The European General Data Protection Regulation, known colloquially as GDPR, is arguably the most important change made to data privacy regulation in decades. It was adopted on April 14, 2016 and entered into force throughout the European Union (EU) and the European Economic Area (EEA) on May 25, 2018. GDPR replaces the severely outdated and insufficient 1995 Data Protection Directive, which was adopted during the early stages of the internet.
GDPR seeks to give European citizens more control over their personal data, with the goal of helping citizens and businesses alike benefit from the digital economy. The regulation seeks to achieve this by simplifying the regulatory environment and imposing similar obligations on all businesses.
Companies and organizations that fail to comply with the GDPR face sizable fines for their breach. The size of the fine depends on a variety of factors, such as the severity of the breach and the size of the company, and can be as large as €20 million or the equivalent of 4% of the company’s annual global revenue.
What is more, GDPR affects companies throughout the world irrespective of whether or not they are located in the EU insofar as they ‘deal with Europeans’. A company can be said to ‘deal with Europeans’ when it sells goods and services to or stores personal data about Europeans. Thus, GDPR has reformed the way in which data is handled worldwide and across every sector: spanning from marketing and consulting to healthcare, insurance, banking, and far beyond. Every company that is then bound by the GDPR must follow the requirements laid out therein whenever they are processing data. In practice, this means that the company is required to have a legal basis for processing all its data.
According to GDPR, personal data is defined as all data related to a person such as:
Personal data is defined in Art. 4(1) of the GDPR as any information which is related to an identified or identifiable natural person. Consequently, it is best to assume that personal data should be interpreted as broadly as possible.
The rules governing the handling of data prior to the GDPR were largely outdated and ill-equipped to keep up with the digital world we currently live in. Consequently, the GDPR aims to reform and modernize these rules by bringing laws and obligations on matters such as personal data, privacy, consent, and security up to date throughout Europe. The way we communicate has changed dramatically, and almost every aspect of day-to-day life revolves around the use of data in one way or another. Nowadays, sending emails, sharing files, paying bills, and purchasing products happen largely online, and sharing revealing personal data to do so has become the norm. This data is then collected, stored, analyzed, and in some cases exploited by businesses, which creates the need for regulations such as GDPR.
Consent is vital
Companies may not use personal data about a person unless that person has specifically and voluntarily consented to the use, through a clear declaration or a clearly affirmative action.
Right to access
People have the right to access their personal data and to learn how the company uses it. If a person requests information about their personal data, the company is obliged to provide a copy of it electronically, free of charge.
Right to erasure
People have a right to have their data deleted on request, thereby taking back their consent. It is important to note that, in practice, this is not possible for data that must be kept under national law for purposes such as taxes and accounting. Furthermore, requests for deletion may be ignored if there is a legitimate public interest in the data’s online availability.
Right to data transfer
People have the right to have their data transferred from one service provider to another.
Right to be informed
People must be informed by companies prior to any form of data collection and must give their explicit consent to it. Consent may not be acquired implicitly and must always be voluntary.
Right to have their data updated
People have a right to have their data changed if said data is outdated, insufficient, or plain wrong.
Right to object
People have a right to object, thereby, among other things, requiring that a company stops using their data for marketing. There are no exceptions to this rule and all use of the objecting individual’s personal data must stop immediately upon the company receiving the individual’s objection. It is the responsibility of the business to inform everyone clearly of this right.
Right to be notified
People have a right to be notified about any breach of data security that may compromise their personal data within 72 hours of the company obtaining information about the breach.
Data has become an integral and indeed vital part of modern life as we know it. Data brings with it a plethora of opportunities – positives for both the individual and for companies at large – but there are also risks and potentially negative repercussions that inevitably follow. The need for GDPR is evident. Nonetheless, the GDPR is by no means perfect, and it poses many challenges and worries for business owners around the world, small and big alike. That said, it also comes with opportunities for companies that take a stand for the individual. Companies that manage to convince clients that they care about data and about data protection in general, as well as companies that are open about how they use data and for what purposes, are likely to increase their trustworthiness and ultimately also customer loyalty.