General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) sets the global standard for data privacy and security, affecting organizations worldwide that handle personal data of EU citizens. This comprehensive guide covers its history, key principles, requirements for data controllers and processors, and the rights of data subjects. Learn about GDPR compliance, penalties for violations, and how to navigate the complexities of data protection in a digital age.


Introduction

The General Data Protection Regulation (GDPR) is recognized as the most stringent privacy and security law globally. While it was developed and enacted by the European Union (EU), it extends its obligations to organizations worldwide that target or collect data from individuals within the EU. The regulation came into force on May 25, 2018. GDPR imposes significant fines on those who breach its privacy and security standards, with penalties reaching into the tens of millions of euros.

With the GDPR, Europe emphasizes its strong position on data privacy and security during an era where personal data is increasingly stored on cloud services, and data breaches are a common occurrence. The regulation is extensive and complex, which can make GDPR compliance challenging, particularly for small and medium-sized enterprises (SMEs).

When Did the GDPR Come Into Effect?

The GDPR was approved in April 2016, but it took two years to establish its framework, becoming fully effective on May 25, 2018.

History of the GDPR

The right to privacy is rooted in the 1950 European Convention on Human Rights, which asserts, “Everyone has the right to respect for his private and family life, his home and his correspondence.” Building on this foundation, the European Union has worked to protect this right through legislation.

As technology advanced and the Internet was developed, the EU identified the need for modern data protection measures. In 1995, it passed the European Data Protection Directive, setting minimum data privacy and security standards, which each member state implemented through its own laws. However, as the Internet rapidly evolved, so did the need for stronger data protection. Notably, in 2011, a Google user sued the company for scanning her emails, which precipitated the EU's decision to overhaul its data protection laws, leading to the creation of the GDPR.

Key Principles of the GDPR

The GDPR is based on several fundamental principles that dictate how personal data should be handled:

  1. Lawfulness, Fairness, and Transparency: Organizations must process personal data lawfully, fairly, and transparently. Individuals must be informed about how their data is used, by whom, and for what purpose.
  2. Purpose Limitation: Personal data should only be collected for specific, explicit, and legitimate purposes and should not be processed in ways incompatible with those purposes.
  3. Data Minimization: The data collected should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  4. Accuracy: Personal data must be accurate and, when necessary, kept up to date. Any inaccurate personal data must be corrected or erased without delay.
  5. Storage Limitation: Personal data should be stored in a manner that permits the identification of individuals for no longer than necessary for the purposes for which the data is processed.
  6. Integrity and Confidentiality: Personal data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.
  7. Accountability: Data controllers are responsible for ensuring and demonstrating compliance with all GDPR principles.

How Does the GDPR Define ‘Personal Data’?

The GDPR expanded the definition of personal data to include any information related to an identifiable individual. This encompasses obviously personal details such as names and addresses, as well as any other information that could be used to identify someone, such as IP addresses and certain cookie identifiers.

What Are the GDPR Requirements for Data Controllers and Data Processors?

The GDPR defines data controllers as entities that make decisions about the means and purposes of collecting and processing personal data. Data processors, on the other hand, are entities that process personal data on behalf of a data controller.

The GDPR outlines seven key principles for data controllers and processors:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

In addition to these principles, the GDPR mandates several specific actions for data controllers and processors, including:

  • Record Keeping: Data processors must maintain records of their processing activities.
  • Security Measures: Data controllers and processors must regularly implement and test appropriate security measures to protect collected and processed data.
  • Data Breach Notification: Data controllers must notify appropriate authorities within 72 hours of a personal data breach, with certain exceptions. They must also notify the individuals affected by the breach.
  • Data Protection Officer (DPO): Companies that process significant amounts of data may need to appoint a DPO to lead and oversee GDPR compliance efforts.

Scope, Penalties, and Key Definitions

First, if you process the personal data of EU citizens or residents, or offer goods or services to them, then the GDPR applies to you, even if you are not located in the EU.

Second, the fines for violating the GDPR are substantial, with two tiers of penalties that can reach up to €20 million or 4% of global revenue (whichever is higher). Data subjects also have the right to seek compensation for damages.

The GDPR defines various legal terms, including:

  • Personal Data: Any information that relates to an identifiable individual, such as names, email addresses, location data, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions.
  • Data Processing: Any action performed on data, whether automated or manual, including collecting, recording, organizing, structuring, storing, using, or erasing data.
  • Data Subject: The person whose data is processed, such as customers or site visitors.
  • Data Controller: The person or entity that decides why and how personal data will be processed.
  • Data Processor: A third party that processes personal data on behalf of a data controller.

Who Is Covered Under the General Data Protection Regulation?

The GDPR protects any individual who visits websites based in the EU, including individuals both within and outside the union. It also applies to EU citizens whose data exists outside the EU. Additionally, if you are a citizen of another country living in the EU, your data is protected under the law.

Criticism of the GDPR

The GDPR has faced criticism from various quarters. Some argue that the requirement to appoint DPOs or assess the need for them places an undue administrative burden on certain companies. Others contend that the guidelines are too vague, particularly regarding the handling of employee data.

A further point of criticism is that data cannot be transferred to a country outside the EU unless the receiving company guarantees the same level of protection as required by the EU.

There are also concerns that the costs associated with GDPR compliance will increase over time, partly due to the growing need to educate customers and employees about data protection threats and solutions.

Another criticism is the doubt over whether data protection agencies across the EU and beyond can consistently enforce and interpret the regulations, ensuring a level playing field as the GDPR is fully implemented.

How Do Companies Become Compliant Under the General Data Protection Regulation?

Companies can achieve GDPR compliance through various steps, including auditing personal data, maintaining records of all data collected and processed, updating privacy notices, and correcting any errors in their databases.

What Rights Do Data Subjects Have Under the GDPR?

The GDPR grants data subjects (defined as “an identified or identifiable natural person”) several rights:

  • Right to Be Informed: Data subjects must be provided with clear information about how their personal data is collected and processed.
  • Right to Data Portability: Data subjects can transfer their data from one data controller to another.
  • Right of Access: Data subjects have the right to obtain a copy of their collected personal data.
  • Right to Rectification: Data subjects can correct inaccurate data about themselves.
  • Right to Erasure: Data subjects can request the deletion of their data (also known as the right to be forgotten).
  • Right to Restrict Processing: Under certain circumstances, data subjects can limit how their personal data is processed.
  • Right to Object: Data subjects have the right to object to the processing of their personal data, and in certain cases, the data controller or processor must comply with the objection.
  • Right to Object to Automated Processing: Data subjects can object to decisions affecting them that are based solely on automated data processing.

Obligations for Organizations

The GDPR imposes several obligations on organizations (both data controllers and processors) to ensure compliance:

  1. Data Protection by Design and by Default: Organizations must implement appropriate technical and organizational measures to ensure data protection is integral to all processing activities.
  2. Data Protection Impact Assessments (DPIAs): When processing activities are likely to result in a high risk to individuals’ rights and freedoms, organizations must conduct DPIAs to assess the impact.
  3. Appointment of Data Protection Officers (DPOs): Organizations that engage in large-scale processing of sensitive data or regularly monitor individuals on a large scale must appoint a DPO to oversee GDPR compliance.
  4. Breach Notification: In the event of a data breach, organizations must notify the relevant supervisory authority within 72 hours and, in some cases, inform affected individuals.
  5. International Data Transfers: Transfers of personal data outside the EU are only allowed if the destination country ensures an adequate level of data protection or if specific safeguards are in place.

What Are the Penalties for Violating the GDPR?

The GDPR prescribes two tiers of fines for violations, each corresponding to a different category of infringement:

  • First Tier: A violation results in a maximum fine of either €10 million or 2% of the business’s worldwide annual revenue, whichever is higher.
  • Second Tier: A violation results in a maximum fine of either €20 million or 4% of the business’s worldwide annual revenue, whichever is higher.

In addition to these fines, data subjects can seek compensation for damages resulting from a GDPR violation.

Conclusion

The General Data Protection Regulation (GDPR) represents a monumental shift in data privacy and security, setting a global benchmark for the protection of personal data. By imposing stringent requirements on organizations worldwide, the GDPR ensures that individuals’ rights to privacy are upheld in an increasingly digital world. Despite challenges and criticisms, the regulation’s comprehensive framework has led to significant improvements in how personal data is managed and safeguarded, encouraging transparency, accountability, and responsibility. As data continues to drive the global economy, GDPR compliance remains crucial for maintaining trust and avoiding severe penalties. Organizations must continue to evolve and adapt their data protection practices to meet the high standards set by the GDPR, ensuring the privacy and security of personal data in all their operations.
