GDPR Overview

This document provides a concise summary of the General Data Protection Regulation, outlining the law and its broader implications.

What does GDPR entail?

GDPR is a regulation enacted by the EU that establishes compulsory guidelines for organizations and businesses regarding the ethical use of personal data. Personal data refers to any information that can, either directly or indirectly, identify an individual. Examples of personal data include name, phone number, and address. Additionally, details such as interests, past purchase history, health information, and online activities are also classified as personal data since they can be used to identify a person.

Processing data involves the collection, structuring, organization, utilization, storage, sharing, disclosure, erasure, and destruction of data. Every organization that handles personal data (which includes all organizations with employees and customers) is required to ensure that the personal data it processes complies with GDPR standards. In summary, the primary requirements of the GDPR are as follows:

  • A unified law across Europe. The GDPR applies in all EU Member States, simplifying matters for both businesses and citizens.
  • The use of personal data must align with principles of integrity and fairness. For instance, processing must have a specific purpose. Therefore, collecting personal information “just in case” it may be needed later is not permissible. It is essential to be honest, open, and transparent regarding data usage. In other words, individuals have the right to understand how their data is utilized, and they should have a voice in this process. Organizations are required to retain personal data only for as long as necessary. Furthermore, the processing must be conducted in a safe and secure manner. Organizations must possess and maintain appropriate documentation that demonstrates their compliance with the regulations.
  • The use of personal data must have a lawful basis. The GDPR sets out six legal bases for processing personal data, such as consent or contractual necessity. If your processing does not fit any of these bases, it is unlawful. For example, processing personal data may be necessary to fulfil a contract, and it may also be necessary to prevent fraud or to conduct marketing activities.
  • Furthermore, the use of personal data must honor the rights of individuals. The GDPR grants individuals specific rights concerning their personal data. They are entitled to access their personal data and to be informed about how an organization utilizes this data, as well as to object to its processing, among other rights.
  • The GDPR requires that personal data breaches be reported within 72 hours. If personal data is disclosed, accessed, altered, or stolen, you are obligated to take action, even if the breach occurred at one of your suppliers. If you can ascertain that no personal data was compromised, it is likely not an incident that requires reporting. However, in cases of sensitive data loss, such as health or financial information, the incident must be reported to the relevant authority and to each affected individual within 72 hours.
  • Companies are accountable for their suppliers. The recent legislation imposes duties on the controller to ensure that its suppliers adhere to data protection requirements through contractual agreements. Should the supplier jeopardize data, the controller will bear the responsibility.
  • The magnitude of the penalties is considerable. Organizations that breach the law could incur fines amounting to either 4% of their global revenue (calculated over the past 12 months) or €20 million, whichever is greater.
What is the rationale behind the GDPR?

Personal data holds significant value; this is indisputable. It enables the creation of business models, enhances understanding of customers, facilitates effective marketing strategies, and aids in the development of products and services. However, similar to other valuable assets, there is a necessity for responsible management governed by shared regulations. In recent years, we have witnessed numerous reports of personal data breaches and scandals involving companies such as Facebook, eBay, Equifax, and Uber. The personal information of hundreds of millions of individuals—including social security numbers, addresses, and credit scores—has been compromised. The GDPR explicitly asserts that an individual’s personal data is owned by that individual; furthermore, it imposes significant penalties on companies that fail to comply with its regulations. In Europe, privacy and data protection are regarded as essential elements for a thriving democracy. The GDPR aims to protect these essential rights and represents an advancement over the previous EU data protection directive.
The primary practical implications

The essence of the GDPR is that it imposes responsibilities on businesses while granting rights to citizens. It is prudent for businesses to either update or create their data protection compliance programs. Below are several recommended actions:

– Notify citizens and customers about your operations in a clear and transparent manner. Individuals whose personal data you handle (data subjects) must be made aware of your data processing activities. To achieve this, organizations typically utilize Privacy Notices and various Privacy Policies on their websites, as well as in service agreements, among other means.

– Designate a Data Protection Officer (DPO) within your organization, who will serve as the primary operator and expert on your organization’s privacy initiatives. The DPO should be accountable to the relevant data protection authority in the country where your organization is based. The regulations concerning the DPO are outlined in Articles 37-39 of the GDPR.

– Effectively manage the rights of citizens and individuals. When a data subject reaches out to you to exercise their rights under the GDPR, which encompass a variety of provisions, it is imperative that you respond promptly. The data subject is entitled to access their personal data and obtain a record of the information you possess, to rectify any inaccuracies in the data, to request deletion of the data when specific conditions are satisfied, to have their data transferred under particular circumstances, and to object to or limit certain uses of their personal data. It is essential to adhere to the stipulated timeframes when addressing these requests.

– Establish the responsibilities between the Buyer (Controller) and the Supplier (Processor). If your organization has engaged another entity to process data on your behalf (for instance, an IT firm providing cloud services), you assume the role of the “Controller” of the personal data. The entity you have contracted will be designated as the “Processor.” In this business arrangement, it is necessary to have a Data Processing Agreement (“DPA”) in addition to the primary contract. A DPA delineates the regulations governing how the Processor may utilize personal data to achieve the objectives of the commercial agreement.

– Maintain a comprehensive data inventory. Every Controller and Processor is required to document information regarding data usage. The stipulations for maintaining processing records are outlined in Article 30 of the GDPR.

– Establish procedures to address personal data breaches within a 72-hour period. In the event of a data breach affecting your organization, it is imperative to implement measures to mitigate potential risks. In certain situations, it is also necessary to notify your supervisory authority and the affected individuals. A breach may involve loss, destruction, or unauthorized access to personal data.

– Evaluate potential risks and the implications for citizens’ rights concerning the intended use of personal data. Organizations are obligated to conduct a risk assessment when they plan to utilize personal data in a novel and innovative manner, switch cloud service providers, or develop new services. If the proposed use of personal data is deemed risky, considering factors such as data sensitivity and the extent of processing, it is essential to review the processing activities and evaluate the potential impacts on data subjects. This evaluation process is referred to as a Data Protection Impact Assessment (“DPIA”) and is detailed in Article 35 of the GDPR.

This overview of the GDPR serves as an introduction to the principles of data protection in Europe. It is based on the article provided at https://www.gdprsummary.com/gdpr-summary/

To obtain GDPR-compliant consent on this site, Real Cookie Banner Pro is implemented; the banner is shown on a visitor's first visit to this site, and again after a longer period of absence.