Login

General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant

The General Data Protection Regulation is a European Law containing hundreds of pages of articles clarifying the data rights of the companies operating in the EU and their users/customers. This blog is going to give you a clear idea about GDPR.

Undoubtedly GDPR law is the strictest rule in the EU. It is so standard that even after ‘Brexit,’ the UK kept the law in effect (called ‘UK-GDPR’). Any violation of GDPR articles from enforcing countries must face the courts. Many US clients and business groups are facing trouble for the rule as historically, a US company (Facebook) was held responsible for the law.

GDPR law has become a role model for other countries as every tax-paying Citizen holds the right to have privacy about their data. The EU and UK have their law of GDPR to restrict the business groups, whether national or multinational, from manipulating Citizen’s data. The daunting fines for violating the articles are demoralising the enterprises. They get to sleep in peace, knowing their privacy is safe.

If you are reading this, then you must be looking for a complete training course. Enrol in The GDPR Training Course to do a certification course and be an expert.

Behind the Creation of GDPR

If you are thinking why after so many years of establishing the EU, they formed a fearsome law for businesses? This story is for you then.

The starting era of the 21st century is the boom of social media applications and the internet over every vital communication. The emergence of Google and Facebook is so important that they were forced to use each other as an ally. The intensity rose when Snowden (former US spy) opened a report about eavesdropping on the EU officials. The problem began when a Google user sued Facebook in 2011 to scan emails that were supposed to be private. After two months, the EU data protection authority declared the need for a data protection law.

The EU parliament passed the GDPR motion in 2016, and it is in effect from May 25, 2018. All operating organisations of the EU have to stay compliant with GDPR.

Is GDPR For Everyone?

If you are operating in a country enforced by GDPR and dealing with personal information, it applies to your company. It is not necessary to be on the EU territory to be convicted. If you deal with the EU or UK citizen information anywhere in the world, GDPR deals with you. This law is known to the EU as an ‘extra-territorial effect.’

Compliance Requirement

Article 3 of GDPR dictates-

  1. The Regulation applies to the processing of personal data in the context of activities of an establishment of controller or processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    1. the offering of goods or services, payment of data subject is required, to data subjects in the Union; or
    2. monitoring of their behaviour as far as their behavior takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies under public international law.

    So Article 3.1 holds responsible for every domestic and international company that processes EU citizens’ data.

    Article 3.2 has two sub-sections.

When Does GDPR Sue Outsiders?

According to Article 3.2, two types of outsiders have to maintain General data protection regulation, the GDPR.

1. Offering goods and services

E.g., Google, the giant tech company, gives online services to the EU extensively. So google is a compliant organisation that abides by GDPR rules. Huawei is an internet provider company in the EU that is headquartered in China but compliant with GDPR for dealing with EU citizen information.

2. Monitoring EU citizens' behavior

E.g. US web development company based in Los Angeles, California, selling websites mainly to US businesses. But if they try to track and analyse EU visitors to the company’s website, then this may be subject to the provisions of the GDPR guidelines.

Every Citizen is responsible!

No. Pure personal and household activity are outside the GDPR eligibility. Collecting email addresses for party invitations/ picnics is not a GDPR violation.

Another one is exempted, a company with below 250 employees. But small and medium-sized enterprises are not exempt from GDPR guidelines.

The Accuser, Accused and Accusing Content

GDPR guidelines use very formal and specific terms.

Accusing Content

Personal Data is the content for which an EU citizen can accuse you. Any company that deals with the EU citizens information is compliant to data protection protocol. The person, him/herself, doesn’t need to complain against any data privacy protocol. Local authorities also have the right to do so. Fake data input is also a crime in the privacy protocol (e.g. using someone’s picture to open a duplicate account).

The Accused

Usually, the company is held responsible for every employee’s action. So the data misuse or manipulation may happen by one or multiple employees or a branch, but the entire company will be sued for this. The probable personals are-

1. The data processors

Any action done on data is processing. These actions include collecting, recording, organising, structuring, storing, using, erasing. So whoever does such work with acquired personal data called a data processor.

2. The data controllers

The person or board that decides why and how data will be processed. The board of members of the owner of the company or a branch of the company or an employee can be the data controller.

3. The third party

If the data controller hires someone to process data on his behalf, then the hired company or person is a third party. GDPR has some special rules about third party data processing.

The Accuser

The person whose data is being processed. Usually, these people are the customers, users or visitors of the site. In GDPR fact, they are known as ‘the subject’.

GDPR Compliance Requirements

If you want to stay compliant to GDPR rules, Article 5.1-2 stated seven protection and accountability rules for you.

General Data Protection Regulation (GDPR) What you need to know to stay compliant

Accountability to Data Security

According to GDPR, you have to demonstrate how you are compliant to GDPR. Only signing a contract paper will not make you GDPR compliant. You have to appoint

Data Protection Protocol

Appropriate technical and organisational measures.” has to be implemented to handle data security. Technical measures indicate two-factor authentication and end-to-end encryption.

Organisational measures indicate staff training, privacy policy and access limitation of all employees to personal data.

If your site is compromised, you will have 72 hours to notify the subjects otherwise be fined.  (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)

Process the Data If-

Consent of the Subject

The consent of the subject is a prerequisite to process his/her data. The GDPR rules imply that consent must be-

Know Your Rights

A data subject has some right to claim if they use/visit a data processing site. There is a whole

chapter about data subjects’ rights (GDPR cp-3). In summary, they are-

CopyRight of GDPR.EU

If there are any violations to any article of GDPR, the site or the company will be fined if found guilty.

GDPR Violation Fine

GDPR violation penalty is one of the toughest in the world. There are two tires of GDPR violation.

The less severe

This kind of infringement can result in maximum €10 million or 2% of a company’s global revenue (whichever is highest). The acts behind this huge fine are described-

➔   Controllers and Processors that manipulate personal data collected from customers and do not abide by Articles 8, 11, 25-39, 42, and 43.

➔   Certification bodies that do not/cannot certify the evaluation and assessment process of their certification programs and by that violating Articles 42 and 43.

General Data Protection Regulation (GDPR) What you need to know to stay compliant

Source: Privacy Affairs GDPR Fines Tracker

➔   Monitoring bodies that do not maintain a proper procedure in handling complaints or reported infringements impartially and transparently.

The more serious

This kind of infringement can result in a maximum €20 million or 4% of a company’s global revenue (whichever is highest). The acts behind this huge fine are described-

  •    Basic principles of data processing indicating lawfulness, fairness and transparency. Articles 5, 6 and 9 dictate the laws.
  •    The permission/consent of the users to use/manipulate data. Article 7 clarifies the rule.
  •    Articles 44-49 say that transfer of data to a third country without any legal notice is also a violation of GDPR law.

So to avoid such a huge fine, you need a data protection officer(DPO). A person to monitor all the personal data your company deals. 

Some Biggest Fines and the Companies

Some multinational and national companies are fined a record amount in recent years. The big five companies are-

General Data Protection Regulation (GDPR) What you need to know to stay compliant fines

Google- €50 million

The French authority sued google for lack of transparency in processing citizens’ data. Google failed to provide proof against user consent policy to show ads and control of data.

TIM- €27.8 million

This telecommunication giant invaded non-authorised personal information as an aggressive marketing policy. They contacted a few million individuals (150 times more per-month) who were not their customers by acquiring their name, surname or company name; tax code or VAT number; telephone line; address; contact details without permission. They violated some serious GDPR facts in this process.

Austrian Post- €18 million (additional 1.8 million for investigation)

Austrian Post had accounts of over one-third of the national population and sold their names to a third party. This crime was so grave that the authority invested an additional 1.8 million euro in finding the names of victims (political leaders were there too).

Deutsche Wohnen SE – €14.5 million

The German real estate company was accused of keeping their tenant’s unnecessary information and was not compliant to data retention law of GDPR facts. They actually could not provide any real use of their tenants’ information in their archive, which GDPR strictly implies.

 

1&1 Telecom GmbH – €9.5 million

This German telecom company did not have proper security of the customer data. As a result, it was easy for an outsider to access personal data which GDPR condemns. 

 

Closing Note

So these penalty histories probably gave you an insight about General Data Protection Regulation, GDPR facts. Nowadays, every company that operates in GDPR enforced territory has a Data Protection Officer (DPO) to avoid a humongous fine. So career is bright if you are looking to be a GDPR expert instead of opening a company.

October 25, 2023
0
Your Cart

Upgrade to get UNLIMITED ACCESS to ALL COURSES for only £49.00 per year

ADD OFFER TO CART

No more than 50 active courses at any one time. Membership renews after 12 months. Cancel anytime from your account. Certain courses are not included. Can't be used in conjunction with any other offer.