The GDPR applies to all companies that process the personal data of EU citizens, regardless of where the company is located. It applies to any data that can be used to identify a living individual, including names, addresses, email addresses, IP addresses, and location data.
The GDPR strengthens EU data protection rules by giving individuals more control over their personal data and how it is collected, used, and shared. It also imposes stricter penalties on organizations that fail to comply with the regulation. Under GDPR, organizations must obtain explicit consent to process personal data, and must inform individuals of their rights, including the right to access, correct, and delete their personal data.
What is Personal Data?
According to the General Data Protection Regulation (GDPR), personal data is any information that can be used to directly or indirectly identify a natural person.
This includes not only traditional personal information like names, addresses, and phone numbers, but also other types of data such as IP addresses, cookie data, and location data. Personal data can also include special categories of data, such as information about an individual’s health, religion, or sexual orientation, which require additional protections.
Key provisions of the GDPR
- The Right to be Informed: The GDPR requires companies to provide clear, concise, and easily understandable information to individuals about the collection and use of their personal data.
- The Right of Access: The GDPR gives individuals the right to access the personal data that a company holds about them, as well as information about how the data is being used.
- The Right to Rectification: The GDPR gives individuals the right to have inaccurate personal data corrected and completed.
- The Right to Erasure: The GDPR gives individuals the right to have their personal data deleted in certain circumstances, such as when the data is no longer needed for the purpose for which it was collected.
- The Right to Restrict Processing: The GDPR gives individuals the right to limit the ways in which their personal data is used, for example, by asking a company to stop using the data for direct marketing.
- The Right to Data Portability: The GDPR gives individuals the right to receive their personal data in a format that is easy to reuse and to transmit it to another data controller.
- The Right to Object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances, such as for direct marketing purposes.
- The Right not to be subject to Automated Decision-making: The GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them.
- The Accountability Principle: The GDPR requires companies to take responsibility for complying with the regulation, including implementing appropriate technical and organizational measures to protect personal data.
- The Data Protection Officer (DPO): The GDPR requires companies to appoint a Data Protection Officer if they carry out certain types of data processing or if they are a public body.
- The Data Breach Notification: GDPR requires companies to notify the supervisory authority of a data breach within 72 hours of becoming aware of it, and to notify the affected individuals if the data breach poses a risk to their rights and freedoms.
- The Fines and Penalties: GDPR has strict fines and penalties for non-compliance, up to €20 million, or up to 4% of the total worldwide annual revenue of the preceding financial year, whichever is higher.
The GDPR is a complex law, and companies are advised to consult with legal counsel to ensure compliance.
Key Issues with GDPR
- Identifying and mapping all personal data: Companies must be able to identify and map all personal data that they collect, process, and store. This can be a time-consuming and resource-intensive task.
- Obtaining consent: GDPR requires companies to obtain explicit and informed consent from individuals before collecting and processing their personal data. This can be difficult to achieve, particularly for companies with large customer bases.
- Providing data access and deletion: GDPR requires companies to provide individuals with access to their personal data upon request and to delete it upon request. This can be difficult to achieve, particularly for companies with large amounts of data.
- Compliance with data protection by design and default: GDPR requires companies to implement data protection measures throughout the entire data lifecycle. This can be difficult for companies that have not previously prioritized data protection.
- Appointing a data protection officer: GDPR requires companies to appoint a data protection officer (DPO) if they meet certain criteria. This can be difficult for smaller companies without dedicated privacy resources.
- Risk of heavy fines: GDPR introduced hefty fines for non-compliance, up to 4% of a company’s annual revenue or €20 million (whichever is higher). This can have a significant impact on a company’s bottom line.
Revisions to GDPR
The General Data Protection Regulation (GDPR) was adopted by the European Union in 2016 and went into effect in May 2018. Since its implementation, there have not been any major revisions to the regulation, although several clarifications and related developments are worth noting:
- One-stop-shop mechanism: The EDPB and the ECJ have clarified the one-stop-shop mechanism, which allows companies to have their data protection compliance overseen by a single EU member state rather than each individual country in which they operate.
- Legitimate interest: The EDPB has provided guidance on the legitimate interest grounds for processing personal data under GDPR, which allows companies to process data without explicit consent in certain circumstances.
- Data protection impact assessment (DPIA): The EDPB has provided guidance on how to conduct a DPIA, which is a risk assessment required under GDPR for certain types of data processing activities.
- GDPR and e-Privacy Regulation: The EU is currently working on a new e-Privacy Regulation, which will complement GDPR and address specific privacy concerns related to electronic communications.
- GDPR and Brexit: The UK has left the EU, but GDPR was applicable to the UK until the end of the transition period on December 31, 2020.
GDPR and Schrems II
Schrems II is a legal case that invalidated the EU-US Privacy Shield, a framework for transferring personal data from the EU to the US. The case was brought by an Austrian lawyer and privacy activist, Max Schrems, and was decided by the European Court of Justice (ECJ) on July 16, 2020.