General Data Protection Regulation (GDPR): Data Protection & Privacy of Individuals in the European Union (EU)

In a globalized world, where data can transcend physical and national boundaries, the need to protect personal data is crucial. Companies have long been known to process personal data for commercial purposes, without keeping the consumers’ privacy and rights in mind. To address this issue, the European Union (EU) enacted the GDPR, which established a framework for the protection of personal data of individuals in the EU. 

In May of 2018, a new set of regulations called the General Data Protection Regulation (GDPR) went into effect in the European Union. The GDPR requires companies to take extra steps to protect consumers' data. If you're doing business in Europe or have customers from there, it's important to understand what the GDPR is and how it affects you. The GDPR at its center, aims to provide citizens with more control over their personal data and how it is used by companies. It also makes it easier for people to find out what data companies have on them, file complaints against companies that mishandle their data, and enforce their rights.

Background and the Data Protection Directive

Back in October 1995, the EU had passed a new law called the Data Protection Directive. This was enacted at the onset of the internet, with the aim of providing basic protection of personal data in the new, online world. The Directive placed strict controls on how businesses could collect and use personal data, and required each EU Member state to establish an independent national body to oversee any activity related to the collection and free movement of personal data.

The GDPR was introduced in 2018, as a replacement for this directive and was intended to strengthen data privacy and protection. It differs from the Data Protection Directive in that it is a regulation, rather than a directive. While a directive leaves room for individual countries to interpret and implement the law, a regulation requires all member states to comply with it, with no exceptions or loopholes. The GDPR makes no fundamental changes to the 1995 Data Protection Directive's core rules. Rather, it significantly expands the Directive's requirements by introducing a series of new requirements for organizations to reinforce those core rules. The biggest change introduced by the GDPR was the definition of personal data. The GDPR accounts for the latest changes in technology and the ways in which organizations collect personal information.

In this section, we’re breaking down some of the fundamental concepts of the data privacy regulation, and explaining what you need to know. The following list is a short overview of these core concepts and the way in which they can be applied to your business.  For a more detailed description of each section, refer to the official GDPR website.

Important Definitions to Understand the GDPR

The GDPR includes a ton of legal and technical jargon that makes it challenging to understand. Here’s a rundown of the most important definitions related to data collection that you need to know about the GDPR:

Data processing - Data processing includes any action or changes brought on the data - right from collection, recording, organizing, storing, modifying, using, transferring, erasing, destroying etc. 

Data subject - A data subject is an identifiable person whose personal data is being processed. This can include customers, clients, or people who visit your website. 

Data controller - A data controller is the entity that determines how and why personal data is processed. Basically, the person that is in charge of handling the data collected. 

Data processor - A data processor is a third-party that processes data on behalf of or for the benefit of the data controller. This could be a marketing agency or a cloud service provider.

If you fall under the category of a data controller or processor, it is your responsibility to ensure that you adhere to the GDPR and can prove that you have done so.

What is Considered Personal Data Under GDPR?

Personal data is defined in the GDPR as any information that could be used to identify an individual, either by itself or in conjunction with other data. This includes but is not limited to:

• Names
• Email addresses
• Location information
• Ethnicity
• Gender
• Biometric data 
• Religious beliefs
• Web cookies
• Political opinions
• IP addresses
• Mobile device identifiers

Data pertaining to a person's physical, psychological, genetic, mental, economic, cultural, or social identity is also considered personal data under the GDPR. 

Who Does GDPR Apply To?

The short answer is that the GDPR applies to any company that processes or intends to process the data of individuals in the European Union. Therefore, it includes companies based outside of the EU if they offer goods or services to, or monitor the behavior of, individuals in the EU. It also applies to companies processing EU citizens’ data on behalf of other businesses, no matter where those companies are located.

However, there are two significant exceptions to this rule: 

First, the GDPR is not applicable to any data collected for “purely personal or household activities”. This means that if you were to collect personal information to organize a birthday party, the GDPR does not apply to you. 

Second, the GDPR does not apply to organizations with less than 250 employees. While the GDPR does not completely exclude SMBs from its scope, they are exempt from most of its obligations. 

7 Principles of GDPR

If you process data, you must do it in accordance with the following 7 accountability and protection principles:

1. Lawfulness, fairness and transparency — Processing must be legitimate, fair, and open to the data subject.
2. Purpose limitation — You are only allowed to use data for the lawful reasons that were made clear to the data subject when it was collected.
3. Data minimization — You should only collect and process the minimum amount of data required to fulfill the outlined objectives.
4. Accuracy — Personal data collected must be accurate and up to date.
5. Storage limitation — You may only keep personally identifying information as long as it's required for the intended use.
6. Integrity and confidentiality — Processing must be carried out in a manner that provides the necessary security, integrity, and confidentiality
7. Accountability — It is the data controller's duty to demonstrate compliance with all of these GDPR tenets.
8. 
   

8 User Rights of Individuals Under GDPR

The data subject has 8 core rights under GDPR:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
9. 
   

GDPR Non-Compliance Penalties

Fines for non-compliance recorded till date have run into millions of euros with companies such as Amazon and WhatsApp having to pay fines of €746 million and €225 million respectively. Other big companies such as Google and H&M have also come under fire of the EU regulators for not complying with GDPR. It’s clear - the price for not complying with the GDPR rules is steep.

Serious violations could result in fines of up to €20 million, or 4% of the firm’s global annual revenue from the previous financial year, whichever amount is higher. Whereas, less serious violations could lead to a penalty of up to €10 million, or 2% of the firm's global annual revenue from the previous financial year, whichever is greater.

Data protection regulators in the EU are responsible for administering fines under the GDPR. They decide whether a violation has occurred and if so how severe the penalty should be, based on the following criteria:

• Gravity and nature — This includes the why and how of the violation, its impact and how long it took to resolve.
• Intention — Was the violation intentional or a result of negligence?
• Mitigation — Were actions taken to minimize the impact?
• Precautionary measures — Was there enough technical and organizational preparation to stop the violation from happening?
• History — Have there been any pertinent prior violations of the GDPR and the Data Protection Directive before? Were the corrective actions in compliance with the GDPR?
• Cooperation — Was there enough cooperation and support from the company to help the supervisory authority to find the infringement and fix it? 
• Data category — What type of personal data did the infringement affect?
• Notification — Did the company notify the supervisory authority of the infringement?
• Certification — Did the company follow approved codes of conduct and certification procedures prior to the violation?
• Aggravating/mitigating factors — Did the violation cause any additional problems?