What is GDPR?
GDPR stands for General Data Protection Regulation, which came into effect on 25th May 2018. GDPR makes companies liable for their use of personal data and gives consumers rights over their personal data. GDPR is the strictest data protection regime in the world; it applies to private and government entities alike, and to both EU and non-EU organizations. GDPR applies only in the context of personal data: anonymized data is out of its scope.
What is personal data?
GDPR defines personal data as any information relating to an individual who can be directly or indirectly identified. This definition is quite broad and covers data such as names, email addresses, web cookies, location data, etc.
Does GDPR apply to you?
GDPR can apply to your organization based on two criteria:
- Establishment: Do you have an establishment in the EU, such as a branch, subsidiary, or agent?
- Targeting: Do you target EU citizens, either by monitoring them or by offering them goods or services? Examples include profiling EU users, accepting payments in Euros, or supporting Spanish on your website.
Determining the applicability of GDPR is a complex topic and we covered it in more detail here.
Why should you care about GDPR?
- Non-compliance with GDPR can lead to fines of up to 20 million Euros or 4% of your global turnover for severe violations, and 10 million Euros or 2% of your global turnover for less severe violations. So far, companies have already been fined 467 million Euros for GDPR violations. In 2020, H&M was fined €35 million for a GDPR violation.
- For B2B companies, GDPR compliance becomes a key customer requirement, and not complying could lead to loss of business.
- Leverage GDPR compliance as a brand differentiator. Consumers across the world have responded
Seven Principles of GDPR
- Lawfulness, Fairness, and Transparency:
  - Lawfulness requires you to establish a legal basis for processing. GDPR offers six legal bases that you can choose from. We covered lawfulness in detail here.
  - Fairness requires you to process data in ways people would reasonably expect. This means you keep the promises you made to users in the notice you gave them.
  - Transparency requires you to give users a clear and intelligible notice so that they can make an informed decision. Please refer to this article to determine the requirements of the notice.
- Purpose Limitation: Requires you to clearly specify all purposes of processing at the time of data collection and to limit processing to the purposes declared in the privacy notice. If you plan to process data for a new purpose not specified earlier, you can do so either by performing a compatibility test or by obtaining the user's consent for the new purpose.
- Data Minimisation: Requires you to collect only the minimum data needed to fulfil your stated purpose. Data minimisation works in the organization's favor, since less data means less to protect and less to search through when responding to data subject access requests (DSARs).
- Accuracy: Requires you to keep the data accurate and up to date. This means updating details kept in databases wherever possible and deleting data that is inaccurate or misleading. This principle is linked to the Right to Rectification.
- Storage Limitation: Requires you to keep data only for as long as it is necessary for the purposes of the processing. This means creating a retention policy that states the reasons for each retention period, and then either deleting the data or anonymizing it once that period ends.
- Integrity and Confidentiality (Security): Requires you to have appropriate security safeguards in place for protecting the data you hold. This ties closely with information security and the CIA triad (confidentiality, integrity, availability).
- Accountability: Requires you to demonstrate compliance with the six principles above. This means you have appropriate measures, records, and documentation in place to prove compliance.
Rights of Individuals in GDPR:
GDPR gives individuals rights over the data that an organization holds. Here is a list of rights under GDPR:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure, or Right to be forgotten (RTBF)
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision making including profiling
We have covered data subject rights and how you can operationalize responding to them in detail.
GDPR is complex: it is an 88-page document with 173 recitals and 99 articles. We have tried to summarize it here to give you an introduction. Start your GDPR compliance journey by referring to the GDPR Cheatsheet we created.