- What is GDPR compliance and how does it apply to your business?
- Which standards and principles have laid the foundation for GDPR? What are the business implications of GDPR?
- How will the geographical establishment of your business affect the process of GDPR compliance? And how can your business easily achieve GDPR compliance?
General Data Protection Regulation (GDPR)
Almost every interaction between an individual and an organization involves sharing some personal data: name, address, contact details and so on. This is usually done to make processes simpler and more effective for both sides. Organizations that collect and process this data, however, must ensure that they have the controls needed to protect and secure this Personally Identifiable Information (PII).
Data protection laws such as the GDPR exist to ensure that shared data is used in a lawful way. An organization that is established in the European Union, or that processes the personal data of individuals in the EU in order to offer them goods or services or to monitor their behaviour, must monitor, review and manage its processes to comply with the General Data Protection Regulation (GDPR), regardless of where in the world the organization is located.
The GDPR was adopted in April 2016 and has applied since 25 May 2018. Its intent is to provide a single set of data privacy rules that give individuals a higher level of protection and stronger rights over their data.
GDPR – Background
The European Union started with the Data Protection Directive (95/46/EC) in 1995, which required each member state to implement its own legislation meeting minimum data privacy and security standards. Because each country interpreted the directive differently, the rights and freedoms of EU citizens varied depending on which member state they lived in.
With the rapid growth of the Internet it became evident that personal data had real value and that stronger controls were needed to secure it. The 1995 directive was therefore replaced by a comprehensive, directly applicable regulation on personal data protection: the GDPR, adopted by the European Parliament in April 2016.
Understanding the applicability of GDPR compliance
The main purpose of GDPR compliance is to protect the personal data of individuals in the European Union that is controlled or processed by organizations, whether those organizations are located inside or outside the EU.
Organizations established in the EU are always within scope. For organizations established outside the EU, there are two circumstances in which GDPR compliance is required:
- Offering goods or services: If an organization offers goods or services to individuals in the European Union, for example through campaigns targeted at them, then the organization must comply with the GDPR (it does not matter whether payment is required).
- Behaviour monitoring: If an organization monitors the online behaviour of individuals in the EU, for example by tracking their cookies or IP addresses when they visit its website from EU countries, then the organization falls within the scope of the GDPR.
Data Controller and Processor
GDPR recognizes that not all organizations involved in processing personal data carry the same level of responsibility. An organization is classified as either a controller or a processor, and the two roles carry different compliance obligations.
- Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller, and only on the controller's documented instructions.
NOTE: Data subject is the individual to whom the data relates.
Personal Data – Elements
The GDPR defines personal data as any information relating to an identified or identifiable natural person. To protect this data, minimize breaches, and increase security and transparency between organizations and consumers, the regulation treats data elements such as the following as personal data:
- Names, postal addresses, phone numbers and other contact details
- Email addresses
- IP addresses and other online identifiers such as cookie identifiers
- Unsubscribe confirmation URLs that contain an email address and/or a name
Additionally, the regulation defines "special category data" that is particularly sensitive and requires stricter controls and an explicit legal basis before it may be processed at all. This category covers information about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data and biometric data processed to uniquely identify a person
- health, sex life or sexual orientation
Principles of GDPR
At the core of the regulation lie the principles (Article 5) that set the expectations for everyone who is required to be GDPR compliant. These principles guide organizations in making decisions that ensure personal data is protected and used appropriately:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability: the controller must be able to demonstrate compliance with the principles above
Individual GDPR rights
In addition to defining requirements that organizations must meet, the regulation also grants individuals rights over the management of their data.
- Right to be informed: Organizations must tell the individual what data is being collected, what it is used for, how long it will be kept, and if and with whom it will be shared.
- Right of access: Organizations must provide a way for individuals to request a copy of the personal data held about them, normally free of charge and within one month.
- Right to rectification: Individuals must be able to check that the information held about them is accurate, and can require that inaccurate or incomplete information be corrected.
- Right to erasure: Individuals can request that personal data held about them is deleted, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent.
- Right to restrict processing: Individuals can require an organization to limit how it uses their data, for example while the accuracy of the data is being disputed, so that it is stored but not otherwise processed.
- Right to data portability: Individuals can obtain the personal data they provided to one organization in a structured, commonly used, machine-readable format and transfer it to another organization.
- Right to object: Individuals can demand that an organization stops using their data in a way to which they object, including direct marketing.
- Rights in relation to automated decision making and profiling: Individuals can object to, or ask for human review of, decisions made solely by automated means, such as profiling used to target advertisements or content.
Motivation for complying with the GDPR
In the event of a personal data breach, the General Data Protection Regulation (GDPR) requires the controller to assess the risk to the affected data subjects, to notify the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to them, and to inform the data subjects themselves where the risk is high. The regulation sets new standards for data protection and recognizes that personal data has become enormously valuable to companies, which may trade it with third parties. It therefore places limits on how organizations may process this data, and non-compliance can be penalized with fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher.