The GDPR: A New Era for Data Protection

Introduction

The GDPR (General Data Protection Regulation) came into effect on May 25, 2018. Since then, companies that process the personal data of EU citizens have been required to comply with the GDPR. This act requires businesses to get explicit consent from individuals before collecting, using, or sharing their personal data. Companies must also provide individuals with clear and concise information about their rights under the GDPR.

The privacy landscape has changed under the GDPR for companies that process the personal data of EU citizens. Violations of the GDPR can result in significant fines.

The following list summarizes what the GDPR does:

  • GDPR protects the personal data of EU citizens. Personal data includes any information that can be used to identify an individual, such as a name, email address, physical address, or phone number.
  • GDPR gives individuals the right to know what personal data is being collected about them, why it is being collected, and how it will be used.
  • GDPR sets strict standards for how companies must protect personal data. Companies that process personal data must ensure that it is kept secure from unauthorized access, use, or disclosure.
  • GDPR gives individuals the right to access their personal data and to request that it be corrected if it is inaccurate.
  • GDPR gives individuals the right to have their personal data erased.
  • GDPR gives individuals the right to object to the processing of their personal data.
  • GDPR gives individuals the right to file a complaint if they believe their rights have been violated.
  • GDPR imposes significant fines on companies that violate its provisions.
  • GDPR creates a level playing field for companies operating in the EU.
  • GDPR sets a high standard for data protection that other countries are likely to follow.
  • GDPR provides individuals with a mechanism to enforce their rights.

Explicit consent

Personal data cannot be collected, used, or shared without the individual's permission. Companies must provide individuals with clear and concise information about their rights under the GDPR, and must obtain consent in a way that is easy to understand and entirely voluntary. Pre-checked boxes are not valid consent, and consent cannot be made a condition of using a service. Individuals must be able to withdraw their consent at any time, companies must make withdrawal easy, and once consent is withdrawn the company must stop using the personal data.

Seven principles

The regulation sets out seven principles for personal data protection. They are designed to protect individuals' privacy and to ensure that personal data is processed lawfully, fairly, and transparently.

  1. Lawfulness, fairness, and transparency: personal data must be collected and processed lawfully, fairly, and transparently. This means that people must be informed about how their data will be used.
  2. Purpose limitation: data must be collected for specific, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes.
  3. Data minimization: data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  4. Accuracy: data must be accurate and, where necessary, kept up to date.
  5. Storage limitation: data must be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
  6. Integrity and confidentiality: data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  7. Accountability: data controllers must demonstrate their compliance with the GDPR. They must take responsibility for their processing activities and implement appropriate measures, policies, and procedures to ensure compliance.

The GDPR is the EU's most well-known technology law, and it will remain so until the AI Act comes into force. The Commission released the GDPR draft together with an impact assessment stating that the law would save the European economy €2.3B annually. Not only does it unify the previously separate data protection laws of the member states, but it has also benefited Big Tech companies as well as startups located across many European countries.

Penalties

The GDPR imposes significant fines on companies that violate its provisions: up to 4% of a company's global annual revenue or €20 million, whichever is greater. The GDPR also gives individuals the right to file a complaint with the supervisory authority if they believe their rights have been violated.

How do companies violate the GDPR?

There are many ways companies can violate the GDPR, but some of the most common include the following:

  • Failing to get explicit consent from individuals before collecting, using, or sharing their personal data.
  • Failing to provide individuals with clear and concise information about their rights under the GDPR.

Any of these violations can result in significant fines.

What can companies do to avoid these penalties?

  • Get explicit consent from individuals before collecting, using, or sharing their personal data.
  • Provide individuals with clear and concise information about their rights under the GDPR.
  • Comply with the GDPR.

Top 10 GDPR fines

Companies that process the personal data of EU citizens must take steps to ensure their compliance with the GDPR. Failure to do so can result in significant fines.

Amazon: €746 million for tracking users' data without users' consent.

WhatsApp: €225 million for unclear privacy policy and transparency in using user data.

Google: €90 million for failing to give users an easy way to refuse cookies.

Google: €60 million for failing to provide users with an appropriate way to refuse cookies on YouTube.

Facebook: €60 million for failing to give users an easy way to refuse cookies.

Google: €50 million for confusing and poorly structured privacy consent agreements that prevented users from understanding what they agreed to.

H&M: €35.3 million for collecting and storing information about its employees' families, religions, and health histories for no reason.

TIM: €27.8 million. TIM, the Italian telecom, was fined for using customer data without consent to make telemarketing calls and for storing customer data in a way that risked security breaches.

Enel Energia: €26.5 million. This electric and gas supplier was fined for failing to get user consent for telemarketing calls.

British Airways: £20 million for failing to prevent a massive data breach that exposed the data of 400,000 customers.

How can a company avoid fines?

There are a few key things that organizations need to do to avoid being fined under the GDPR. Firstly, they must ensure that they are collecting and storing data properly. They also need to ensure that they are correctly informing individuals about their rights under the GDPR and that they are obtaining consent for the storage and use of data. Finally, they need to monitor their data collection and storage practices regularly to ensure that they comply with the GDPR.

Customers' rights

The GDPR grants customers a number of rights with regard to their personal data. These include the right to access their data, the right to have their data corrected, the right to have their data deleted, and the right to object to the processing of their data. Customers also have the right to file a complaint with the supervisory authority if they believe their rights have been violated.

1. The right to be forgotten

Articles 17 and 19 of the GDPR create the right to erasure. As a European citizen, you have the right to have your data erased without undue delay by the data controller if:

  • your personal data are no longer necessary for the purposes for which they were collected or processed
  • you withdraw your consent
  • you object to the processing, and there are no overriding legitimate grounds for continuing the processing
  • you object to the processing, and your personal data are being processed for direct marketing purposes
  • your personal data have been unlawfully processed
  • your personal data have to be erased to comply with a legal obligation
  • your personal data have been collected in relation to the offer of information society services to a child

If individuals request that their data be erased, companies must take steps to ensure that it is erased. This may include deleting the data from company servers and ensuring that personal data is not collected in the future.

2. The right to be informed

Companies must provide individuals with the following information before collecting their personal data:

  • The identity and contact details of the data controller
  • The purpose for which the data is being collected
  • Any recipients or categories of recipients of the data
  • The existence of the individual’s right to request the erasure of the data or restriction of processing
  • The source of the data if it was not collected from the individual
  • The existence of any automated decision-making, including profiling
  • The right to access the personal data that companies are processing about them. This includes the right to know what data is being collected, why it is being collected, and how it is being used.
  • Individuals also have the right to receive a copy of their personal data. Companies must provide this copy in a format that is easy to understand and free of

Under the GDPR, the customer has the right to be informed if the company has been hacked. The customer should be told about the incident as soon as possible and has a right to know what personal data was involved in the breach. The customer also has a right to know what steps the company is taking to protect their personal data, and what steps it is taking to ensure that the incident does not happen again.

3. The right to access

Individuals have the right to access their personal data at any time. Companies must provide individuals with a way to access their data and must provide this access free of charge. Individuals can also request that their data be provided to them in a format that is easy to understand.

4. The right to file a complaint

If a customer feels that his or her rights have been violated, he or she has the right to file a complaint with the supervisory authority. The supervisory authority will investigate the complaint and may take action against the company if it finds that the company has violated GDPR.

Data controller and data processor

Let's break down two terms that the GDPR defines. A data controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". A data processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".

Example

An office hires employees. It signs a contract with a payroll company to pay the salary. The office tells the payroll company when the salaries should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company runs the system and stores the employees’ data.

The office = data controller, the payroll company = data processor.

The data controller is the one who collects or possesses the data, and the processor is a third party hired by the controller to do work with that data.

Data Controller

Data controllers are responsible for ensuring that personal data is processed in a fair, transparent, and lawful manner. The data controller controls the procedures and purposes of data usage within a company or organization: it decides how and why personal data will be used, and is typically the owner or manager. A data controller can be:

  • A government department or agency
  • A local authority
  • A company
  • An individual

Data Processor

A data processor processes personal data on behalf of the data controller. Data processors are required to follow the instructions of the data controller and to take appropriate measures to ensure the security of personal data.

A data processor processes whatever data the controller provides. In short, the data processor processes data on behalf of the controller and does not own or control the data it processes.

This is usually a third party external to the company, e.g. Google, Facebook, or LinkedIn.

Data Protection Officer (DPO)

Data controllers and processors must appoint a DPO if they are:

  • a public authority or body
  • engaged in large-scale processing of sensitive personal data
  • engaged in large-scale processing of personal data relating to criminal convictions or offenses

The DPO is responsible for monitoring the data controller's or processor's compliance with the GDPR and for providing advice on data protection issues.

Differences: data controller and data processor

The main difference between a data controller and a data processor is that the controller determines the purposes, means, and methods of processing personal data, while the processor is only responsible for carrying out the actions of the controller. Controllers are required to appoint a Data Protection Officer, while processors are not.

Data controllers are subject to more stringent requirements under GDPR than data processors. For example, data controllers must implement risk management processes and establish an incident response plan, while data processors are not required to do so.

Data controllers must comply with all GDPR requirements, including appointing a Data Protection Officer. Data processors need only comply with the requirements that pertain to them.

Personal data

Under the GDPR, personal data can include, but is not limited to:

  • name
  • email address
  • physical address
  • IP address
  • cookies
  • other web-tracking technologies

This data may be collected when an individual visits a website, signs up for a newsletter, or fills out a form. It is important to note that the GDPR does not only apply to personal data, but also to any other type of data that can identify an individual, such as online identifiers. Companies must also regularly monitor their data collection and storage practices to ensure compliance with the GDPR.

How to report a GDPR violation?

There are a few ways that somebody can report a GDPR violation. The first is to contact the data controller or processor directly. The second is to contact the supervisory authority. The third is to use the European Commission's online complaint portal. Finally, you can contact a law enforcement agency if you believe a crime has been committed.

When an authority receives a GDPR complaint, it will investigate the complaint, respond to it, take action to resolve it, and keep records of the complaint and of any actions taken in response to it.

Sources of knowledge

The following resources can help companies understand and comply with the GDPR:

1. The European Commission’s GDPR website
2. The European Data Protection Board's (EDPB) Guidelines on Consent under the GDPR
3. The ICO’s Guide to the General Data Protection Regulation
4. The IAB Europe’s Toolkit on Consent under the GDPR
5. The EDPS’s Guidelines on Data Protection Officers
6. The EDPB’s Guidelines on Data Protection Impact Assessments
7. The EDPB’s Guidelines on the Right to Erasure (‘Right to be Forgotten’)
8. The EDPB’s Guidelines on the Right to Object to Processing
9. The Article 29 Working Party's (WP29) Opinion on Anonymisation Techniques
10. The Article 29 Working Party’s Opinion on Cloud Computing
11. The Article 29 Working Party’s Opinion on the Internet of Things
12. The European Commission’s Factsheet on the GDPR
13. The European Commission’s FAQs on the GDPR
14. The European Data Protection Board's Register of DPAs
15. The European Commission’s e-Privacy Regulation proposal
16. The European Commission’s e-Privacy Regulation impact assessment
17. The European Data Protection Supervisor’s e-Privacy Regulation Opinion
18. The Council of Europe’s Convention 108+
19. The UN Guiding Principles on Business and Human Rights
20. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data