Major Highlights of Data Protection In EU (GDPR)

Whether you are a multinational business or a startup with limited resources, if you operate in Europe (even if only through a website that people in Europe access), you need to stay up to date with the EU's data protection law, the GDPR.

The GDPR was designed to harmonize data privacy laws across Europe, protect and empower all EU citizens' data privacy, and reshape how organizations across the region approach data privacy.

Key Highlights of GDPR:

1. Companies must get explicit consent from individuals before collecting, using, or sharing their personal data.

2. Individuals have the right to access their personal data at any time, and companies must provide them with a copy of their data upon request.

3. Individuals have the right to have their personal data erased ("the right to be forgotten"), and companies must comply with such requests within one month.

4. Companies must disclose data breaches within 72 hours of becoming aware of them.

5. Companies must appoint a data protection officer (DPO) if they collect or process large amounts of data, if their core activities involve processing sensitive data, or if they monitor the behavior of individuals on a large scale.

6. The GDPR imposes strict fines for companies that violate its provisions: up to 4% of a company's global annual revenue or €20 million, whichever is greater.

7. The GDPR applies to any company that processes the personal data of individuals in the EU, regardless of whether the company is based inside or outside the EU.

So let's demystify the underlying key concepts.

Let's learn from an example. Imagine you are a small business owner, and you want to start using customers' email addresses to send them promotional offers for your products. To do this, you first need to collect those email addresses from your customers. Once you have collected the email addresses, you will need to store them in a database. After that, you will need to create promotional emails, and finally, you will need to send the emails to your customers. All of these steps involve the processing of personal data.

What is meant by personal data?

Under the GDPR, personal data is any information that can be used to identify an individual. This includes, but is not limited to, a person's name, email address, physical address, IP address, and online activity.

However, there are a few conditions that must be met for data to be considered personal data.

  • The first is that the data must be processed by automated means.
  • The second is that the data must be structured, organized, and easily accessible so that it can be used to identify an individual.

In law it is often best to focus on what the lawmakers fundamentally intended, so let's look at what the two conditions above mean strictly in terms of the GDPR.

What is "processed by automated means"?

Under the GDPR, "processed by automated means" refers to any data that is processed by a computer or other electronic device. This includes, but is not limited to, data that is stored in a database, transferred over a network, or even just displayed on a screen. Data generated by IoT devices such as wearables or smart home devices is also considered to be "processed by automated means."

What does "structured, organized, and easily accessible" mean?

In order for data to be "structured, organized, and easily accessible," it must be stored in a way that makes it easy to find and use. This typically means that the data is stored in a database or some other type of electronic format. Structured data is data that is organized into fields, records, or some other type of logical structure. This makes it easy to access and use the data when needed, so that insight can be gleaned from it.

'Organized data' is data that is placed in an orderly fashion. This could mean putting similar items together or arranging things by date. Under data protection law, 'organized data' covers both paper and electronic records.

'Accessible data' is trickier to define, because it depends on who is actually able to access it, but in simple terms it is data that can be retrieved and used upon request. For example, you might have a paper filing system that only you can access. In this case, the data is organized and accessible to you, but not to anyone else. On the other hand, if you have an electronic database that can be accessed by anyone with the correct login details, then the data is organized and accessible to everyone who has those login details.

So in order for data to be considered "structured, organized, and easily accessible," it must be stored in a way that makes it easy to find and use. This typically means that data is stored in a database or some other type of electronic format.

How does GDPR define 'data processing'?

The processing of data is defined under the GDPR as any operation or set of operations that are performed on personal data or on sets of personal data. These operations can be performed by automated or non-automated means.

The GDPR sets out the following principles with regard to the processing of personal data:

1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.

2. Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

3. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

4. Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

5. Storage limitation: Personal data must be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR, subject to the implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

6. Integrity and confidentiality ("security of processing"): Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

7. Accountability: The controller must be able to demonstrate compliance with the principles listed above.

So, in a nutshell...

Regardless of your location or size, whether your website is collecting email addresses for a newsletter or for other purposes, you will be held responsible under the GDPR. In general, any business that handles or retains the data of EU residents must adhere to the GDPR, regardless of where it is located. Penalties can be huge and a big hit to your revenue, so it's best to take precautionary steps now.

There are 4 key points to consider when preparing for GDPR:

1. Get explicit consent from people before you collect, process, or store their data.

2. Keep detailed records of the consent you have received.

3. Allow people to easily withdraw their consent at any time.

4. Make sure you protect the data you collect and store.

Following these steps will help you avoid penalties and ensure that you are compliant with GDPR.

Note: The article and definitions are for educational purposes only and represent the opinion of the author. It should not be used for legal purposes.