The General Data Protection Regulation, or GDPR, has completely changed how companies manage and use data
On May 25, 2018, years of planning came to a close, and long-planned data privacy improvements began to take effect across Europe. Since its adoption, the General Data Protection Regulation (GDPR) has modernised the rules governing the protection of individuals’ personal information.
Europe’s prior data protection laws, some of which were first drafted in the 1990s, were nearly twenty years old and have been replaced by GDPR. Since those laws were written, people have developed data-intensive lives and regularly divulge their private information online.
According to the EU, GDPR was created to “harmonise” data privacy rules among all of its member states while also enhancing individual rights and protection. The GDPR was also developed to change how companies and other organisations handle the personal data of people who interact with them. Those caught in violation of the rules risk significant fines and reputational harm.
Although the regulation makes significant modifications, it draws on earlier data protection concepts. For this reason, many in the data protection community describe GDPR as an evolution rather than a radical revision of rights. The regulation should have been a “step change” for companies that were already abiding by pre-GDPR requirements.
There was a pre-GDPR transition period that gave companies and organisations time to modify their policies, but there is still a lot of ambiguity surrounding the regulations. This is our explanation of what GDPR actually means.
So, What is GDPR?
The GDPR, which strengthens people’s ability to access the information held about them and places restrictions on what organisations can do with personal data, can be regarded as the world’s strictest set of data protection laws. The GDPR is a cumbersome beast: 99 separate articles in its entirety.
The GDPR became effective on May 25, 2018. Europe’s nations were granted the freedom to implement minor adjustments that suited their unique circumstances. The Data Protection Act (2018), which replaced the preceding 1998 Data Protection Act in the UK, was created as a result of this flexibility.
Who is GDPR Applicable To?
The GDPR is centred around personal data. In general, this information refers to data that can be used to directly or indirectly identify a living individual. Personal data can be something obvious, like a person’s name, location information, or a clear online username, or it may be something that may be less immediately evident, like IP addresses and cookie identifiers.
A few particular types of sensitive personal data are afforded enhanced protections under GDPR. A person’s genetic information, biometric data, health information, political opinions, religious beliefs, trade union membership, and information regarding their sexual life or orientation all fall into this category.
The ability to identify a person is the key component of what makes up personal data; pseudonymised data can still be considered personal data. Personal data is so crucial under the regulation because the GDPR applies to people, organisations, and businesses that are either “controllers” or “processors” of it.
The Information Commissioner’s Office (ICO), the UK’s data protection authority, states that “controllers are the main decision-makers” and that they “exercise complete authority over the purposes and ways in which personal data is processed.” There may also be joint controllers of personal data, in which case two or more organisations jointly decide how to handle data. According to the ICO, “Processors act on behalf of, and only pursuant to, the directions of, the relevant Controller.” Under GDPR, controllers are subject to tougher requirements than processors.
Although it originated in the EU, GDPR may also apply to companies located outside the continent. The GDPR may apply if a US-based company, for example, conducts business in the EU and is a controller of EU citizens’ personal data.
What are The Fundamental Principles of The GDPR?
The seven fundamental tenets of GDPR, which are outlined in Article 5 of the regulation, are intended to govern how individuals’ personal data may be treated. They serve as a general framework that sets out the underlying goals of GDPR rather than as strict requirements. The fundamental ideas are essentially unchanged from earlier data protection regulations.
The seven principles of the GDPR are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In fact, the only one of these concepts that is new to data protection law is accountability. In the UK, all the other guiding principles are comparable to those found in the 1998 Data Protection Act.
What Are Your GDPR Rights?
Although the GDPR probably imposes the greatest costs on data controllers and processors, the law is intended to support the protection of individual rights. As a result, the GDPR lays out eight rights. These include giving customers easy access to the information businesses keep about them and enabling the deletion of such information in certain circumstances.
Individuals have the following full rights under the GDPR: the right to information, the right of access, the right to rectification or erasure, the right to restrict processing, the right to data portability, the right to object, as well as the right against automated decision-making and profiling.
Behind the Numbers: Shedding Light on Fines and Sanctions for GDPR Violations
The possibility of authorities slapping organisations that don’t comply with the GDPR with significant fines has been one of the greatest and most discussed aspects of the regulation. An organisation may face fines if it improperly processes a person’s data. It may be punished if it needs a data protection officer but does not have one. A security breach may result in penalties.
In the UK, the ICO makes these financial judgements, and any money that is recovered is returned via the Treasury. According to the GDPR, lesser offences are subject to fines of up to €10 million or 2% of a company’s global sales, whichever is higher. The most egregious GDPR violations can result in fines of up to €20 million or 4% of a company’s global sales, whichever is higher. The ICO could only impose fines of up to £500,000 under the previous data protection laws.
Google has received one of the largest fines under the GDPR to date: the National Data Protection Commission (CNIL), France’s data protection authority, fined the corporation €50 million (£43 million). According to CNIL, the fine was imposed for two primary reasons: first, Google failed to adequately notify people about how it uses the data it collects from 20 different services, and second, it failed to obtain adequate consent for the processing of user data.
However, the UK might levy the highest fines. Marriott and British Airways both received “notices of intent” from the ICO for violating the GDPR. There was talk of a £183 million sanction for BA and a £99 million fine for the hotel chain. Neither corporation has made a payment, as these are only notices of intent and not actual fines. In fact, both companies are disputing the ICO’s notices.
Why Partner with a Managed Services Provider (MSP) for Compliance?
Although important, regulatory compliance is not a core activity of most companies. Few businesses have the internal resources and knowledge necessary to manage compliance, which leads to ineffective procedures and elevated risk. Compliance demands additional manpower and resources from organisations, which raises overhead costs and reduces output.
By contracting with an experienced MSP for compliance-related business tasks and processes, organisations can reduce the burden of complicated regulatory requirements. These duties may involve gathering pertinent data, keeping an eye on systems and procedures, and producing reports for both internal and external audiences.
Workplace Connect can help your organisation keep up with increasing compliance demands
By working with Workplace Connect, you can benefit from our knowledge, best practices, strong IT security, and advanced analytics and reporting capabilities. This lowers the risk of non-compliance and increases the efficiency and precision of compliance reporting. At the same time, your own staff, assets, and funds can be redirected to core company activities and revenue-generating projects.