What is GDPR?
Data protection regulations are often seen as something that’s rather confusing or problematic. However, their main purpose is to make sure that both businesses and individuals are using the personal data of others correctly, whilst making sure that their own data is not being misused. In this way, data protection regulations protect us from malevolent or fraudulent uses of our confidential information.
How does GDPR fit into all of this? The abbreviation GDPR stands for General Data Protection Regulation. It’s an EU regulation that aims to standardize the data protection methods of each of its member states, ensuring that the same laws are applied in all its constituent countries. The purpose is to give EU citizens more power and visibility into which pieces of personal information organizations hold on them, along with how and where this data is used. Access to this information is expected to give such citizens increased protection against the misuse of their personal data by other organizations.
Within the GDPR, the list of things that can constitute “personal data” is rather large and includes pretty much anything that can be used directly or indirectly to identify a specific individual. Such things include:
- Email address
- Home address
- Bank details
- Medical information
- Political opinions
- Biometric data
- IP address
- Racial/ethnic data
- Social media posts
- Sexual orientation
Some of the things on this list might be surprising, others are self-explanatory. But the general commonality is that any of these points can be used to identify a specific person, and they’re all therefore considered “personal data”.
The GDPR came into force on the 25th May 2018 and has been up and running ever since. According to research from Betipy, it applies to all organizations either registered within the EU or with a subsidiary in the EU, as well as any international organizations that either sell products and services to EU residents or process their personal data in any way. Any organizations found in breach of EU GDPR can face fines up to a substantial €20,000,000 or 4% of the company’s global turnover.
How Does GDPR Affect Large Businesses?
The GDPR will have a significant effect on large businesses that have a sizeable workforce. There are numerous rules, processes, and restrictions included in the GDPR, which businesses will have to comply with if they’re to avoid breaching the regulations and being charged a hefty fine.
The first step for a large business is to make itself aware of the GDPR rules, regulations and timeline. Without a thorough understanding of the regulations, businesses run the risk of missing something critical within their processes and procedures, which could lead to the breach of vital regulations.
After making themselves aware of the GDPR, there are several key rules and processes that must be accommodated within the business’s policies. Businesses must…
- Document all personal data held – the new regulations require businesses to keep a documented record of all data processing carried out, including where the data came from, who it’s shared with, and for what purpose it’s been collected.
- Ensure privacy notices adhere to GDPR – all businesses must make sure that their privacy notices are in accordance with GDPR and are communicated to all relevant stakeholders, including staff, customers, and contractors.
- Provide the necessary procedures for implementing individuals’ rights – within the GDPR, anyone wishing to observe or affect how their personal data is used and stored must be given the right to do so, including requests for the deletion of personal data. Businesses must therefore include documented procedures for satisfying this type of request.
- Offer Subject Access Requests for free – As mentioned above, under GDPR, individuals can request access to information on how their personal data is processed and used, which is called a Subject Access Request (SAR). As well as businesses having to implement procedures to support this, which can become rather onerous, they must also deliver the SAR within 30 days and cannot charge a fee.
- Record “Consent Management” methods – Included within the GDPR are rules on how businesses seek, record and manage consent. This is to ensure that businesses are making individuals fully aware of how and why their data is being collected, and that the individuals have given full consent for the collection of their personal data. A business must record its processes for adhering to this.
- Differentiate between children and adults – the GDPR brought in special protection for data belonging to children for the first time. Businesses must now differentiate between children and adults so that they can accurately apply the correct GDPR provisions for the individual’s age.
- Implement specific data breach procedures – certain types of data breach have specific regulations to adhere to, including to which relevant supervisory authority the breach must be reported. Businesses must ensure that they implement the correct data breach procedures for the specific type of data breach that’s occurred.
- Assign data protection officers – in order to facilitate and control the implementation of GDPR rules and procedures, businesses must designate data protection officers (DPOs). This only really applies to large businesses that have a need for large amounts of personal data processing. DPOs include both controllers and processors, with both providing key functions in processing operations and general GDPR compliance.
- Identify a lead data authority across multi-state EU companies – if a business spans several EU states, a lead data protection supervisory authority must be identified. This authority becomes responsible for overseeing the implementation of, and adherence to, GDPR across all branches of the company, regardless of which EU state the branch resides in.
This list makes it clear that GDPR has a significant effect on how businesses operate. Many businesses and commentators considered it an extremely serious topic in the lead-up to its rollout in May 2018, as demonstrated by a BBC article from 2017 (1) titled “Could new data laws end up bankrupting your company?”. The title alone demonstrates the level of concern that was given to these radical new data protection laws. As a result of this widespread fear, a great deal of preparation went into the roll-out of these new regulations, and GDPR has now become an established and accepted element of day-to-day business within the EU.
Guest post courtesy of Angelina Murphy