General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was enforced in May 2018. GDPR was initially implemented in 2016, and organizations were given a 2-year grace period for applying the regulation. The regulation was launched by the European Union to protect the personal data of its citizens. The data protection laws designed within GDPR offer more rights to data subjects. This prevents businesses from misusing the personal data they collect from individuals while offering their services and products. Furthermore, businesses catering to the needs of EU citizens need to comply with GDPR irrespective of their location.
What are data subjects?
Data subjects in this context are citizens of the European Union. In a data-driven world, individuals need to secure their personal data, which can otherwise be used for unregulated purposes. As a result, the European Union, European Parliament, and European Commission came up with the idea of protecting the data of their citizens by giving them the authority to decide. This in turn requires every organization conducting its activities with EU citizens to ask for their approval before collecting personal data. Organizations that do not comply with the regulation need to pay huge fines based on the extent of the data breach.
What is considered personal data under GDPR?
Identifiable information, or data that can be traced back to a specific individual, is considered personal data by GDPR. This may include name, address, date of birth, telephone numbers, photographs, location data, bank details, passport numbers, etc. Data that cannot be traced to a person is not covered under the regulation. The regulation further specifies that personal data can only be stored until businesses accomplish the goals for which the personal data was collected. Also, organizations need to securely get rid of the information stored.
In addition to personal data, GDPR also specifies special categories. These special categories carry highly sensitive data, which makes a data subject vulnerable during a data breach. Such data may include religion, medical data, genetic data, and gender identity. Under GDPR, these categories have to be given more importance and protected with top-notch information security programs.
Application of GDPR
Businesses whose operations involve EU citizens must implement GDPR or face penalties for non-compliance. After GDPR came into effect, several nations formulated their own data privacy laws. Each country has its own regulation to protect the personal data of its citizens. These regulations change from one country to another, so organizations need to comply carefully with the laws.
Even after the UK's exit from the European Union, the UK's data protection laws resemble the EU GDPR. Changes in UK laws concern UK citizens and not citizens of the EU. Likewise, companies residing in the UK need to follow GDPR while offering their services to EU citizens.
Key Principles of GDPR
The General Data Protection Regulation sets out 8 core principles which have to be applied by organizations and entities serving the citizens of the European Union. These principles are as follows:
- Downstream protection
- Access and Rights
- Breach Notification
What is the GDPR non-compliance penalty?
Businesses that do not follow the regulation face penalties or huge fines. These fines can amount to 4% of global turnover or 20 million euros, whichever is highest, based on the extent of the breach. Further, data subjects also have the right to sue companies or individuals who have violated their data privacy as per GDPR.
Organizations that have faced data breaches due to external forces are required to notify the data subjects within 72 hours of such a breach. In addition, businesses need to provide data subjects with a notification stating how the personal data is being used and whether it is accessible by a third party. This entitles data subjects to exercise their rights, withhold their consent, and prevent the organization from using the data for other purposes.
Exceptions to GDPR
A separate article under the regulation specifies the list of organizations that need not comply with EU GDPR. Under this article, the law states a list of circumstances when personal data cannot be protected. Some examples of these situations include defense, financial security, crime prevention, public health concerns, and so on. Also, EU members are permitted to apply for specific exemptions.
The extensive articles and chapters of GDPR require organizations to hire professionals certified as EU GDPR Practitioners to establish the compliance process. These professionals execute best practices within the organization to secure sensitive data while aligning those practices with the regulation. In addition, GDPR Practitioners can train employees and create awareness among them regarding the security of highly sensitive information acquired by the organization. Entities are also required to comply with separate regulations imposed by member states of the European Union.