The General Data Protection Regulation (GDPR) is a European law, running to hundreds of pages of articles, that sets out the data rights and obligations of companies operating in the EU and of their users and customers. This blog gives you a clear overview of GDPR.
GDPR is undoubtedly the strictest data protection law in the EU. It is so well established that even after Brexit the UK kept it in force (as the ‘UK GDPR’). Any violation of its articles in an enforcing country can end up in court. Many US clients and business groups have run into trouble with the rule; historically, a US company (Facebook) was held to account under it.
GDPR has become a role model for other countries, as every tax-paying citizen holds the right to privacy over their data. The EU and the UK use their versions of GDPR to restrict business groups, national or multinational, from manipulating citizens’ data. The daunting fines for violating its articles keep enterprises on their toes, and citizens get to sleep in peace knowing their privacy is safe.
If you are reading this, then you must be looking for a complete training course. Enrol in The GDPR Training Course to do a certification course and be an expert.
Behind the Creation of GDPR
If you are wondering why, so many years after the EU was established, it created such a fearsome law for businesses, this story is for you.
The early 21st century saw the boom of social media applications and of the internet as the medium for every vital communication. The emergence of Google and Facebook was so significant that the two were forced to treat each other as allies. Tension rose when Snowden (a former US spy) published a report about eavesdropping on EU officials. The problem began when a Google user sued Facebook in 2011 for scanning emails that were supposed to be private. Two months later, the EU data protection authority declared the need for a data protection law.
The EU Parliament passed the GDPR in 2016, and it has been in effect since May 25, 2018. All organisations operating in the EU have to stay compliant with it.
Is GDPR For Everyone?
If you operate in a country that enforces GDPR and deal with personal information, it applies to your company. You do not need to be on EU territory to be liable. If you handle EU or UK citizens’ information anywhere in the world, GDPR applies to you. The EU calls this the law’s ‘extra-territorial effect.’
Compliance Requirement
Article 3 of GDPR dictates:
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  - the monitoring of their behaviour as far as their behaviour takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
So Article 3.1 holds every domestic and international company that processes EU citizens’ data responsible.
Article 3.2 has two sub-sections.
When Does GDPR Sue Outsiders?
According to Article 3.2, two types of outsiders (organisations not established in the Union) have to comply with the General Data Protection Regulation, the GDPR.
1. Offering goods and services
E.g., Google, the giant tech company, provides online services in the EU extensively, so Google is a compliant organisation that abides by GDPR rules. Huawei is an internet provider operating in the EU that is headquartered in China but is compliant with GDPR because it deals with EU citizens’ information.
2. Monitoring EU citizens' behavior
E.g. a US web development company based in Los Angeles, California, that sells websites mainly to US businesses. If it tracks and analyses EU visitors to its website, that activity may be subject to the provisions of GDPR.
Is Every Citizen Responsible?
No. Purely personal and household activities are outside the scope of GDPR. Collecting email addresses for party or picnic invitations is not a GDPR violation.
A company with fewer than 250 employees is exempt from certain obligations, but small and medium-sized enterprises are not exempt from GDPR as a whole.
The Accuser, Accused and Accusing Content
GDPR guidelines use very formal and specific terms.
Accusing Content
Personal data is the content over which an EU citizen can accuse you. Any company that deals with EU citizens’ information must comply with the data protection rules. The person does not have to file the complaint personally; local authorities also have the right to do so. Entering fake data is also an offence under the privacy rules (e.g. using someone else’s picture to open a duplicate account).
The Accused
Usually, the company is held responsible for every employee’s actions. The data misuse or manipulation may be carried out by one or more employees or by a branch, but the entire company will be sued for it. The probable parties are:
1. The data processors
Any action performed on data is processing. These actions include collecting, recording, organising, structuring, storing, using and erasing. So whoever does such work with acquired personal data is called a data processor.
2. The data controllers
The person or board that decides why and how data will be processed. The board of members, the owner of the company, a branch of the company or an employee can be the data controller.
3. The third party
If the data controller hires someone to process data on its behalf, the hired company or person is a third party. GDPR has special rules about third-party data processing.
The Accuser
The person whose data is being processed. Usually these people are the customers, users or visitors of the site. In GDPR terms they are known as ‘the subject’.
GDPR Compliance Requirements
If you want to stay compliant with GDPR, Article 5.1-2 states seven protection and accountability principles for you.
- Lawfulness, fairness and transparency: data processing should be lawful, fair and transparent.
- Purpose limitation: for example, a social site that wants access to all your online accounts is going beyond its purpose.
- Data minimisation: a Facebook account requiring your parents’ names is unnecessary; a bank account requiring your life history is unnecessary.
- Accuracy: counter-examples are using a random (another person’s) profile picture to open an account, or a fake parent’s name to open a bank account.
- Storage limitation: you cannot keep an ex-customer’s or ex-user’s data once all services and deals are done.
- Integrity and confidentiality: if it is up to your company to protect personal data, you have to maintain privacy procedures and confidentiality. Yes, you have to get encryption right.
- Accountability: the accuser (the subject) will not accuse an employee or a specific person when they want to sue. Instead, the data controller will be sued, which in effect means the company itself.
Accountability to Data Security
According to GDPR, you have to demonstrate how you comply with it. Merely signing a contract will not make you GDPR compliant. You have to:
- Appoint a data protection team
- Maintain detailed documentation of your data collection, usage, storage, the employees responsible for it, etc.
- Take the necessary measures and train your employees
- Appoint a Data Protection Officer according to Article 38
- Sign a third-party data protection contract in case of outsourcing
Data Protection Protocol
“Appropriate technical and organisational measures” have to be implemented to handle data security. Technical measures include two-factor authentication and end-to-end encryption.
Organisational measures include staff training, a privacy policy and limiting employees’ access to personal data.
If your site is compromised, you have 72 hours to notify the subjects; otherwise you will be fined. (This notification requirement may be waived if technological safeguards, such as encryption, render the data useless to an attacker.)
Process the Data If:
- There is a specific concession (consent), e.g. various sites do personality checks by processing social data.
- There is a need to process data before a contract is signed, e.g. checking someone’s background before a government job or before leasing a property.
- You are legally obligated to share data, e.g. authority checks. So far, Apple is the safest company for data privacy among the tech giants (it refused to hand over a murdered journalist’s video to the government). However, such a refusal cannot happen in the EU or the UK.
- Life is at stake or endangered; you will know when data processing is allowed in such cases.
- Processing is necessary to carry out a public service task, e.g. an online study platform or job platform.
- You have a legitimate interest (this ground is too complex to explain with a single example).
Consent of the Subject
The consent of the subject is a prerequisite for processing their data. The GDPR rules imply that consent must be:
- Freely given, specific, informed and unambiguous.
- Requested in a way clearly distinguishable from other matters, in clear and understandable language.
- Owned by the subject and the subject alone. The subject holds the right to withdraw consent at any time, and the company is obliged to honour this.
- Granted by children aged 13 or above; otherwise a parent’s concession (consent) is needed.
- Documented securely, to show proof of the agreement.
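The consent rules above, together with the storage-limitation principle from the Article 5 list, translate into concrete behaviour of a system that handles personal data. The following is an added example written for this blog, not code from the page, from GDPR itself or from any product: it keeps an append-only consent ledger (proof of the agreement), ties each consent to one specific purpose, stops processing the moment the subject withdraws, and flags ex-customer records that have outlived a retention window. All names (`ConsentLedger`, `process_for_purpose`, `records_to_purge`, `user-42`) and the 30-day retention period are constructed assumptions; GDPR prescribes no particular period.

```python
# Added example (not code from the page or any GDPR project): a minimal
# consent ledger plus a storage-limitation check. The 30-day retention
# window and all identifiers are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific purpose, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime
    evidence: str         # how it was captured: form id, wording version, etc.


class ConsentLedger:
    """Append-only log of consent decisions. Nothing is ever deleted or
    rewritten, so the ledger doubles as the proof-of-agreement record."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               at: datetime, evidence: str) -> None:
        # Consent must be specific: a blanket purpose is refused outright.
        if not purpose or purpose.lower() in {"all", "any", "*"}:
            raise ValueError("consent must name one specific purpose")
        self._events.append(ConsentEvent(subject_id, purpose, granted, at, evidence))

    def is_consented(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """The latest decision for (subject, purpose) at time `at` wins,
        so a withdrawal overrides any earlier grant."""
        at = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, oldest first: this is what
        you hand over for a right-of-access request or an audit."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)


def process_for_purpose(ledger: ConsentLedger, subject_id: str,
                        purpose: str, at: datetime) -> str:
    """Gate every use of personal data on current consent for that purpose."""
    if not ledger.is_consented(subject_id, purpose, at):
        raise PermissionError(f"no valid consent from {subject_id} for {purpose}")
    return f"processed {subject_id} for {purpose}"


@dataclass(frozen=True)
class CustomerRecord:
    subject_id: str
    service_ended_at: Optional[datetime]   # None while the relationship is active


def records_to_purge(records: List[CustomerRecord], now: datetime,
                     retention: timedelta = timedelta(days=30)) -> List[str]:
    """Storage limitation: ex-customers whose data has outlived the
    (assumed) retention window are due for deletion."""
    return [r.subject_id for r in records
            if r.service_ended_at is not None and now - r.service_ended_at > retention]


def demo() -> dict:
    """Constructed walk-through; returns its observations so they can be checked."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("user-42", "marketing_email", True, t0, "signup form v3, box ticked")
    allowed_before = ledger.is_consented("user-42", "marketing_email", t0 + timedelta(days=1))
    # The subject withdraws consent a week later; processing must stop.
    ledger.record("user-42", "marketing_email", False, t0 + timedelta(days=7), "account settings")
    allowed_after = ledger.is_consented("user-42", "marketing_email", t0 + timedelta(days=8))
    try:
        process_for_purpose(ledger, "user-42", "marketing_email", t0 + timedelta(days=8))
        blocked = False
    except PermissionError:
        blocked = True
    # Consent for one purpose does not carry over to another.
    other_purpose = ledger.is_consented("user-42", "analytics", t0 + timedelta(days=1))
    purge = records_to_purge(
        [CustomerRecord("user-42", t0 - timedelta(days=60)),   # ended 60 days ago: purge
         CustomerRecord("user-7", None),                        # still active: keep
         CustomerRecord("user-9", t0 - timedelta(days=5))],    # ended 5 days ago: keep
        now=t0)
    return {"allowed_before": allowed_before, "allowed_after": allowed_after,
            "blocked": blocked, "other_purpose": other_purpose,
            "history_len": len(ledger.history("user-42")), "purge": purge}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the ledger never edits or removes an entry: a withdrawal is a new event, so the full chain of grants and withdrawals survives as evidence, while `is_consented` always reads the most recent decision.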
Know Your Rights
A data subject has rights they can claim when they use or visit a data-processing site. There is a whole chapter about data subjects’ rights (GDPR Chapter 3). In summary, they are:
- The right to be informed
- The right of access
- The right to rectification
- The right to restrict processing
- The right to erasure
- The right to data portability
- The right to object
- Rights concerning automated decision-making and profiling.
If any article of GDPR is violated, the site or company will be fined if found guilty.
GDPR Violation Fine
The GDPR violation penalty is one of the toughest in the world. There are two tiers of GDPR violation.
The less severe
This kind of infringement can result in a fine of up to €10 million or 2% of the company’s global revenue (whichever is higher). The acts behind this fine are:
➔ Controllers and processors that manipulate personal data collected from customers and do not abide by Articles 8, 11, 25-39, 42 and 43.
➔ Certification bodies that do not or cannot certify the evaluation and assessment process of their certification programmes, thereby violating Articles 42 and 43.
➔ Monitoring bodies that do not maintain a proper procedure for handling complaints or reported infringements impartially and transparently.
Source: Privacy Affairs GDPR Fines Tracker
The more serious
This kind of infringement can result in a fine of up to €20 million or 4% of the company’s global revenue (whichever is higher). The acts behind this fine are:
- Violating the basic principles of data processing, namely lawfulness, fairness and transparency. Articles 5, 6 and 9 set out these rules.
- Ignoring the permission/consent of users to use or manipulate their data. Article 7 clarifies this rule.
- Articles 44-49 state that transferring data to a third country without any legal notice is also a violation of GDPR.
So to avoid such a huge fine you need a data protection officer (DPO): a person who monitors all the personal data your company deals with.
Some Biggest Fines and the Companies
Several multinational and national companies have been fined record amounts in recent years. The big five are:
Source: Privacy Affairs GDPR Fines Tracker
Google- €50 million
The French authority took action against Google for lack of transparency in processing citizens’ data. Google failed to provide proof of valid user consent for showing ads and for its control of the data.
TIM- €27.8 million
This telecommunications giant used non-authorised personal information for an aggressive marketing policy. It contacted a few million individuals who were not its customers (some of them up to 150 times per month), having acquired their name, surname or company name, tax code or VAT number, telephone line, address and contact details without permission. It violated several serious GDPR rules in the process.
Austrian Post- €18 million (additional 1.8 million for investigation)
Austrian Post held data on over one-third of the national population and sold their names to a third party. This offence was so grave that the authority spent an additional 1.8 million euros on finding the names of the victims (political leaders were among them).
Deutsche Wohnen SE – €14.5 million
The German real estate company was accused of keeping unnecessary information about its tenants and was not compliant with the data retention rules of GDPR. It could not show any real use for the tenants’ information held in its archive, which GDPR strictly requires.
1&1 Telecom GmbH – €9.5 million
This German telecom company did not properly secure its customer data. As a result, it was easy for an outsider to access personal data, which GDPR condemns.
Closing Note
These penalty histories have probably given you an insight into the General Data Protection Regulation and the facts behind it. Nowadays, every company that operates in GDPR-enforced territory has a Data Protection Officer (DPO) to avoid a humongous fine. So the career outlook is bright if you are looking to become a GDPR expert rather than opening a company.