Table of Contents
- 1 History of GDPR
- 2 What Is GDPR?
- 3 What Is Personal Data?
- 4 Principles of GDPR
- 5 Key Roles in GDPR
- 6 Exemptions Under GDPR
- 7 Rights of Data Subjects Under GDPR
- 8 Obligations of Data Controllers
- 9 Obligations of Data Processors
- 10 Data Protection Impact Assessment (DPIA)
- 11 Data Breach Notifications
- 12 How to be GDPR Compliant
- 13 Cost of Compliance
- 14 Penalties and Fines Under the GDPR
- 15 Conclusions
- 16 Identity.com
In today’s digital age, businesses and organizations collect vast amounts of personal information from consumers. This data is crucial to the decision-making that results in the delivery of quality products and services. Therefore, how that data is handled becomes a significant concern. Consumer information should be handled with care, protected from bad actors, and not used for purposes other than those originally intended. But is this the case? Certainly not.
Data handling risks have always existed, even before the internet, so laws were needed to make sure things were done correctly. The internet changed the way things are, but, unfortunately, its continued growth has also led to more data breaches and mishandling by big tech companies and small businesses alike. More stringent regulatory laws must be enacted to ensure consumer data is handled properly. GDPR is one of these laws.
History of GDPR
The right to privacy is a crucial aspect for countries within the European Union. All member states of the Council of Europe (CoE) adhere to the European Convention on Human Rights (ECHR), which enshrines this right in its articles. Article 8 specifically addresses the right to privacy in one’s personal and family life, home, and correspondence, while acknowledging certain lawful and necessary restrictions in a democratic society. To ensure the application and enforcement of these rights, the European Parliament and Council enacted the 1995 Data Protection Directive. This directive aimed to regulate the processing of personal data and its free movement within the European Union. By establishing a common framework for data protection across the EU, the Data Protection Directive required member states to implement national laws safeguarding personal data.
Although the 1995 Data Protection Directive provided numerous benefits, it had limitations due to the evolving nature of data collection, usage, and management. As a result, the European Union introduced the General Data Protection Regulation (GDPR) as a much-needed update. The GDPR expands its scope and territorial reach, enforces stricter consent requirements, imposes higher penalties, and introduces new regulations. In 2012, the European Commission proposed a comprehensive EU data protection framework reform. After extensive consultations and negotiations, the GDPR was adopted on April 14, 2016, and became enforceable on May 25, 2018. This two-year transition period allowed organizations to update their data protection policies, procedures, and technologies to ensure compliance with the new regulations.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a regulation that safeguards the privacy and rights of European Union (EU) citizens by granting them greater control over their personal data. It modernizes the EU’s data protection laws by imposing strict requirements for organizations handling personal data. The GDPR aims to create a more transparent, fair, and legal framework for managing personal information.
The GDPR is considered one of the strictest sets of regulations for data protection and privacy, similar to the California Privacy Rights Act (CPRA). It applies to any organization processing the personal data of EU citizens, regardless of the organization’s location. This covers personal data processing both within and outside the EU and EEA member states, including cross-border transfers. Under GDPR, data processing covers all operations related to personal data, whether automated or not, from collection and storage to modification and erasure.
What Is Personal Data?
Personal data is any information that relates to an identified or identifiable natural person (data subject). It encompasses any information that belongs to or is linked to an individual. Here are some of the key categories of personal data:
- Basic Identification Information: This includes names, addresses, phone numbers, and email addresses.
- Sensitive Personal Data: This category includes information like racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health information, and sexual orientation. Due to its sensitive nature, this type of data is typically subject to stricter regulations.
- Financial and Employment Data: This category includes financial status, bank account numbers, credit card information, income, employment history, job title, and salary.
- Online Identifiers: These identifiers track your online activity and include online presence, IP addresses, cookies, and device IDs.
- Behavioral Data: This data reflects your online and offline behavior, such as browsing history, search history, and purchase history.
Pseudonymous data is personal data that has been processed so that it can no longer be attributed to a specific person without additional information. It is still classified as personal data if an individual can be identified from it with relatively little effort.
Principles of GDPR
The GDPR lays out seven core principles that organizations must follow when processing personal data:
- Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
- Data minimization: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data shall be accurate and, where necessary, kept up to date; inaccurate personal data shall be rectified or erased without delay.
- Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability: The controller shall be responsible for, and be able to demonstrate, compliance with these principles.
Key Roles in GDPR
Data Subjects
Data subjects are the individuals whose personal data is being processed. They are the consumers, customers, site visitors, etc., whose personal information is collected and used. Under GDPR, data subjects have various rights, including the right to access, rectify, erase, and restrict processing of their personal data.
Data Controllers
A data controller is the legal or natural person, agency, public authority, or other body determining the purposes and means of processing personal data. Controllers include organizations that collect personal data directly from data subjects or receive personal data from other sources. They are ultimately responsible for ensuring compliance with GDPR for the data they control.
Data Processors
A data processor refers to a legal or natural person, public authority, agency, or other body that processes personal data on behalf of the data controller. Data processors include organizations offering IT services, cloud storage, payment processing, and other services involving personal data handling. They act under the instructions of the data controller and have specific obligations under GDPR.
Exemptions Under GDPR
While the GDPR offers extensive protections for the personal data of individuals within the EU and EEA, certain data is exempt from its coverage. It is important to be cautious and avoid relying on exemptions as a standard practice. These exemptions include:
- Personal data processed for national security, defense, and law enforcement purposes.
- Personal data processed for domestic activities or purposes (purely personal or household activity).
- Manual processing of paper records that are part of an organized filing system or intended to be part of such a system.
Note that GDPR does not apply if you neither offer goods or services to people in the EU nor monitor their behavior there. Furthermore, GDPR doesn’t cover cases where the data processed doesn’t directly or indirectly relate to a living person, or where the data is anonymous.
Rights of Data Subjects Under GDPR
Under the GDPR, individuals within the EU gain greater control over their personal data. The rights and privileges they are entitled to include the following:
- The right to be informed – Organizations must provide individuals with information about the collection and processing of their personal data. This information should be in a concise, transparent, intelligible, and easily accessible format using clear and plain language. It includes the purpose(s) of processing, data retention periods, and any third-party sharing.
- The right of access – Data subjects can access and receive a copy of their personal data, along with other processing details. This information should be readily available upon request so that data subjects can be aware of, and verify the lawfulness of, the processing. Requests can be made verbally or in writing, including through social media.
- The right to rectification – Data subjects can request that inaccuracies in their personal data be corrected. They can also have incomplete information completed by the data controller without undue delay.
- The right to erasure – Data subjects can request prompt deletion of their data. This is also known as the right to be forgotten.
- The right to restrict processing – Data subjects can restrict the processing of their personal data under specific circumstances.
- The right to data portability – This right allows data subjects to obtain and reuse their personal data across different services. Data subjects have the right to receive the personal data they have provided to a controller and to transmit that data to another controller without hindrance from the initial controller.
- The right to object – Data subjects can object to the processing of their personal data, especially for direct marketing purposes.
- Rights in relation to automated decision-making – The GDPR restricts controllers from making solely automated decisions, including those based on profiling, that have legal or similarly significant effects on individuals. Automated decision-making refers to decisions made without any human involvement.
Many of these rights are not absolute and depend on the circumstances covered under the GDPR.
Obligations of Data Controllers
Data controllers must adhere to various responsibilities under the GDPR, including:
- Implementing appropriate technical and organizational measures to ensure compliance with GDPR and to demonstrate that processing is conducted accordingly.
- Integrating necessary safeguards into the processing of personal data to meet GDPR requirements and protect data subjects’ rights.
- Ensuring that only personal data necessary for each specific purpose is collected and processed.
- Ensuring that the scope of processing and retention duration for personal data comply with GDPR guidelines.
- Maintaining detailed and accurate records of processing activities.
- Ensuring that data subjects can easily exercise their rights as outlined under the GDPR.
- Obtaining freely given, specific, informed, and unambiguous consent from data subjects for any form of data processing, and ceasing processing of that data if consent is withdrawn.
- Notifying relevant authorities within 72 hours of a data breach and alerting data subjects when necessary.
- Conducting a Data Protection Impact Assessment (DPIA) when processing activities are likely to pose a high risk to individuals’ rights and freedoms.
Obligations of Data Processors
Data processors must adhere to various responsibilities under the GDPR, including:
- Processing personal data only based on documented instructions from the controller.
- Implementing appropriate technical and organizational measures to ensure proper processing according to GDPR requirements.
- Ensuring that all individuals handling personal data commit themselves to confidentiality.
- Assisting the controller in ensuring compliance with GDPR.
- Notifying controllers of any data breaches without undue delay and assisting them in notifying relevant authorities and data subjects as necessary.
Data Protection Impact Assessment (DPIA)
When processing that uses new technologies is likely to pose a high risk to the rights and freedoms of data subjects, the GDPR mandates that the controller conduct an assessment. Organizations must carry out a Data Protection Impact Assessment (DPIA) before the processing begins to evaluate its impact on the protection of personal data. Conducting a DPIA is an essential requirement under the GDPR to ensure compliance with data protection principles.
A DPIA helps organizations identify and address privacy risks proactively. It enables organizations to prevent data breaches, enhance compliance with data protection laws, and boost public trust in their data handling practices. Although mandatory for specific types of processing such as sensitive personal data or large-scale processing, organizations can also conduct a DPIA for all processing activities as a best practice.
Data Breach Notifications
During the processing of personal data, a security mishap may lead to a personal data breach. These breaches occur when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed. Various factors, such as human error, cyber-attacks, or hacking, can contribute to such breaches. It is crucial to recognize that data breaches can cause significant harm to data subjects, particularly if not handled appropriately. The GDPR outlines provisions for addressing these situations.
The GDPR mandates that organizations report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. Additionally, if the breach poses a high risk to the rights and freedoms of affected individuals, organizations must inform them as well. Organizations must make data breach notifications without undue delay, providing specific information such as the nature of the breach, the likely consequences, and the measures taken to address the breach.
How to be GDPR Compliant
To achieve GDPR compliance, organizations must take several steps to guarantee that the personal data they collect and process is handled in line with the regulation’s legal requirements. These steps include:
- Gaining a thorough understanding of all information collected from data subjects and maintaining records of all processing activities, making them available upon request.
- Updating privacy policies to provide transparent information about processing purposes, legal justification for processing activities, data retention duration, and other relevant information required under the GDPR for data subjects.
- Obtaining valid consent from individuals before collecting and processing their personal data.
- Appointing a Data Protection Officer (DPO) to monitor compliance and advise on data protection issues, if required. The DPO should have technical expertise in GDPR assessments and a legal understanding of privacy laws in all relevant jurisdictions.
- Reporting data breaches within the stipulated 72-hour timeframe and having robust breach detection, investigation, and internal reporting procedures in place.
- Identifying and mitigating risk by conducting DPIAs when necessary.
- Creating an internal security policy for team members and raising awareness about data protection.
- Signing data processing agreements with any third parties involved in personal data processing on your behalf.
- Maintaining data security by implementing appropriate technical and organizational measures to protect data.
- Appointing a representative within one of the EU member states if your organization is located outside the EU.
- Implementing privacy by design and by default, integrating data protection measures into the design of systems and processes from the start.
Cost of Compliance
GDPR compliance costs are determined by the size and complexity of an organization and the nature of its data processing activities. This cost can be high, especially for small and medium-sized enterprises with limited resources. Factors that influence this cost include the number of staff, the training and awareness required, and the technical and organizational measures needed, amongst many others. However, the cost of non-compliance can be far more significant.
Penalties and Fines Under the GDPR
Non-compliance with GDPR can result in significant financial penalties and other repercussions. Data subjects can also exercise certain rights in the event of an infringement. The GDPR establishes two tiers of fines based on the severity of the violation:
Tier 1 Infringements
These include violations by controllers, processors, or their certification/monitoring bodies. The penalty for Tier 1 infringements can go up to €10 million or 2% of the company’s global annual turnover from the preceding financial year, whichever is higher.
Tier 2 Infringements
Tier 2 covers more severe breaches, such as violating data subject rights, data processing principles, transferring data to unauthorized countries, and failing to obtain proper consent. The penalty for Tier 2 infringements can be as high as €20 million or 4% of the company’s global annual turnover from the preceding financial year, whichever is higher.
In addition to financial penalties, organizations may face other consequences for non-compliance, such as warnings, reprimands, orders to rectify infringements, temporary or permanent bans on processing data, and even criminal prosecution. The financial penalties are not the only burden of non-compliance. Organizations that breach GDPR may also suffer reputational damage, loss of customer trust, and a decline in business opportunities.
Conclusions
In conclusion, the General Data Protection Regulation (GDPR) is a crucial advancement in safeguarding the privacy and rights of individuals in today’s digital landscape. It establishes a legal framework that holds organizations accountable for collecting and processing personal data. GDPR has faced criticism for its compliance costs and potential impact on innovation. Nevertheless, it remains an essential regulation that is likely to influence data protection globally.
Identity.com
With tech giants reportedly mishandling users’ data, the EU’s GDPR legislation emerged as one of the earliest and most remarkable efforts to address data management issues. It’s encouraging to see governments acknowledging the significance of individual data control, a principle that Identity.com also embraces. Our company envisions a user-centric internet where individuals maintain control over their data. This commitment drives Identity.com to actively contribute to this future through innovative identity management systems and protocols. As members of the World Wide Web Consortium (W3C), we uphold the standards for the World Wide Web and work towards a more secure and user-friendly online experience.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more information about how we can help you with identity verification and general KYC processes.