What is GDPR or General Data Protection Regulation?
Data privacy has become extremely important in recent times, especially with the growing trends of data collection and the way technology companies use such data. Right from the moment of the announcement, GDPR or General Data Protection Regulation has been the most significant and comprehensive type of data privacy regulation law brought into practice. GDPR has been able to balance the diverse and disparate data protection regulations that have been in use all across European Union. GDPR also extends to numerous non-EU organizations if they process and manage the personal data they have collected in the EU. The General Data Protection Regulation or GDPR currently applies to all companies and organizations irrespective of their geographical location in case these entities offer services and goods to the people living in the EU or works towards monitoring their behavior and activities within the EU.
Definition of personal data according to GDPR
The GDPR has categorically broadened the scope or definition of what constitutes personal data and has included any information associated with a naturally identifiable person. Such information includes details rather than personal details, like the name and address of a person. Additionally, it can include other information for identifying someone, like their IP address and cookie identifiers linked with web browsing sessions.
GDPR requirements meant for data processors and data controllers
According to GDPR, the data controllers are online entities. They manage the decision-making processes regarding the purposes and means of personal data collection. The data processors are the entities responsible for processing the personal data, and they act on behalf of the data controller.
There are also seven essential principles that the data processors and data controllers need to follow when collecting and handling personal data. These are mentioned below.
- Purpose limitation
- Lawfulness, transparency, and fairness
- Accuracy
- Data minimization
- Storage limitation
- Accountability
- Integrity and confidentiality or security
Apart from the above-mentioned principles, the GDPR requires the data controllers and data processors to undertake multiple specific actions. These are discussed below in brief.
Detailed record keeping
The data processors are required to keep records of all processing activities.
Security measures
Data controllers and data processors use and test proper security measures to ensure the data they gather and process remains protected and secure.
Data breach notification
If the data controllers suffer from any data security breach, they need to notify the appropriate authorities within 72 hours, barring some exceptions. They should notify the people whose personal data is compromised by the breach.
Data Protection Officer or DPO
The companies and organizations that need to process the data may require to hire the services and expertise offered by a Data Protection Officer or DPO. The Data Protection Officer has the responsibility of leading and overseeing the various GDPR compliance efforts.
What are the rights of data subjects under GDPR?
The data subject is an identifiable natural person whose data is being handled. According to the GDPR, a data subject has got the following rights.
Right to portability of data
The data subjects own the right to transfer their data from one specific data controller entity to another.
Right to stay informed
Data subjects are to be provided with information in an easy-to-understand format. The data subjects must know the way their data and information are being collected and processed.
Right to rectification
The data subjects have the right to correct any inaccurate data regarding themselves.
Right of access
The data subjects have the right to effectively obtain a copy of a document that states their collected personal data.
Right to erasure
The data subjects have the right to request their data to be deleted
Right to object
The data subjects can object to the processing of any personal data they do not want to share. Under certain circumstances, a data controller or a data processor is obligated to comply with the objection of the data subject.
Right to restrict processing
In some circumstances, the data subjects can effectively limit the methods in which their data and information are being processed
Right to object to automated processing
The data subjects have the right to object to any decision that affects them legally based solely on the automated data processing methods.
Penalties for GDPR violations
According to GDPR, any business organization or entity that violates the law should pay the fines associated with such violations.
There are two distinct tiers of fines described by GDPR. Each of these tiers is associated with a distinct category of violation.
- First-tier: It is ascribed to violations where the maximum fine can be either €10 million or two percent of the company’s worldwide annual revenue margin, whichever is higher.
- Second-tier: The second-tier violation can lead to a maximum fine of €20 million or about 4% of a company’s worldwide annual revenue margin, whichever is higher.
Along with these fines, the data subjects can seek compensation for the damages if a business firm violates the GDPR.
The above guidelines formally define the rules and regulations associated with GDPR that companies must follow at all times.