The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
The promulgation of the GDPR exemplifies Europe’s unwavering commitment to upholding the principles of data privacy and security, particularly in the context of an evolving digital landscape characterized by increasing reliance on cloud-based services and the prevalence of data breaches. Notably, the regulation’s extensive scope and intricate provisions, coupled with certain areas of ambiguity, present a multifaceted challenge for organizations seeking to achieve full compliance. This complexity is particularly evident for small and medium-sized enterprises (SMEs) that may face considerable obstacles in navigating the regulatory requirements. Consequently, it is of paramount importance for all affected organizations to exercise due diligence and adopt comprehensive measures to ensure adherence to the GDPR’s guidelines and to safeguard the data privacy rights of individuals.
The GDPR applies to all organizations that process personal data of individuals in the European Union, regardless of whether the organization is based in the EU or not. This means that any organization that collects, stores, or uses personal data of individuals in the EU must comply with the GDPR.
Personal data is defined as any information relating to an identified or identifiable natural person. This includes names, addresses, email addresses, phone numbers, IP addresses, and other similar information. The GDPR requires organizations to obtain explicit consent from individuals before collecting their personal data and to provide them with clear information about how their data will be used.
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework enacted by the EU to strengthen and unify data protection for individuals within the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside these regions. GDPR establishes a set of data protection principles and rights that organizations must adhere to when collecting, processing, and storing personal data.
Key Principles of GDPR
The General Data Protection Regulation (GDPR) is based on several key principles that organizations must follow when processing personal data. These key principles are as follows:
- Lawfulness, fairness, and transparency: Organizations must process personal data lawfully, fairly, and in a transparent manner.
- Purpose limitation: Organizations must collect personal data for specified, explicit, and legitimate purposes and not process it in a way that is incompatible with those purposes.
- Data minimization: Organizations must ensure that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: Organizations must ensure that personal data is accurate and kept up to date.
- Storage limitation: Organizations must keep personal data for no longer than is necessary for the purposes for which it was collected.
- Integrity and confidentiality: Organizations must ensure that personal data is processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
- Accountability: Organizations are responsible for demonstrating compliance with GDPR requirements and may be subject to audits by supervisory authorities.
Under the GDPR, individuals have several rights regarding their personal data. They have the right to access their data and request that it be corrected or deleted if it is inaccurate or incomplete. They also have the right to object to the processing of their data for certain purposes and to request that their data be transferred to another organization. The following are the 7 core rights outlined by the GDPR:
- Right to access: Individuals have the right to obtain confirmation from an organization as to whether or not personal data concerning them is being processed, and if so, access to that data.
- Right to rectification: Individuals have the right to request that an organization correct any inaccurate or incomplete personal data concerning them.
- Right to erasure: Individuals have the right to request that an organization erase their personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
- Right to restrict processing: Individuals have the right to request that an organization restrict the processing of their personal data in certain circumstances, such as when they contest the accuracy of the data.
- Right to object: Individuals have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them.
- Right to data portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another organization.
- Right not to be subject to automated decision-making: Individuals have the right not to be subject to automated decision-making, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Enforcement and Fines
The General Data Protection Regulation (GDPR) is known for its stringent enforcement mechanisms, including the imposition of substantial fines and penalties for noncompliance with its provisions. Organizations that fail to adhere to the requirements set forth by the GDPR may face legal repercussions, which serve as a deterrent for potential violations and ensure that data protection and privacy rights are upheld. Below is an overview of the fines and penalties associated with GDPR noncompliance:
Two-Tiered System of Fines: The GDPR employs a two-tiered system for imposing fines, with the severity of the fine depending on the nature and extent of the violation:
- Up to €10 million or 2% of the organization’s global annual revenue, whichever is higher, for violations related to record-keeping, data security, data protection officers, and data protection impact assessments.
- Up to €20 million or 4% of the organization’s global annual revenue, whichever is higher, for violations related to the basic principles for processing personal data, including consent, data subject rights, and international transfers.
The factors that influence the level of administrative fines under the General Data Protection Regulation (GDPR) are as follows:
- The nature and severity of the violation: The more serious the violation, the higher the potential fine. For example, a data breach that exposes sensitive personal data would be considered more serious than a minor violation of record-keeping requirements.
- The duration of the violation: If an organization has been violating GDPR requirements for an extended period of time, this may result in a higher fine.
- The number of individuals affected: If a large number of individuals are affected by a violation, this may result in a higher fine.
- The level of cooperation with supervisory authorities: Organizations that cooperate fully with supervisory authorities during investigations and take steps to remedy violations may receive lower fines than those that do not.
- The level of compliance prior to the violation: Organizations that have made efforts to comply with GDPR requirements before a violation occurs may receive lower fines than those that have not.
Compliance with the General Data Protection Regulation (GDPR) is a fundamental and non-negotiable obligation for organizations operating in today’s data-driven world. Adherence to GDPR not only ensures legal and regulatory alignment but also brings a multitude of advantages that extend beyond mere compliance. A key consideration for organizations complying with GDPR is the avoidance of substantial financial penalties, which can have detrimental effects on an organization’s reputation and fiscal health. By proactively instituting comprehensive data protection measures, organizations can reduce the likelihood of facing costly fines and legal consequences resulting from violations of the regulation.
Moreover, adherence to the principles of GDPR fosters a sense of trustworthiness and dependability among consumers, clients, partners, and various stakeholders. Amid the growing apprehension about data privacy, individuals are more inclined to engage with organizations that exemplify transparency, uphold accountability, and are committed to safeguarding the privacy of personal data.
Ultimately, compliance with GDPR represents more than a legal obligation—it serves as a strategic cornerstone that reinforces an organization’s credibility, augments competitive advantage, and promotes sustained success. By adopting and embodying the principles of GDPR within their organizational values, businesses can solidify a foundation of trust, strengthen customer relationships, and advocate for the ethical handling of data in an increasingly digital world.