What Is General Data Protection Regulation (GDPR)?

Lauren Hendrickson
September 18, 2024

Key Takeaways:

  • The General Data Protection Regulation (GDPR) is an EU law that governs how personal data of individuals is collected, processed, and protected by organizations.
  • Organizations must obtain clear, informed consent from individuals before collecting or processing their personal data.
  • GDPR grants individuals rights such as access, rectification, erasure, and data portability regarding their personal information.

Businesses and organizations have always collected vast amounts of personal information from consumers, even before the internet era. This data is crucial for decision-making that leads to the delivery of quality products and services. However, the handling of this data has become an increasingly significant concern. Consumer information should be managed with care, protected from bad actors, and not used for purposes other than those for which it was collected. But is this always the case? Certainly not.

The risks associated with data handling have long existed, but the rise of the internet has amplified these risks, leading to more data breaches and misuse by both large tech companies and smaller businesses. As a result, stricter regulations are necessary to ensure consumer data is properly managed. GDPR is one such law, introduced to address these challenges. As of 2023, GDPR has influenced privacy laws globally, with over 150 countries adopting similar data protection regulations. Countries like Brazil and the U.S. (California’s CCPA) have modeled parts of their laws after GDPR to enhance data protection.

History of GDPR

The right to privacy has long been a fundamental aspect of European Union (EU) law. All member states of the Council of Europe (CoE) adhere to the European Convention on Human Rights (ECHR), which enshrines privacy rights in its articles. Specifically, Article 8 addresses the right to privacy in personal and family life, home, and correspondence, while allowing certain lawful and necessary restrictions in a democratic society.

To ensure these rights were upheld, the European Parliament and Council enacted the 1995 Data Protection Directive. This directive aimed to regulate personal data processing and the free movement of data within the EU, creating a common framework for data protection. Member states were required to implement national laws to safeguard personal data in line with the directive.

However, the 1995 Data Protection Directive became outdated due to the rapid evolution of data collection and management technologies. In response, the EU introduced the General Data Protection Regulation (GDPR), which expanded on the previous directive. GDPR brought stricter consent requirements, higher penalties for non-compliance, and enhanced territorial scope to address modern data privacy concerns.

In 2012, the European Commission proposed a comprehensive reform of the EU’s data protection framework. After extensive consultations and negotiations, the GDPR was adopted on April 14, 2016, and became enforceable on May 25, 2018. This two-year transition period allowed organizations to update their data protection policies, procedures, and technologies to comply with the new regulations.

What Is GDPR?

The General Data Protection Regulation (GDPR) is a regulation designed to safeguard the privacy and rights of European Union (EU) citizens by giving them greater control over their personal data. It modernizes the EU’s data protection laws by imposing strict requirements on organizations handling personal information, ensuring a transparent, fair, and legal framework for managing personal data.

As one of the world’s most comprehensive data protection regulations, GDPR is often compared to laws like the California Privacy Rights Act (CPRA). It applies to any organization processing the personal data of EU citizens, regardless of the organization’s location. This includes organizations both within and outside the EU and European Economic Area (EEA) member states, and it covers cross-border data transfers. GDPR governs all aspects of data processing, whether automated or manual, including the collection, storage, modification, and erasure of personal data.

What Does Collecting Personal Information Mean?

Collecting personal information refers to gathering any data that can identify an individual, either directly or indirectly. Under GDPR, personal data encompasses any information relating to an identified or identifiable natural person, known as the data subject. This includes a wide range of data types, from basic identification to more sensitive information.

Key categories of personal data include:

  • Basic Identification Information: Names, addresses, phone numbers, and email addresses.
  • Sensitive Personal Data: Information such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health records, and sexual orientation. Due to its sensitive nature, this data is subject to stricter regulations under GDPR.
  • Financial and Employment Data: Bank account numbers, credit card information, income, employment history, job title, and salary.
  • Online Identifiers: Data that tracks online activity, such as IP addresses, cookies, and device IDs.
  • Behavioral Data: Information on online and offline behaviors, including browsing history, search history, and purchase history.

Pseudonymous data, in which direct identifiers have been removed or replaced, can still be classified as personal data under GDPR if it can be traced back to an individual with additional information.

GDPR Principles

The General Data Protection Regulation (GDPR) outlines seven core principles that organizations must adhere to when processing personal data. These principles form the foundation of GDPR compliance:

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner, ensuring that data subjects understand how their information is being used.
  • Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not processed further in any way that is incompatible with those purposes.
  • Data Minimization: Personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed, reducing unnecessary data collection.
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date. Any inaccurate personal data should be rectified or erased without delay.
  • Storage Limitation: Personal data should not be kept longer than necessary for the purposes for which it is processed. Organizations must ensure data is retained only for the required duration.
  • Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, protecting it against unauthorized or unlawful processing, accidental loss, destruction, or damage, using suitable technical and organizational measures.
  • Accountability: Data controllers are responsible for ensuring compliance with these principles and must be able to demonstrate their adherence to the GDPR.

Key Roles in GDPR

The GDPR recognizes three main roles in data processing: data subjects, data controllers, and data processors.

1. Data Subjects

Data subjects are the individuals whose personal data is being processed. These include consumers, customers, and site visitors whose personal information is collected and used. Under GDPR, data subjects have several rights, such as the right to access, rectify, erase, and restrict the processing of their personal data.

2. Data Controllers

A data controller is a legal or natural person, agency, public authority, or other body that determines the purposes and means of processing personal data. Controllers are responsible for ensuring GDPR compliance for the data they handle, whether collected directly from data subjects or obtained from other sources. They play a central role in establishing data processing practices.

3. Data Processors

A data processor is a legal or natural person, public authority, agency, or other body that processes personal data on behalf of the data controller. Data processors provide services such as IT, cloud storage, payment processing, and more. Although they act under the instructions of the data controller, data processors also have specific responsibilities and obligations under GDPR.

When Does GDPR Not Apply?

While the General Data Protection Regulation (GDPR) provides robust protections for personal data within the EU and EEA, there are specific situations where certain data is exempt from its requirements. It’s important not to rely on these exemptions as a standard practice, but rather to use them only when applicable. Key exemptions include:

  • National Security and Law Enforcement: Personal data processed for national security, defense, or law enforcement purposes.
  • Domestic Purposes: Personal data processed solely for personal or household activities.
  • Manual Paper Records: Data processed manually using paper records that are part of or intended to be part of an organized filing system.

Additionally, the GDPR does not apply to organizations that neither offer goods or services to people in the EU nor monitor their behavior there. It also doesn’t cover situations where the data processed does not directly or indirectly identify a living person, or where the data has been anonymized.

What Are the GDPR Data Subject Rights?

Under the GDPR, individuals within the EU are granted greater control over their personal data. These rights include:

  1. Right to Be Informed: Organizations must provide clear, concise, and accessible information about the collection and processing of personal data. This includes the purposes of processing, data retention periods, and any third-party sharing, presented in transparent, easily understandable language.
  2. Right of Access: Data subjects can request access to their personal data and receive a copy, along with detailed information on how and why it’s being processed. Requests can be made verbally or in writing, including through social media.
  3. Right to Rectification: Individuals can request corrections to inaccurate personal data or complete incomplete information from the data controller without delay.
  4. Right to Erasure: Also known as the right to be forgotten, individuals can request the deletion of their personal data in certain circumstances.
  5. Right to Restrict Processing: Data subjects can request the restriction of their personal data processing under specific conditions.
  6. Right to Data Portability: Individuals have the right to obtain and reuse their personal data across different services. This allows data subjects to receive their data from one controller and transfer it to another without interference.
  7. Right to Object: Data subjects can object to the processing of their personal data, particularly for direct marketing purposes.
  8. Rights Related to Automated Decision-Making: GDPR restricts organizations from making solely automated decisions, including those based on profiling, that have legal or similarly significant effects on individuals. Such decisions require human involvement to ensure fairness.

Many of these rights are not absolute; whether they apply depends on the circumstances set out in the GDPR.

GDPR Obligations of Data Controllers

Under the GDPR, data controllers have several key responsibilities to ensure compliance with the law:

  • Implementing appropriate technical and organizational measures to ensure GDPR compliance and demonstrate that data processing is conducted in line with the regulation.
  • Integrating necessary safeguards into the data processing activities to protect the rights of data subjects.
  • Ensuring that only the personal data necessary for each specific purpose is collected and processed, adhering to data minimization principles.
  • Ensuring that the scope of processing and retention of personal data comply with GDPR guidelines.
  • Maintaining detailed and accurate records of all data processing activities.
  • Facilitating the ability of data subjects to exercise their rights as outlined under GDPR.
  • Obtaining freely given, specific, informed, and unambiguous consent from data subjects for data processing, and halting processing when consent is withdrawn.
  • Notifying relevant authorities of a data breach within 72 hours and alerting data subjects when necessary.
  • Conducting a Data Protection Impact Assessment (DPIA) for any processing activities likely to pose a high risk to individuals’ rights and freedoms.

GDPR Obligations of Data Processors

Data processors also have specific obligations under GDPR, including:

  • Processing personal data only based on documented instructions from the data controller.
  • Implementing appropriate technical and organizational measures to ensure that data processing complies with GDPR requirements.
  • Ensuring that all individuals involved in handling personal data are committed to confidentiality.
  • Assisting the data controller in ensuring GDPR compliance.
  • Notifying the data controller of any data breaches without undue delay and assisting in notifying relevant authorities and data subjects when necessary.

Data Protection Impact Assessment (DPIA)

When the use of new technologies poses a high risk to the rights and freedoms of data subjects, the GDPR mandates that organizations conduct a Data Protection Impact Assessment (DPIA). A DPIA must be performed before processing to evaluate the impact on personal data protection. This is a crucial requirement under GDPR to ensure compliance with data protection principles.

A DPIA allows organizations to proactively identify and address privacy risks, preventing data breaches and enhancing compliance with data protection laws. It also helps build public trust in an organization’s data handling practices. While mandatory for certain high-risk activities, such as processing sensitive personal data or large-scale data processing, conducting a DPIA for all activities is considered a best practice.

Data Breach Notifications

A personal data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed. Such breaches can result from human error, cyber-attacks, or hacking. Data breaches can cause significant harm to data subjects, especially if not handled appropriately. The GDPR outlines strict provisions for reporting and addressing these breaches.

Under GDPR, organizations must report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the incident. If the breach poses a high risk to the rights and freedoms of individuals, organizations must also notify the affected individuals without undue delay. Notifications should include details such as the nature of the breach, the potential consequences, and the actions taken to mitigate it.

How to Be GDPR Compliant

To achieve GDPR compliance, organizations must take several steps to ensure that the personal data they collect and process is handled in line with the regulation’s legal requirements. These steps include:

  • Understand the data collected: Maintain records of all processing activities and make them available upon request.
  • Update privacy policies: Ensure transparency regarding data processing purposes, legal justification, retention periods, and other GDPR requirements.
  • Obtain valid consent: Collect and process personal data only with informed, freely given consent.
  • Appoint a Data Protection Officer (DPO): If required, appoint a DPO with the necessary technical and legal expertise to monitor compliance.
  • Report data breaches: Ensure robust procedures are in place for detecting, investigating, and reporting breaches within the required 72-hour timeframe.
  • Conduct DPIAs: Identify and mitigate risks by conducting DPIAs when necessary.
  • Implement security policies: Raise awareness within the organization and implement security policies for data protection.
  • Sign data processing agreements: Ensure third-party processors comply with GDPR by signing formal agreements.
  • Maintain data security: Implement technical and organizational measures to protect personal data.
  • Appoint an EU representative: If located outside the EU, appoint a representative in an EU member state.
  • Integrate privacy by design: Embed data protection measures into systems and processes from the outset.

Cost of GDPR Compliance

The cost of GDPR compliance depends on the size and complexity of the organization and its data processing activities. For small and medium-sized enterprises, these costs can be significant, covering staff training, technical measures, and organizational adjustments. However, the cost of non-compliance is often far greater, with potential fines and reputational damage.

Penalties and Fines Under the GDPR

Non-compliance with GDPR can result in severe financial penalties and other consequences. The GDPR establishes two tiers of fines based on the seriousness of the violation:

  • Tier 1 Infringements: These cover violations of the obligations placed on controllers, processors, or certification/monitoring bodies. Fines can reach up to €10 million or 2% of global annual turnover, whichever is higher.
  • Tier 2 Infringements: These cover more severe breaches, such as violating data subject rights or the data processing principles, or transferring personal data to countries outside the EU without the required safeguards. Fines can be as high as €20 million or 4% of global annual turnover, whichever is higher.

In addition to financial penalties, non-compliance may result in warnings, reprimands, orders to rectify violations, processing bans, and even criminal prosecution. The damage to an organization’s reputation and loss of customer trust can also be significant, further impacting business opportunities.

The Future of GDPR

The General Data Protection Regulation (GDPR) has set a global standard for data privacy, ensuring organizations are accountable for the personal data they collect and process. While it has faced criticism for high compliance costs and potential impacts on innovation, GDPR remains essential in safeguarding privacy. Looking ahead, GDPR is likely to evolve in response to emerging technologies such as artificial intelligence and big data, continuing to influence global data protection laws.

In conclusion, GDPR not only strengthens individual rights but also serves as a model for future regulations, adapting to an increasingly data-driven world.

Identity.com

With tech giants reportedly mishandling users’ data, the EU’s GDPR legislation emerged as one of the earliest and most remarkable efforts to address data management issues. It’s encouraging to see governments acknowledging the significance of individual data control, a principle that Identity.com also embraces. Our company envisions a user-centric internet where individuals maintain control over their data. This commitment drives Identity.com to actively contribute to this future through innovative identity management systems and protocols. As members of the World Wide Web Consortium (W3C), we uphold the standards for the World Wide Web and work towards a more secure and user-friendly online experience.

The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.
