General Data Protection Regulation (GDPR)
- Oluwafemi Adesogbon
- Dec 5, 2024
- 7 min read
Updated: Jan 18

Photo Source: Computer Link
Introduction
The EU’s General Data Protection Regulation (GDPR) aims to extend data protection to the era of big data and cloud computing, ensuring that data protection is a fundamental right that is regulated consistently throughout Europe. The GDPR is the most stringent privacy and security law globally. Although established by the European Union, the GDPR applies to both European and non-European companies worldwide that serve European customers and collect their data. The GDPR imposes severe penalties for non-compliance, with fines reaching up to tens of millions of euros.
History of the GDPR
The European Convention on Human Rights (1950) enshrined the right to privacy, stating that "Everyone has the right to respect for his private and family life, his home, and his correspondence." The European Union has since developed laws to uphold this right. Technological advancements, such as the advent of the Internet, highlighted the need for updated safeguards. In 1995, the EU passed the European Data Protection Directive, which served as a foundational framework for member states to create their data protection laws. However, as technology progressed rapidly, the directive became outdated.
By the early 2000s, the Internet had transformed: banner ads appeared in 1994, online banking proliferated in 2000, and social media platforms like Facebook emerged in 2006. Data privacy concerns grew, exemplified by a 2011 lawsuit against Google for scanning emails. Recognising these challenges, the EU initiated work to modernise its regulations. Europe’s data protection authority declared the EU needed “a comprehensive approach on personal data protection” and work began to update the 1995 directive.
In April 2016, the GDPR was adopted by the European Parliament, and it came into effect on May 25, 2018. The GDPR's primary goal is to protect the privacy of EU residents.
The Scope of GDPR
Firstly, even if you are not in the EU, you are still subject to the GDPR if you handle the personal data of EU citizens or residents or provide products or services to them. Secondly, there are steep penalties for breaking the GDPR. In addition to the two levels of fines, which have a maximum of €20 million or 4% of worldwide turnover, whichever is larger, data subjects are entitled to compensation for damages.

Photo Credit: Future Processing

Photo Credit: EQS Group
Meanwhile, the GDPR provides extensive definitions for a wide range of legal terms. Listed below are a few of the more significant ones that this article discusses:
● Personal Data: Any piece of information relating to a person who can be directly or indirectly identified is considered personal data. Clearly, email addresses and names are personal information. Other examples of personal information include location, gender, ethnicity, biometrics, religious beliefs, web cookies, and political views. The concept can also apply to pseudonymous data if it is reasonably possible to identify a person using it.
● Data Subject: The individual whose data is processed is known as the data subject. In practice, these are your site visitors or your customers.
● Data Controller: The individual who determines the purpose and method of processing personal data is known as the data controller. This applies to you whether you manage data as an employee or as the owner of your company.
● Data Processor: A third party that handles personal data on behalf of a data controller is known as a data processor. These people and organisations are subject to particular obligations under the GDPR. They can include email service providers like Proton Mail or cloud services like Google Drive, Proton Drive, or Microsoft OneDrive.
● Data Processing: Any action taken on data, whether automated or manual, is referred to as data processing. The text gives examples of collecting, recording, structuring, organising, storing, using, erasing, and pretty much anything else.
What Information is Protected by GDPR?
Any business or organisation that wants to collect and utilise personal data must have the users' consent. Information pertaining to "an identified or identifiable natural person"—also known as a data subject—is considered personal data under the GDPR.
The following categories of information are included in personal data:
● Name
● Identification number
● Location information
● Any details pertaining to "the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person"
● Biometric information obtained by a technical procedure, such as fingerprinting or facial imaging
● Details about a person's medical condition or treatment
● Information about an individual's race or ethnicity, religious convictions, or political views
● Membership in a union
Principles of the GDPR
Article 5(1)-(2) of the GDPR lays out seven protection and accountability principles that must be followed when processing data.

Photo Source: URM Consulting
Lawfulness, fairness and transparency — For the data subject, processing must be fair, legal, and transparent.
Purpose limitation — When you gather data, you must process it for the legitimate purposes that were clearly stated to the data subject.
Data minimisation — You should only gather and use as much data as is strictly required for the stated goals.
Accuracy — You must maintain current and correct personal information.
Storage limitation — Personal information may only be kept for as long as is required to fulfil the stated purpose.
Integrity and confidentiality — Processing needs to be carried out with the proper security, integrity, and confidentiality in mind (e.g. by utilizing encryption).
Accountability — The data controller must be able to demonstrate compliance with all of these principles in order to be in compliance with the GDPR.
Implementing GDPR Security
In order to handle data safely, you must implement “appropriate technical and organisational measures.”
Technical measures can range from entering into contracts with cloud providers that use end-to-end encryption to mandating that your staff use two-factor authentication on accounts that store personal data.
Staff training, incorporating a data privacy policy into your employee handbook, or restricting access to personal information to only those employees who require it are examples of organisational measures.
You have 72 hours to notify the data subjects of a data breach, or else you risk fines. (If you employ technical measures, like encryption, that make the data unusable to an attacker, this notification requirement can be waived.)
In practice, this means that while designing a new product or activity, you have to take data protection principles into account from the start. This idea is covered in Article 25 of the GDPR. For instance, suppose you are introducing a new app for your business. You must examine what personal information the app could collect from users, try to reduce the amount of data collected, and apply current technologies to safeguard it.
When Does GDPR Allow you to Process Data?
Article 6 enumerates the situations in which processing personal information is permitted. A person's personal information should never be touched, collected, stored, or sold to advertisers unless one of the following can be used as justification:
The data subject explicitly and unequivocally consented to the processing of the data. For example, they have chosen to be added to your marketing email list.
Processing is required to execute, or to prepare to enter into, a contract to which the data subject is a party. (For instance, you must run a background check on a potential renter before renting out your house.)
You must process the data in order to fulfil a legal obligation. (For instance, you receive an order from a court within your jurisdiction.)
Processing the data is necessary in order to save a life. You'll likely be able to tell when this one applies.
Processing is required to carry out an official function or a task in the public interest. For example, you are a private waste collection company.
It is in your legitimate interest to handle someone's personal information. This is the most accommodating legal basis; however, your interests are always subordinated to the "fundamental rights and freedoms of the data subject," particularly when it comes to a child's data.
Once the legal basis for your data processing has been established, you must record it and inform the data subject (transparency!). Additionally, if you later decide to modify your rationale, you must have a valid cause, record it, and let the data subject know.
GDPR Conditions for Consent
There are stringent new guidelines about what constitutes a data subject's consent to have their information processed.
Consent must be "freely given, specific, informed, and unambiguous."
Consent requests must be made in "plain and unambiguous language" and be "clearly distinguishable from the other matters."
Data subjects have the right to withdraw their consent at any time, and you must respect their choice. You cannot simply switch to one of the other legal bases for the processing.
A child under the age of thirteen may give consent only with parental approval.
Documentary proof of consent must be preserved.
GDPR and Privacy Rights
You are either a data processor or a data controller. However, you are also a data subject as an Internet user. In an effort to give people greater control over the data they provide to businesses, the GDPR acknowledges a long list of new privacy rights for data subjects. To make sure your company complies with GDPR, it's critical to comprehend these rights. A summary of the privacy rights of data subjects is provided below:
● The right to be informed
● The right of access
● The right to rectification
● The right to erasure
● The right to restrict processing
● The right to data portability
● The right to object
● Rights in relation to automated decision-making and profiling
Conclusion
The GDPR is more than just a regulatory framework; it is a comprehensive approach that intertwines data protection with cybersecurity to safeguard individual privacy rights in the digital age. By setting rigorous standards, it ensures that organisations prioritise both personal data protection and robust cybersecurity practices. Complying with GDPR fosters a culture of accountability, where data protection is considered integral to any organisation’s cybersecurity strategy. This alignment not only protects individuals' data but also strengthens trust in the digital ecosystem. As cyber threats evolve, the synergy between data protection and cybersecurity under GDPR will remain essential to preserving privacy and security across borders.