
What does the GDPR actually do?


What is the GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that was implemented by the European Union (EU) on May 25, 2018. The GDPR aims to protect the fundamental rights and privacy of individuals within the EU by providing a framework for the processing and transfer of personal data. It introduces new rules and requirements for organizations that handle personal data, regardless of their location, and imposes significant penalties for non-compliance. The GDPR is designed to enhance individuals' control over their personal data and to ensure that organizations handle such data in a secure and transparent manner. This article will explore what the GDPR actually does and the key provisions within the regulation.

Understanding the impact of GDPR

The General Data Protection Regulation (GDPR) has had a profound impact on global businesses and has significantly increased the focus on data privacy and security. Implemented in May 2018, GDPR has propelled countries around the world to adopt similar privacy standards to protect the personal data of their citizens.

GDPR has brought about a seismic shift in the way organizations handle personal data. It requires businesses to be transparent about their data processing activities, obtain explicit consent for data collection and use, and ensure the security and confidentiality of individuals' personal information. It also grants individuals several rights, such as the right to access, rectify, and erase their personal data.

The impact of non-compliance with GDPR can be substantial. Several high-profile cases have resulted in hefty fines for organizations failing to meet the requirements of the regulation. For example, British Airways and Marriott International faced penalties of £183 million and £99 million, respectively, for data breaches that affected millions of customers. These fines not only demonstrate the seriousness of non-compliance but also underscore the importance of implementing robust data privacy measures.

The introduction of GDPR has not only led to increased protection of personal data but has also prompted businesses to prioritize privacy and security. It has become crucial for organizations to align their practices with the regulation and ensure compliance to avoid jeopardizing their reputation and facing potentially massive financial penalties.

In a data-driven world, understanding the impact of GDPR is paramount for businesses aiming to build trust with their customers and navigate the complex landscape of data privacy and security.

Overview of GDPR requirements

The General Data Protection Regulation (GDPR) imposes a number of requirements on organizations that process personal data. These requirements are aimed at enhancing data protection and privacy for individuals. Under the GDPR, businesses are required to be transparent about how they collect and process personal data, obtain explicit consent from individuals for data processing activities, and ensure the security and confidentiality of personal information. Individuals also have several rights under the GDPR, including the right to access, rectify, and erase their personal data. Non-compliance with the GDPR can result in hefty fines, as demonstrated by high-profile cases such as British Airways and Marriott International. Consequently, organizations are now prioritizing privacy and security, aligning their practices with the GDPR to avoid reputational damage and financial penalties.

Protection officers & supervisory authorities

Protection officers and supervisory authorities play vital roles in the implementation and enforcement of the General Data Protection Regulation (GDPR).

Protection officers, also known as data protection officers (DPOs), are individuals appointed by organizations to oversee their data protection efforts. They act as a point of contact for both individuals and authorities regarding the processing of personal data. DPOs ensure that their organizations comply with the GDPR and other relevant data protection laws and policies. They provide guidance on data protection practices, conduct privacy impact assessments, and monitor compliance within the organization.

Supervisory authorities are governmental bodies or agencies designated by each European Union (EU) member state to enforce and monitor compliance with the GDPR. These authorities have the power to investigate complaints, issue warnings, reprimands, and orders, and impose administrative fines for non-compliance. They also play a crucial role in promoting awareness of data protection rights and providing guidance to individuals and organizations.

Some of the supervisory authorities responsible for enforcing and monitoring compliance with the GDPR include the Information Commissioner's Office (ICO) in the UK, the Commission Nationale de l'Informatique et des Libertés (CNIL) in France, the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) in Germany, and the Autoriteit Persoonsgegevens (AP) in the Netherlands.

Privacy laws & legal obligations

Under the General Data Protection Regulation (GDPR), privacy laws and legal obligations ensure that individuals have control over their personal data. The GDPR sets out principles for the processing of personal data, including the requirement to obtain consent, the obligation to provide transparent information, and the responsibility to implement appropriate security measures.

One significant aspect of the GDPR is its extraterritorial reach. It applies not only to organizations within the European Union (EU) but also to non-EU organizations that process the personal data of individuals within the EU. This extension of privacy protection ensures that Europeans' personal data is safeguarded, regardless of where it is processed.

NGOs like noyb (None Of Your Business) and La Quadrature du Net play a crucial role in enforcing privacy rights. They raise complaints against major tech companies for alleged GDPR violations, advocating for the protection of individuals' personal data.

While the GDPR has brought several successes, including increased awareness of data protection rights, it also has some shortcomings. One area of concern is informed consent. Although the GDPR sets a high standard for obtaining informed consent, there have been cases where it is arguable whether users truly understand the extent of data processing when giving consent.

British Airways example

British Airways serves as a notable example of the consequences faced by organizations for non-compliance with GDPR regulations and failure to adequately protect personal data. In July 2019, the Information Commissioner's Office (ICO), the UK's data protection authority, announced its intention to fine British Airways a record-breaking £183.39 million ($230 million) for a data breach that occurred in 2018. This incident affected approximately 500,000 customers who booked flights on the airline's website or app.

The ICO found that British Airways had violated GDPR requirements by failing to implement appropriate security measures to protect customer data, leading to a breach where users' personal and financial information, including names, addresses, email addresses, and credit card details, were compromised. This breach exposed individuals to the risk of identity theft and financial fraud.

This enforcement action against British Airways demonstrates the serious consequences of non-compliance with GDPR regulations. The significant fine imposed on the airline serves as a clear deterrent and emphasizes the importance of implementing robust data protection measures. It highlights the obligation of organizations to prioritize the security and privacy of individuals' data, as well as the potential impact on their reputation and trust if proper measures are not in place.

The British Airways example underscores the need for all organizations to diligently adhere to GDPR requirements to safeguard personal data effectively. With the threat of hefty fines and reputational damage, businesses must prioritize data protection and implement robust security measures to avoid falling foul of GDPR regulations.

Public authority & their legal basis for processing data

Under the General Data Protection Regulation (GDPR), public authorities are required to process personal data in accordance with specific legal bases and under the principles of data protection. Because the protection of citizens' data and the expansion of privacy rights are primary concerns, the GDPR sets out clear guidelines for public authorities when processing personal data.

The legal bases for processing data by public authorities under the GDPR include the performance of a task carried out in the public interest or in the exercise of official authority vested in the public authority. This means that public authorities can process personal data if it is necessary to fulfill their official duties or to carry out tasks that serve the public interest. Public authorities must ensure that they have a clear legal basis for every processing activity they undertake.

Furthermore, the GDPR extends the scope of privacy protection to non-EU organizations processing Europeans' personal data. This means that if a non-EU organization is processing personal data of individuals residing in the EU, they must comply with the GDPR's requirements. This extension of privacy protection ensures consistency and a high level of data protection for individuals, regardless of where their data is being processed.

Public authorities have specific requirements and obligations when processing personal data. They must implement appropriate technical and organizational measures to ensure the security of the data and protect individuals' rights. Public authorities are also obligated to conduct data protection impact assessments for certain processing activities that may present higher privacy risks. Additionally, they must appoint data protection officers who are responsible for overseeing compliance with data protection laws and regulations.

Undue delay & explicit consent requirements

Undue delay is an important concept under the General Data Protection Regulation (GDPR) that relates to data processing. According to the GDPR, data controllers are required to take action without undue delay when processing personal data. This means that they should promptly and efficiently respond to requests or changes in circumstances related to data processing.

Explicit consent is another key requirement under the GDPR. It is necessary for data controllers to obtain explicit consent from the data subject before processing their personal data, unless there is another lawful basis for doing so. Explicit consent should be freely given, specific, informed, and unambiguous.

To ensure explicit consent is obtained properly, data controllers need to provide clear and concise information to data subjects about the processing activities. This information should include the purposes of the processing, the categories of personal data being processed, the recipients or categories of recipients, the storage period, and the rights of the data subjects. Consent should also be obtained through a clear, affirmative action that signifies agreement (e.g. ticking a box).

If a data subject withdraws their consent, the data controller must take prompt action. They should stop processing the personal data for which consent was withdrawn and delete the data, unless there is another lawful basis for the processing. It is crucial for data controllers to respect the rights of data subjects and comply with their withdrawal of consent without undue delay.

Privacy rights, protection regulations & principles

The General Data Protection Regulation (GDPR) outlines privacy rights, protection regulations, and principles that aim to protect individuals' personal data and privacy. These regulations provide individuals with greater control over their personal information and establish guidelines for organizations processing this data.

One key aspect of the GDPR is the right to information. Individuals have the right to know how their data is being collected, used, and stored. Organizations must provide clear and concise information about their data processing activities, including the purposes of processing, categories of personal data being processed, recipients or categories of recipients, storage period, and the rights of data subjects.

The GDPR also recognizes the right to erasure, also known as the right to be forgotten. Individuals can request the permanent deletion or removal of their personal data when it is no longer necessary for the purposes it was collected, when the data subject withdraws consent, or when the processing is unlawful.

Additionally, individuals have the right to limit data usage. They can request organizations to restrict the processing of their personal data under certain circumstances, such as when the accuracy of the data is contested or the processing is unlawful.

By establishing these privacy rights and protection regulations, the GDPR aims to ensure individuals' personal data is processed lawfully, transparently, and securely. It encourages organizations to implement measures to protect personal data, such as privacy by design and security practices, and empowers individuals to exercise control over their own information.

Protection impact assessments (PIAs)

Protection Impact Assessments (PIAs), referred to in the GDPR itself as Data Protection Impact Assessments (DPIAs), are a mandatory requirement under the GDPR when processing personal data poses a high risk to individuals' rights and freedoms. This assessment helps organizations identify and minimize privacy risks associated with their processing activities.

A PIA consists of four basic components. Firstly, organizations must provide a comprehensive description of the processing operations involved, including the types of personal data being processed and the purposes for which it is being used. This step ensures transparency and allows individuals to understand how their data is being handled.

Secondly, the PIA should highlight the necessity of the processing. Organizations need to justify why the processing of personal data is required and demonstrate that it is proportionate to achieve the intended purpose. This ensures that data is not being unnecessarily collected or used.

The third component involves identifying and implementing measures to mitigate the risks to individuals' rights and freedoms. This may include implementing technical and organizational measures to ensure the security and confidentiality of the data, as well as measures to address any potential negative impact on individuals.

Finally, the PIA should include an assessment of the risks versus the benefits of the processing operation. This allows organizations to weigh the potential benefits against the risks involved and determine whether the processing can be justified from a privacy perspective.

Organizational measures for adhering to GDPR

Organizational measures play a crucial role in adhering to the General Data Protection Regulation (GDPR). Under the GDPR, organizations are required to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data. These measures include ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. Additionally, organizations must implement measures to regularly test, assess, and evaluate the effectiveness of their security measures to ensure the protection of personal data against any unauthorized access, disclosure, alteration, or destruction. Furthermore, organizations must provide training and awareness programs to their staff members regarding data protection obligations and best practices. By implementing these organizational measures, organizations can demonstrate their commitment to safeguarding personal data and complying with the GDPR's requirements.

Security measures

The General Data Protection Regulation (GDPR) has laid out strict security measures that organizations must implement to protect personal data. Adhering to a risk-based approach, controllers and processors are required to assess the potential risks associated with processing personal data and take appropriate measures to mitigate those risks.

One key aspect of this risk-based approach is conducting a Data Protection Impact Assessment (DPIA) for high-risk processing activities. This assessment helps identify and address any potential privacy concerns and enables organizations to implement necessary safeguards.

To ensure the security of personal data, controllers and processors must also implement appropriate technical and organizational measures. These measures encompass a range of actions, such as implementing access controls, encryption, regular data backups, and secure data storage.

Furthermore, the GDPR encourages organizations to design and build their business processes with privacy in mind. This involves incorporating privacy-enhancing techniques such as pseudonymization or full anonymization where applicable. By implementing these techniques, organizations can protect the privacy of individuals while still being able to use and process their data.

When processing personal data, organizations must have a lawful basis under the GDPR. The regulation specifies six lawful bases, including consent, the performance of a contract, legal obligation, protection of vital interests, the performance of a task carried out in the public interest or the exercise of official authority, and legitimate interests pursued by the controller or a third party.

By emphasizing a risk-based approach, conducting DPIAs, implementing technical and organizational measures, and incorporating privacy into business processes, the GDPR aims to ensure the security and protection of personal data.

Organizational measures

To adhere to the regulations set forth by the General Data Protection Regulation (GDPR), companies must implement various organizational measures. These measures aim to protect the privacy and security of personal data and ensure compliance with GDPR requirements.

Firstly, organizations need to maintain records of their processing activities. This involves documenting the types of personal data being processed, the purposes of processing, the categories of data subjects, any transfers of data, and the retention periods. These records help demonstrate accountability and facilitate compliance with GDPR obligations.

Additionally, some organizations may be required to appoint a Data Protection Officer (DPO). While not mandatory for all businesses, a DPO is necessary for public authorities and companies that engage in large-scale regular monitoring of individuals or process sensitive personal data. The DPO is responsible for overseeing GDPR compliance, providing advice and guidance, and acting as a point of contact for supervisory authorities and data subjects.

The role of a DPO may overlap with various functions within the organization, such as cybersecurity, privacy, legal, audit, and technology risk. This overlap ensures the integration of data protection principles into different areas, enhancing privacy and security practices throughout the organization.

Processing activities involving natural persons

Processing activities involving natural persons, as defined by the GDPR, pertain to any operation or set of operations performed on personal data. These activities can include the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction of personal data.

The types of data processed can vary widely, ranging from basic identification information such as names and addresses to more sensitive data like political opinions, religious beliefs, or sexual orientation. The purposes of processing can also differ, depending on the nature of the organization and the specific context. This can include activities such as customer management, marketing, recruitment, contractual obligations, or compliance with legal requirements.

It is essential to note that the GDPR places significant emphasis on obtaining explicit consent from individuals when processing their personal data. Organizations must ensure that they have a proper legal basis for processing, such as the necessity of processing for the performance of a contract or compliance with a legal obligation.

Furthermore, the GDPR introduces specific rules regarding profiling, which refers to any form of automated processing of personal data to evaluate certain aspects relating to an individual's performance, behavior, location, or economic situation. Profiling must be based on clear legal criteria, including the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, or legitimate interests pursued by the data controller.

To reduce privacy impacts, the GDPR encourages pseudonymization, which involves replacing identifying information with fictitious identifiers. Pseudonymized data still allows for data analysis and processing while reducing the likelihood of re-identification and the potential for harm to individuals.
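As an added example (not code from the original article), the following shows one way to implement the pseudonymization described above and in the earlier "Security measures" section: direct identifiers are replaced by keyed HMAC-SHA256 pseudonyms, analysis still works on the pseudonymized records, and reversing a pseudonym requires the separately held key. The records, the key and the field names are constructed for illustration.

```python
"""Keyed pseudonymization of a constructed customer dataset (added example).

The key is the "additional information" that must be stored separately from
the pseudonymized data; an unkeyed hash of an e-mail address could be reversed
by simply hashing guessed addresses, so a secret key is used instead.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (hypothetical people, not real data).
RECORDS = [
    {"email": "ana@example.com", "name": "Ana", "country": "PT", "spend": 120},
    {"email": "bo@example.com", "name": "Bo", "country": "DE", "spend": 80},
    {"email": "ana@example.com", "name": "Ana", "country": "PT", "spend": 45},
    {"email": "cy@example.com", "name": "Cy", "country": "DE", "spend": 200},
]

# Fields that directly identify a person and must not survive pseudonymization.
DIRECT_IDENTIFIERS = ("email", "name")


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key (store it separately)."""
    return secrets.token_bytes(32)


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym from a direct identifier with HMAC-SHA256.

    The identifier is normalised first so "Ana@Example.com" and
    "ana@example.com" map to the same pseudonym.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Return copies of the records with direct identifiers replaced by a pseudonym."""
    out = []
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pid": pid, **kept})
    return out


def spend_per_subject(pseudonymized):
    """Analysis still works on pseudonymized data: total spend per subject."""
    totals = Counter()
    for rec in pseudonymized:
        totals[rec["pid"]] += rec["spend"]
    return dict(totals)


def reidentify(pid, candidate_emails, key):
    """Map a pseudonym back to an identifier; only possible with the key."""
    for email in candidate_emails:
        if hmac.compare_digest(make_pseudonym(email, key), pid):
            return email
    return None


if __name__ == "__main__":
    key = new_key()
    data = pseudonymize(RECORDS, key)
    for row in data:
        print(row)
    print(spend_per_subject(data))
```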

Hefty fines for non-compliance

Non-compliance with the GDPR can result in hefty fines and penalties. The GDPR provides for two levels of fines, depending on the severity of the breach. The first level can lead to fines of up to €10 million or 2% of the global annual turnover of the preceding financial year, whichever is higher. The second level carries fines of up to €20 million or 4% of the global annual turnover, whichever is higher.

When assessing the appropriate penalty, several criteria are considered. These include the severity and duration of the breach, the number of data subjects affected, and the degree of damage incurred. Additionally, factors such as the intentional or negligent character of the infringement, any previous violations, and the degree of cooperation with supervisory authorities are taken into account.

Notable fines have been levied under the GDPR, including those imposed on British Airways, Marriott Hotels, and Google. British Airways was fined £20 million ($26 million) for a data breach that affected the personal and financial details of approximately 400,000 customers. Marriott Hotels faced a fine of £18.4 million ($24 million) following a cyber attack that exposed the personal information of 339 million guests. Google received a fine of €50 million ($56.6 million) for lack of transparency and inadequate consent regarding its data processing activities.

The fines for non-compliance with the GDPR serve as a strong deterrent and emphasize the importance of organizations prioritizing the protection of personal data and implementing robust security measures.
