What is the GDPR and why is it so important?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.
The GDPR is significant as it enhances the safeguarding of personal data rights for EU citizens and outlines the obligations for companies processing such data. All entities handling EU citizen data must abide by the GDPR. With the widespread processing of personal information by companies, non-compliance with the GDPR can result in severe consequences such as substantial fines and harm to a company's reputation.
Who does GDPR apply to?
The GDPR applies to all organizations that process personal data of individuals within the EU, regardless of where the organization is located. This includes companies based outside of the EU if they offer goods or services to individuals within the EU or monitor the behavior of individuals within the EU.
The more formal answer is that the GDPR applies if:
What is Personal Data?
The GDPR defines personal data as any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.
Pseudonymous data can also fall under the definition if it is relatively easy to identify someone from it.
Frankly speaking, you will never find an exhaustive list of what personal data is, since it may be literally any information about an individual. As an example, personal data may include a name, address, ID card/passport number, income, cultural profile, Internet Protocol (IP) address, data on how you interact with a website, etc. Personal data also covers some special categories that businesses are generally prohibited from processing without your consent: (1) racial or ethnic origin; (2) sexual orientation; (3) political opinions; (4) religious or philosophical beliefs; (5) trade-union membership; (6) genetic, biometric, or health data, except in specific cases; (7) personal data related to criminal convictions and offenses, unless this is authorized by EU or national law.
Who are Data Subject, Data Controller, and Data Processor?
Data Subject: A data subject refers to an individual whose personal data is being processed by a data controller or data processor. A dead person or a company cannot be a data subject for the purpose of data protection.
Under the GDPR, it is formally defined as an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller: A data controller is an individual or entity that determines the purposes and means of processing personal data. It is responsible for ensuring that personal data is processed in accordance with the GDPR.
Under the GDPR, it is formally defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A data processor is an individual or entity that processes personal data on behalf of the data controller. A data processor must comply with the instructions of the data controller and ensure that appropriate technical and organizational measures are in place to secure personal data.
Under the GDPR, it is formally defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
These definitions are important because they determine the responsibilities of each actor involved in the processing of personal data under the GDPR.
What is the legal basis for processing personal data?
Businesses must process data in a fair and lawful manner, for a specified and legitimate purpose, and only process the data necessary to fulfill this purpose. They must also satisfy at least one of the following conditions to process personal data lawfully:
- Consent. The data subject has given consent to the processing of their personal data for one or more specific purposes;
- Contractual Obligation. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Legal Obligation. Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Vital Interests. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Task in Interest of Public. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Legitimate Interest. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
International transfer of personal data
The GDPR requires that personal data transferred outside the European Economic Area (EEA) be protected as if it were still within the EU. This means that when a business exports data abroad, it must ensure that either:
- The non-EEA country has protections deemed adequate by the EU. Those countries are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay;
- Appropriate safeguards are put in place, such as adding formal Standard Contractual Clauses to the contract with the non-European data recipient; or
- The transfer is based on specific grounds, such as individual consent.
What are individual rights under the GDPR?
The GDPR lists several privacy rights for data subjects, which aim to give individuals more control over their data being processed by businesses. As a business, it is important to understand these rights to ensure GDPR compliance. The rights are:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- Rights in relation to automated decision making and profiling.
Please find out more about these rights and how you can exercise them on our special page — Data Subject Rights.
What are the seven GDPR Principles?
The GDPR outlines seven key principles for the protection of personal data. These principles are as follows:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Adherence to these principles is fundamental for businesses processing personal data. More information about the principles is available in the official guidance of the Data Protection Commission (DPC), the Irish supervisory authority.
This article is for informational purposes only and is not a substitute for legal advice. We do not offer legal advice. Please always seek guidance from your own legal counsel.