suppress the processing of their information in certain circumstances, particularly when a query over the accuracy of their data has been raised or when the data subject has an objection to the processing.
6. Right to Data Portability
As an extension to being granted access to their personal information, GDPR dictates every individual has the right to receive that information in a structured, commonly used, and machine-readable format. They also have the right to transfer it to another controller without hindrance.
7. Right to Object
Under GDPR, individuals also have the right to object to their data being processed for purposes such as legitimate interests, direct marketing, and research for scientific, historical, or statistical purposes.
3. Obligations for Data Controllers and Processors
In addition to the rights granted to data subjects, GDPR also places a series of obligations on those who handle data. This includes data controllers, who set the purpose and method of processing personal information, and data processors, who carry out those actions.
Among other requirements, GDPR states processors should only use data on the instructions of its controller and should ensure it is protected through the implementation of all appropriate technical and systematic measures. Records of activities must be maintained by both controllers and processors and, if the organization is large enough or the data is sensitive enough, it may also be mandated that a Data Protection Officer (DPO) is appointed.
One of the most important obligations for data controllers is the requirement to issue data breach notifications. This states that should a data controller become aware of a breach that poses a risk to the rights of data subjects, they must inform the relevant authorities within 72 hours and communicate the breach to those affected without undue delay.
Challenges in Achieving GDPR Compliance
While GDPR brings clarity to the expectations and obligations placed on data-handling organizations, the challenges of achieving compliance with these regulations can be significant. GDPR requirements are complex and exist across multiple jurisdictions. The protection of personal data requires the implementation of robust security measures and ensuring ongoing compliance requires regular audits and diligent updating of procedures.
Among the key aspects of GDPR that organizations should be aware of is that it applies not just to businesses operating within the EU, but to any entity that handles the data of EU citizens, no matter where their base of operations is. For many, this means being aware of and compliant with both the domestic regulations in the business’ home country and the international rules of the EU.
Within this, some of the biggest challenges of GDPR compliance are understanding the nuances of what represents explicit consent, what is specifically considered a legal reason for processing data, and how to ensure full compliance with the rights given to individual data subjects. Achieving all this while delivering transparent processes, clear communication, and straightforward access to every appropriate individual can place incredible demands on any business.
In addition to maintaining compliance with all these aspects of data processing, GDPR also requires organizations to maintain robust data security and ensure breaches occur neither as a result of malicious intent nor of negligence. Preventing unauthorized access or information leaks requires regular risk assessments, testing, and updating of processes and physical systems. Effective data security also requires ongoing training, auditing, and timely responsiveness to changing environments or threat levels. Where data breaches are not prevented, they should be mitigated through efficient response plans before processes are appraised and refined to prevent similar incidents from reoccurring.
The need for continuous monitoring and updating of data protection systems is further complicated by the need to react to evolving regulatory landscapes and developing technology, both of which can expose data managing entities to new obligations and threats. Furthermore, businesses that work with third-party processors are liable for ensuring those parties are also fully compliant with GDPR and that communication channels allow for the swift and complete reporting of issues or breaches.
Consequences of Non-Compliance with GDPR
GDPR in the EU has created clear standards by which data-handling organizations can be judged. As a result, any business that does not achieve compliance becomes exposed to severe consequences.
In the first instance, any business found to be non-compliant with GDPR faces significant fines. These are laid out upfront in the framework and usually communicated in the training of company personnel who are responsible for maintaining GDPR requirements. The scale of these fines is almost unlimited, and the more severe the infringement, the higher the fine is likely to be. For instance, in the case of failing to obtain proper consent or lapses in data security, fines can reach up to €20 million, or 4% of a company’s annual global revenue, whichever is higher. For lesser failings, like poor record keeping, offenders can receive fines of up to €10 million, or 2% of global revenue.
Beyond the official fines are the consequences that come when failure to comply with GDPR leads to misuse of personal data or, as is more likely to hit the headlines, a data breach. The requirement to report any significant failings, and to communicate breaches to the individuals affected, makes it difficult for any organization to keep its GDPR failings quiet and exposes non-GDPR compliant businesses to reputational damage, loss of customer trust, and negative media coverage. Rebuilding this trust can be a lengthy and costly process.
In addition to official financial penalties and a loss of reputation in the market, data breaches or misuse caused by non-compliance with GDPR also leave organizations open to being sued for compensation by those whose information rights have been violated. The damages that can be demanded from such legal cases and the negative press that goes with them can be devastating to those found liable.
Best Practices for GDPR Compliance
To avoid the negative consequences of non-compliance with GDPR, there are several best practices any data-handling organization should put in place. These include conducting a thorough data protection impact assessment (DPIA), implementing safeguarding protocols such as data minimization and encryption, delivering regular training to all appropriate employees, and maintaining clear records of compliance efforts.
A DPIA is an invaluable tool in assessing an organization’s data process, identifying failings or risks, and creating a plan to achieve compliance. GDPR mandates that DPIAs should be carried out wherever significant risk to the data rights of individuals exists, particularly for large-scale data processing, handling sensitive or confidential data, or data that exists in publicly accessible areas. Once a DPIA has been completed, its findings should be implemented completely and without undue delay.
Another key principle of GDPR is data minimization. This means only collecting and processing the specific data needed. The less data that is handled, the less risk there is of a breach or misuse, either intentional or accidental. GDPR also recommends that data is kept safe through encryption, both in its stored state and while it is being transferred, to protect it from unauthorized viewing, access, or modification. Where identifying data is stored alongside sensitive data, it is suggested businesses consider pseudonymization, which involves replacing the identifying data so the sensitive information cannot be connected with the real individual from whom it has been collected.
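The data minimization and pseudonymization ideas in the paragraph above, as an added illustration in Python (this is example code written for this page, not code from the original article or from any GDPR authority): it keeps only the fields an analysis actually needs, replaces the direct identifier with a keyed hash, and holds the pseudonym-to-identifier table separately from the pseudonymized records. The sample records, field names and the key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records for illustration only; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "name": "Alice Example", "phone": "+00 000 0001", "condition": "asthma"},
    {"email": "bob@example.org", "name": "Bob Example", "phone": "+00 000 0002", "condition": "none"},
    {"email": "carol@example.org", "name": "Carol Example", "phone": "+00 000 0003", "condition": "diabetes"},
]

# Data minimization: the analysis only needs the condition, not the name or phone number.
NEEDED_FIELDS = ("condition",)

# Hypothetical secret for the example. In practice it would live in a secrets manager,
# stored and access-controlled separately from the pseudonymized data set.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym from an identifier using a keyed hash (HMAC-SHA256).

    A plain unkeyed hash would be unsafe here: anyone who can guess an email address
    could recompute its hash and re-link the record. With the key held separately,
    the pseudonym on its own does not reveal the identifier or let someone rebuild it.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(records, key, id_field="email", keep=NEEDED_FIELDS):
    """Split records into (pseudonymized records, lookup table).

    The lookup table maps pseudonym -> original identifier. It is the "additional
    information" that must be kept separately and under access control; without it
    the pseudonymized set cannot be attributed to a specific person.
    """
    pseudonymized: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for record in records:
        subject_id = pseudonym(record[id_field], key)
        lookup[subject_id] = record[id_field]
        minimal = {"subject_id": subject_id}
        # Copy only the fields the purpose requires; identifiers are dropped, not masked.
        minimal.update({field: record[field] for field in keep if field in record})
        pseudonymized.append(minimal)
    return pseudonymized, lookup


def contains_direct_identifiers(records, identifier_fields=("email", "name", "phone")) -> bool:
    """Release check: True if any record still carries a direct identifier field."""
    return any(field in record for record in records for field in identifier_fields)


def reidentify(subject_id: str, lookup: Dict[str, str]):
    """Controller-side re-identification (for example, to answer an access request)
    using the separately held lookup table. Returns None for unknown pseudonyms."""
    return lookup.get(subject_id)


def erase_subject(identifier: str, key: bytes, pseudonymized, lookup) -> int:
    """Right to erasure: drop the subject's mapping and their pseudonymized rows.
    Returns the number of rows removed."""
    subject_id = pseudonym(identifier, key)
    lookup.pop(subject_id, None)
    before = len(pseudonymized)
    pseudonymized[:] = [row for row in pseudonymized if row["subject_id"] != subject_id]
    return before - len(pseudonymized)


if __name__ == "__main__":
    data, table = pseudonymize(SAMPLE_RECORDS, PSEUDONYM_KEY)
    for row in data:
        print(row)
    print("direct identifiers present:", contains_direct_identifiers(data))
    print("rows erased for alice:", erase_subject("Alice@example.org", PSEUDONYM_KEY, data, table))
```

Two design points are worth noting. First, the pseudonym is keyed: a bare SHA-256 of an email address is trivially recomputable by anyone who can enumerate plausible addresses, so it would not separate the data from the person in any meaningful way. Second, the lookup table and key are the parts that make re-identification possible, so they are the parts that need the strictest access control and, when a subject exercises the right to erasure, they are deleted along with the subject's rows.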
Finally, as with many aspects of business, training and record-keeping are vital. When data is used throughout the operations of an organization, GDPR is rarely the responsibility of a select few and must generally be maintained by most, if not all, employees. Therefore, regular training should take place to properly communicate the principles of GDPR, the responsibility of the organization, and the procedures in place to ensure compliance. Proper record-keeping processes should be installed throughout the organization, and every employee should be made aware of their role in keeping these accurate and complete.
Conclusion
GDPR is a comprehensive legal framework designed to govern the proper handling of data within any organization. It protects the rights of individuals to have their information handled correctly, sensitively, and in accordance with their wishes. Failure to comply with GDPR can have serious consequences in the form of financial punishments, reputational damage, and exposure to lawsuits. Maintaining compliance is a complex and challenging task but can be achieved by implementing best practices such as thorough risk assessments, data minimization, and complete training of all employees.
Marcel Deer
Business Content Strategist
Marcel is an experienced journalist and Public Relations expert with an honours degree in Journalism and bylines with a range of major brands.