In today’s digital age, businesses and organizations collect vast amounts of personal information from consumers. This data is crucial to the decisions that result in the delivery of quality products and services, so handling it properly becomes a significant concern. Consumer information should be handled with care, protected from bad actors, and not used for purposes other than those intended. But is this the case? Certainly not.
Data handling risks have always existed, even before the internet, so laws were needed to ensure data was handled correctly. The internet changed the landscape, but, unfortunately, its continued growth has also led to more data breaches and mishandling by big tech companies and small businesses alike. More stringent regulatory laws must be enacted to ensure consumer data is handled properly. GDPR is one of these laws.
History of GDPR
The right to privacy is a crucial aspect for countries within the European Union. All member states of the Council of Europe (CoE) adhere to the European Convention on Human Rights (ECHR), which enshrines this right in its articles. Article 8 specifically addresses the right to respect for one’s private and family life, home, and correspondence, while acknowledging certain lawful restrictions that are necessary in a democratic society. The European Parliament and Council enacted the 1995 Data Protection Directive to ensure the application and enforcement of these rights. This directive aimed to regulate the processing of personal data and its free movement within the European Union. By establishing a common framework for data protection across the EU, the Data Protection Directive required member states to implement national laws safeguarding personal data.
Although the 1995 Data Protection Directive provided numerous benefits, it had limitations due to the evolving nature of data collection, usage, and management. As a result, the European Union introduced the General Data Protection Regulation (GDPR) as a much-needed update. Compared with the directive, the GDPR expands the scope and territorial reach of the rules, enforces stricter consent requirements, imposes higher penalties, and introduces new obligations. In 2012, the European Commission proposed a comprehensive reform of the EU data protection framework. After extensive consultations and negotiations, the GDPR was adopted on April 14, 2016, and became enforceable on May 25, 2018. This two-year transition period allowed organizations to update their data protection policies, procedures, and technologies to ensure compliance with the new regulation.
What is GDPR?
As the world continues to evolve, data has become increasingly important. Rapid advancements in technology, such as social media, cloud computing, and the Internet of Things (IoT), have led to a surge in personal data collection and processing by companies. Consequently, instances of data misuse have risen, including high-profile data breaches, hyper-personalized advertising bordering on the intrusive, and growing concerns over surveillance by major tech applications. Extensive data collection increasingly worries consumers about their privacy rights and the implications for them. It is crucial for organizations to be transparent and accountable, and to adhere to legal requirements when handling consumer data.
The General Data Protection Regulation (GDPR) was introduced to safeguard the privacy and rights of European Union (EU) citizens by granting them greater control over their personal data. This regulation modernized the EU’s existing data protection laws by imposing strict guidelines on organizations that process personal data. The GDPR aims to create a more transparent, fair, and legal framework for managing personal information.
Regarding data protection and privacy, the GDPR is considered one of the strictest sets of regulations, closely followed by the California Privacy Rights Act (CPRA). The jurisdiction of the GDPR extends beyond the physical location of an organization. It covers the processing of personal data belonging to individuals in the European Economic Area (EEA). GDPR applies to any organization processing the personal data of EU citizens, regardless of where that organization is located. It covers personal data processing both within and outside the EU and EEA member states, including cross-border transfers of personal data.
Under GDPR, data processing covers all operations related to personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, erasure, or modification, whether automated or not.
What is Personal Data?
Personal data is any information that relates to an identified or identifiable natural person (data subject). It comprises any information that belongs to or is linked to an individual. Personal data includes:
- Basic identification information like names, addresses, phone numbers, and email addresses;
- Sensitive personal data like racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health information, and sexual orientation;
- Financial information like financial status, bank account numbers, credit card information, and income;
- Employment information like employment history, job title, and salary;
- Online identifiers like online presence, IP addresses, cookies, and device IDs;
- Behavioral data like browsing history, search history, and purchase history.
Pseudonymous data is personal data that has been processed so that it can no longer be attributed to a specific individual without additional information, which is kept separately. It still counts as personal data if it is relatively easy to identify an individual from it.
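The distinction in the paragraph above is easier to see in code. The following Python example is added here and is not part of the original article or of Identity.com’s own software. It assumes a constructed two-record data set keyed by email address, a constructed guess list of candidate email addresses, and HMAC-SHA256 under a separately held secret key as the pseudonymization function (the article names no particular scheme). It contrasts an unkeyed hash, which a guess list can reverse, with a keyed pseudonym, which cannot be attributed without the key (the "additional information"), and shows that the key holder can still re-identify records, which is why pseudonymous data remains personal data in the controller’s hands.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data set (not real people): records keyed by a direct identifier.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
]

# Constructed guess list: identifiers an outsider could plausibly assemble from
# public sources. Used only to measure how easy re-identification would be.
CANDIDATE_EMAILS: List[str] = [
    "carol@example.com",
    "alice@example.com",
    "bob@example.com",
    "dave@example.com",
]


def _normalize(identifier: str) -> bytes:
    # Case and whitespace differences must not yield different pseudonyms.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Anyone can recompute it, so it hides
    the identifier only from people who cannot guess it."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the data set. The key
    is the 'additional information' needed to attribute a record."""
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def pseudonymize_records(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace the email with a keyed pseudonym. Returns the pseudonymized data
    set and the lookup table (pseudonym -> email), which must be kept separately,
    together with the key, under its own access controls."""
    pseudonymized: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for record in records:
        pseudonym = keyed_pseudonym(record["email"], key)
        stripped = {k: v for k, v in record.items() if k != "email"}
        stripped["subject_id"] = pseudonym
        pseudonymized.append(stripped)
        lookup[pseudonym] = record["email"]
    return pseudonymized, lookup


def reidentify_by_guessing(
    pseudonym: str, candidates: List[str], pseudonymize: Callable[[str], str]
) -> Optional[str]:
    """Try to link a pseudonym to a known identifier by recomputing the pseudonym
    for each candidate. Returns the match, or None if no candidate matches."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate), pseudonym):
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Compare both schemes on the constructed data set."""
    key = secrets.token_bytes(32)  # in practice held in a KMS/HSM, never beside the data
    pseudonymized, lookup = pseudonymize_records(RECORDS, key)
    alice_keyed = pseudonymized[0]["subject_id"]
    return {
        # Unkeyed hash: the guess list recovers the identity, so the data set is
        # still personal data for anyone who obtains it.
        "naive_guess": reidentify_by_guessing(
            naive_pseudonym("alice@example.com"), CANDIDATE_EMAILS, naive_pseudonym
        ),
        # Keyed pseudonym, attacker has no key: guessing fails.
        "keyed_guess_without_key": reidentify_by_guessing(
            alice_keyed, CANDIDATE_EMAILS, naive_pseudonym
        ),
        # Keyed pseudonym, controller holds the key: attribution works again.
        "keyed_guess_with_key": reidentify_by_guessing(
            alice_keyed, CANDIDATE_EMAILS, lambda c: keyed_pseudonym(c, key)
        ),
        # The separately stored lookup table is the other form of "additional information".
        "lookup_table_entry": lookup[alice_keyed],
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson for a controller is that the protection comes from keeping the key and the lookup table apart from the pseudonymized data set (separate storage, separate access rights, separate audit trail); if they are leaked together, the data set is as identifiable as the original.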
Principles of GDPR
These principles are binding for all organizations in processing personal data:
- Lawfulness, fairness, and transparency — Personal data must be lawfully, transparently, and fairly processed.
- Purpose limitation — Data collection and processing must have a legitimate, specified purpose and should not be used for unrelated purposes.
- Data minimization — Organizations should only collect personal data that is relevant, adequate, and necessary.
- Accuracy — Personal data must be accurate and updated as necessary; inaccuracies must be rectified or erased promptly.
- Storage limitation — Organizations should keep personal data in a form that permits identification of data subjects for no longer than necessary.
- Integrity and confidentiality — Organizations must implement measures to protect data against unauthorized processing, accidental loss, destruction, or damage.
- Accountability — Data controllers must demonstrate their compliance with GDPR by showcasing the measures taken to ensure adherence.
Data subjects are the individuals to whom the personal data being processed relates: consumers, customers, site visitors, and so on.
A data controller is the legal or natural person, agency, public authority, or other body determining the purposes and means of processing personal data. Controllers include organizations that collect personal data directly from data subjects or receive personal data from other sources.
A data processor refers to a legal or natural person, public authority, agency, or other body that processes personal data on behalf of the data controller. Data processors include organizations offering IT services, cloud storage, payment processing, and other services involving personal data handling.
Exemptions Under GDPR
Although the GDPR extensively protects the personal data of individuals within the EU and EEA, certain categories of data are exempt from its coverage. It is essential to exercise caution and avoid relying on exemptions as a standard practice. These exemptions include:
- Personal data processed for national security, defense, and law enforcement purposes.
- Personal data processed for domestic activities or purposes (purely personal or household activity).
- Manual processing of paper records that are part of an organized filing system or intended to be part of such a system.
Note that GDPR does not apply if you neither offer goods or services to people in the EU nor monitor their behavior there. Furthermore, GDPR does not cover cases where the data processed does not directly or indirectly relate to a living person, or where the data has been anonymized.
Rights of Data Subjects Under GDPR
Under the GDPR, individuals within the EU gain greater control over their personal data. The rights and privileges they are entitled to include the following:
- The right to be informed — Organizations must provide individuals with information about the collection and processing of their personal data. This information should be in a concise, transparent, intelligible, and easily accessible format using clear and plain language. It includes the purpose(s) of processing, data retention periods, and any third-party sharing.
- The right of access — Data subjects can access and receive a copy of their personal data, along with other processing details. This information should be readily available upon request for awareness and verification of the processing’s lawfulness. Requests can be made verbally or in writing, including through social media.
- The right to rectification — Data subjects can request that inaccuracies in their personal data be corrected and that incomplete data be completed; the data controller must act without undue delay.
- The right to erasure — Data subjects can request prompt deletion of their data, known as the right to be forgotten.
- The right to restrict processing — Data subjects can restrict the processing of their personal data under specific circumstances.
- The right to data portability — This right allows data subjects to obtain and reuse their personal data across different services. Data subjects have the right to receive their personal data, which they have provided to a controller, and to transmit that data to another controller without hindrance from the initial controller.
- The right to object — Data subjects can object to the processing of their personal data, especially for direct marketing purposes.
- Rights in relation to automated decision-making — The GDPR restricts controllers from making solely automated decisions, including those based on profiling, that have legal or similarly significant effects on individuals. Automated decision-making refers to decisions made without any human involvement.
Many of these rights are not absolute and depend on the circumstances covered under the GDPR.
Obligations of Data Controllers
Data controllers must adhere to various responsibilities under the GDPR, including:
- Implementing appropriate technical and organizational measures to ensure compliance with GDPR and to demonstrate that processing is conducted accordingly.
- Integrating necessary safeguards into the processing of personal data to meet GDPR requirements and protect data subjects’ rights.
- Ensuring that only personal data necessary for each specific purpose is collected and processed.
- Ensuring that the scope of processing and retention duration for personal data comply with GDPR guidelines.
- Maintaining detailed and accurate records of processing activities.
- Ensuring that data subjects can easily exercise their rights as outlined under the GDPR.
- Obtaining freely given, specific, informed, and unambiguous consent from data subjects for any form of data processing based on consent, and ceasing processing of that data if consent is withdrawn.
- Notifying the relevant supervisory authority within 72 hours of becoming aware of a data breach and alerting data subjects when necessary.
- Conducting a Data Protection Impact Assessment (DPIA) when processing activities are likely to pose a high risk to individuals’ rights and freedoms.
Obligations of Data Processors
Data processors must adhere to various responsibilities under the GDPR, including:
- Processing personal data only based on documented instructions from the controller.
- Implementing appropriate technical and organizational measures to ensure proper processing according to GDPR requirements.
- Ensuring that all individuals handling personal data commit themselves to confidentiality.
- Assisting the controller in ensuring compliance with GDPR.
- Notifying controllers of any data breaches without undue delay and assisting them in notifying relevant authorities and data subjects as necessary.
Data Protection Impact Assessment (DPIA)
When processing, in particular using new technologies, is likely to pose a high risk to the rights and freedoms of data subjects, the GDPR mandates that the controller conduct an assessment. Organizations must carry out a Data Protection Impact Assessment (DPIA) before the processing begins to evaluate its impact on the protection of personal data. Conducting a DPIA is an essential requirement under the GDPR to ensure compliance with data protection principles.
A DPIA helps organizations identify and address privacy risks proactively. It enables organizations to prevent data breaches, enhance compliance with data protection laws, and boost public trust in their data handling practices. Although mandatory for specific types of processing such as sensitive personal data or large-scale processing, organizations can also conduct a DPIA for all processing activities as a best practice.
Data Breach Notifications
During the processing of personal data, a security incident may lead to a personal data breach. Such a breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed. Various factors, such as human error, cyber-attacks, or hacking, can contribute to a breach. It is crucial to recognize that data breaches can cause significant harm to data subjects, particularly if not handled appropriately. The GDPR outlines provisions for addressing these situations.
The GDPR mandates that organizations report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. Additionally, if the breach poses a high risk to the rights and freedoms of affected individuals, organizations must inform them as well. Organizations must make data breach notifications without undue delay, providing specific information such as the nature of the breach, the likely consequences, and the measures taken to address the breach.
How to be GDPR Compliant
To achieve GDPR compliance, organizations must take several steps to ensure that their collection and processing of personal data follow the regulation’s legal requirements. These steps include:
- Gaining a thorough understanding of all information collected from data subjects and maintaining records of all processing activities, making them available upon request.
- Updating privacy policies to provide transparent information about processing purposes, legal justification for processing activities, data retention duration, and other relevant information required under the GDPR for data subjects.
- Obtaining valid consent from individuals before collecting and processing their personal data.
- Appointing a Data Protection Officer (DPO) to monitor compliance and advise on data protection issues, if required. The DPO should have technical expertise in GDPR assessments and a legal understanding of privacy laws in all relevant jurisdictions.
- Reporting data breaches within the stipulated 72-hour timeframe and having robust breach detection, investigation, and internal reporting procedures in place.
- Identifying and mitigating risk by conducting DPIAs when necessary.
- Creating an internal security policy for team members and raising awareness about data protection.
- Signing data processing agreements with any third parties involved in personal data processing on your behalf.
- Maintaining data security by implementing appropriate technical and organizational measures to protect data.
- Appointing a representative within one of the EU member states if your organization is located outside the EU.
- Practicing privacy by design and by default by integrating data protection measures into the design of systems and processes from the start.
Cost of Compliance
GDPR compliance costs depend on the size and complexity of an organization and the nature of its data processing activities. This cost can be high, especially for small and medium-sized enterprises with limited resources. Factors that influence it include the number of staff, the training and awareness required, and the technical and organizational measures needed, amongst many others. However, the cost of non-compliance can be far greater.
Penalties and Fines Under the GDPR
Non-compliance with GDPR can result in significantly high penalties, and data subjects also have remedies available to them in the event of an infringement. The severity of the violation determines whether a non-compliance fine falls into tier 1 or tier 2:
- Tier 1 infringements include violations of the obligations of controllers and processors, certification bodies, and monitoring bodies. The penalty can go up to ten million Euros or 2% of the company’s global turnover from the previous year, whichever is higher.
- Tier 2 infringements cover severe breaches such as violating data subject rights, principles for data processing, transferring data to third countries, and failing to obtain consent. The penalty can be up to 4% of the company’s global turnover or twenty million Euros, whichever is higher.
Organizations may also face other penalties such as warnings, reprimands, orders to rectify, temporary or permanent bans on processing, and even criminal prosecution. The financial penalties are not the only consequences of non-compliance. Organizations that breach GDPR may suffer reputational damage, loss of customer trust, and a decline in business opportunities.
In conclusion, the General Data Protection Regulation (GDPR) is a crucial advancement in safeguarding the privacy and rights of individuals in today’s digital landscape. It establishes a legal framework that holds organizations accountable for collecting and processing personal data. GDPR has faced criticism for its compliance costs and potential impact on innovation. Nevertheless, it remains an essential regulation that is likely to influence data protection globally.
With tech giants reportedly mishandling users’ data, the EU’s GDPR legislation emerged as one of the earliest and most remarkable efforts to address data management issues. It’s encouraging to see governments acknowledging the significance of individual data control, a principle that Identity.com also embraces. Our company envisions a user-centric internet where individuals maintain control over their data. This commitment drives Identity.com to actively contribute to this future through innovative identity management systems and protocols. As members of the World Wide Web Consortium (W3C), we uphold the standards for the World Wide Web and work towards a more secure and user-friendly online experience.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more information about how we can help you with identity verification and general KYC processes.