General Data Protection Regulation compliance has become obligatory for every business or organisation which gathers, stores or uses the personal data of citizens throughout the European Union. To answer the question of what ‘GDPR compliance’ means, we should first explain the difference between a European Union Directive and a European Union Regulation.
A European Union Directive is a general set of guidelines on which a European Union member country may base its own domestic laws, with some allowed flexibility. In contrast, an EU Regulation is legislation that applies throughout the entire EU, meaning that every country or state within the EU must comply with it as it is enforced by law.
The GDPR is an EU Regulation. The 1995 EU Data Protection Directive will be replaced by the GDPR, which intends to create a set of standard data protection laws across the European Union. Businesses and companies that operate in several EU member countries will now be obligated to work within a uniform set of rules which resolve issues that were impossible to predict when the 1995 Directive was drafted, e.g. data processing in the context of “cloud” technology.
What is considered ‘personal data’?
Data is considered personal if it contains any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. It should also be noted that the GDPR protects personal data regardless of the technology used for processing it. This means that the regulation applies to both automated and manually processed data.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
Now, when we say the GDPR covers the personal data and privacy of users in the EU, it helps to know precisely the kind of data that is covered by the regulation. So, here goes…
- Name, address, email ID and other basic information about the identity of the individual
- IP address, location, cookie data and other miscellaneous information collected online by websites and apps
- Views shared on social media on politics and other topics
- Ethnic or racial data
- Data held in medical files, including any symbol that uniquely identifies a person
- Biometric data
- Sexual orientation
- Health records and medical information
Penalties for Non-Compliance
Since the GDPR is, as its name suggests, a regulation, it is enforced by law, and non-compliance within any EU member state will be met with heavy fines. The maximum fine under the GDPR is up to 4% of the annual global turnover of the organisation or €20 million – whichever is the greater number.
However, not all GDPR violations result in monetary fines. Authorities such as the UK’s Information Commissioner’s Office can take a range of other actions which include:
- Warnings and reprimands;
- Ordering a suspension of data transfers to third parties;
- Ordering the restriction, erasure, or rectification of data; and
- Imposing a ban (temporary or permanent) on data processing.
When the GDPR is violated within a member state, fines are administered by that member state's supervisory authority. The following ten factors are used to determine the amount of the fine imposed on a non-compliant organisation:
- Nature of infringement: number of people affected, damage they suffered, duration of infringement, and purpose of processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organisational preparation the firm had previously implemented to prevent non-compliance
- History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type: what types of data the infringement impacts; see special categories of personal data
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement
The rights of individuals
Organisations and companies which collect, maintain, or use an individual’s personal data but neglect to first obtain the consent of those individuals, or fail to permanently delete the data of those individuals, are in violation of the GDPR. Individuals have numerous rights which organisations must take into account when they establish their GDPR compliance. Here are some examples of the rights of individuals:
- The right to view or consult stored personal data.
- The right to correct any errors in their personal data.
- The right to be informed as to how their personal data will be used.
- The right to be informed as to how long their personal data will be stored.
- The right to be informed who their personal data is being shared with.
- The right “to be forgotten” – to have all records of personal data permanently deleted.
- The right to be informed as to the source of their personal data in circumstances where informed consent was not in fact given.