The General Data Protection Regulation
This was passed in the European Union to ensure complete data protection. It has a strict set of regulations and penalizes non-compliant organizations heavily, with fines of up to almost 4% of their annual net revenue. GDPR stipulates that companies, irrespective of whether they are within or outside of the EU, must ensure complete data protection for the citizens of the EU, including controlling who can access and use the information and respecting the citizens' right to be forgotten. If your organization is based in the EU or transacts with companies in the EU, then GDPR compliance is mandatory.
1. Getting informed
Consent
Consent is a fundamental aspect of the GDPR, and it places significant emphasis on ensuring that individuals have control over their personal data. Ensuring compliance with GDPR consent requirements involves careful consideration of how consent is obtained, documented, and managed throughout the data processing lifecycle. Organizations must also regularly review and update their consent mechanisms to ensure ongoing compliance with GDPR standards.
Clear and Unambiguous Consent
Consent must be freely given, specific, informed, and unambiguous. This means that individuals must actively agree to the processing of their personal data. Silence, pre-ticked boxes, or inactivity do not constitute valid consent.
Separate Consent
Consent must be separate from other terms and conditions. This means that consent cannot be bundled with other agreements, and individuals must be able to give consent separately from agreeing to other matters.
Informed Consent
Individuals must be fully informed about the purpose of the data processing, the types of data being collected, how it will be used, and any third parties with whom the data will be shared. This information must be presented in clear and understandable language.
Granular Consent
GDPR requires that consent be granular, meaning that individuals must be able to consent to different types of processing separately. They should have the option to consent to some processing activities while withholding consent for others.
Easy Withdrawal of Consent
Individuals have the right to withdraw their consent at any time, and it must be as easy to withdraw consent as it was to give it. Organizations must provide clear instructions on how individuals can withdraw consent, and they must stop processing the data as soon as consent is withdrawn.
Explicit Consent for Special Categories of Data
For processing special categories of personal data (e.g., health information, racial or ethnic origin, political opinions), explicit consent is required. This means that consent must be given explicitly, rather than implied.
Proof of Consent
Organizations are required to keep records demonstrating that individuals have given valid consent to the processing of their personal data. These records should include information on when and how consent was obtained.
Children's Consent
For data processing related to services offered directly to children (under the age of 16 in most EU countries, but member states can lower this to a minimum of 13), parental consent is required.
2. Getting notified
Data Breach Notification
A data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Data breach notification is a critical aspect of GDPR compliance, and organizations must have robust procedures in place to detect, assess, and report breaches promptly. Failure to comply with data breach notification requirements can result in significant fines and reputational damage for organizations.
Timely Notification
Organizations must notify the relevant supervisory authority (usually the Data Protection Authority in their respective EU member state) of a data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification is not made within 72 hours, the organization must provide a reason for the delay.
Exceptions to Notification
Exceptions to the obligation to notify data subjects exist under certain circumstances. If technical and organizational measures that safeguard the personal data affected by the breach have been applied, especially measures that render the data incomprehensible to unauthorized individuals, such as encryption, notification of data subjects may not be required. Likewise, if subsequent actions have been taken that make a high risk to the rights and freedoms of data subjects unlikely to materialize, the requirement to notify data subjects may also be waived. These exceptions offer flexibility in situations where adequate safeguards protect the integrity and privacy of individuals' data, reducing the need for immediate disclosure to the individuals affected.
Content of Notification
The notification to the supervisory authority regarding a data breach must contain several key elements. Firstly, it should provide a detailed description of the breach, outlining the nature of the incident, including the categories and approximate number of individuals whose data has been compromised, as well as the categories and approximate quantity of personal data records involved. Additionally, it should furnish contact details of the data protection officer or another designated point of contact for further inquiries. Furthermore, the notification should delineate the anticipated repercussions of the breach and elucidate the measures already implemented or proposed to rectify the situation. This may encompass actions taken to mitigate any potential adverse effects of the breach.
Notification to Data Subjects
In certain circumstances, organizations must also communicate the data breach to the affected data subjects without undue delay, particularly if the breach is likely to result in a high risk to their rights and freedoms. This communication should be clear and easily understandable and should include recommendations for mitigating potential adverse effects.
Documentation and Record-Keeping
Organizations must document all data breaches, regardless of whether notification is required. This documentation should include the facts surrounding the breach, its effects, and the remedial action taken. These records help demonstrate compliance with GDPR requirements and are subject to review by supervisory authorities.
3. Fundamental rights
The Right to Access
The Right to Access, also known as the Subject Access Right, is one of the fundamental rights granted to individuals under the General Data Protection Regulation (GDPR). It empowers individuals to request access to their personal data held by organizations and to obtain information about how their data is being processed. Organizations must have processes in place to handle subject access requests efficiently and in compliance with GDPR requirements.
Requesting Access
Individuals have the right to request access to their personal data held by organizations. This request can be made verbally or in writing, and organizations are obligated to respond to the request within one month of receiving it. In certain cases, this period can be extended by two further months if the request is complex or numerous, but the individual must be informed of the extension within one month of the receipt of the request, along with the reasons for the delay.
No Fee (in most cases)
In general, organizations cannot charge a fee for fulfilling a subject access request unless the request is "manifestly unfounded or excessive," particularly if it is repetitive. In such cases, organizations may charge a reasonable fee or refuse to act on the request.
Exemptions and Identity Verification
When addressing subject access requests, it's essential to consider both exemptions and identity verification procedures. Exemptions to the Right to Access exist, including those pertaining to national security, defense, law enforcement, and legal professional privilege. Nevertheless, these exemptions must be narrowly applied and in compliance with GDPR regulations. Additionally, organizations have the right to request reasonable additional information from individuals to verify their identity before fulfilling the subject access request, especially if there are concerns regarding the security of personal data. These measures ensure that data protection rights are upheld while safeguarding against potential misuse or unauthorized access to sensitive information.
Clarification of Requests
If the request is unclear or incomplete, the organization should seek clarification from the individual to ensure that the request is properly understood and can be adequately fulfilled.
Information Provided
When responding to a subject access request, certain information should be provided to the individual seeking access to their personal data. This includes confirmation as to whether or not their personal data is being processed, along with access to a copy of the data undergoing processing. Additionally, individuals should be informed about the purposes for which their data is being processed, the categories of personal data involved, and the recipients or categories of recipients to whom the data has been or will be disclosed. Furthermore, they should be made aware of the envisaged period for which their personal data will be stored, or the criteria utilized to determine that period. It's crucial to communicate the existence of their rights, including the right to request rectification, erasure, or restriction of processing, as well as the right to object to such processing. Moreover, individuals should be informed about their right to lodge a complaint with a supervisory authority. Lastly, if the personal data has not been collected directly from the individual, any available information regarding its source should also be disclosed. Providing this comprehensive information ensures transparency and empowers individuals to exercise their data protection rights effectively.
Format of Response
Organizations must provide the requested information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. This may involve providing the information in writing or by electronic means, depending on the individual's preference and the nature of the request.
4. Control your data
The Right to be Forgotten
The Right to be Forgotten, also known as the Right to Erasure, is a key provision of the General Data Protection Regulation (GDPR) that empowers individuals to request the deletion or removal of their personal data when certain conditions are met. The Right to be Forgotten is designed to empower individuals to have greater control over their personal data and to protect their privacy rights. It places obligations on organizations to honor individuals' requests for erasure, subject to certain limitations and exceptions outlined in the GDPR.
Erasure Rights and Procedures
Individuals possess the right to request the erasure of their personal data under specific conditions, including instances where the data is no longer necessary for its original purpose, consent has been withdrawn, or the data was unlawfully processed. Furthermore, erasure may be requested to comply with legal obligations or if the data was collected in relation to information society services for a child.
Exceptions and Limitations
While the right to erasure is fundamental, certain exceptions exist, such as circumstances involving freedom of expression, legal obligations, public interest in health, archiving, research, or defense of legal claims.
Request Submission and Response Time
Individuals can submit erasure requests verbally or in writing, with organizations obliged to respond promptly within one month. Extensions are permissible in complex cases, but individuals must be informed within the initial one-month period.
Obligations Regarding Third Parties
If personal data has been shared with third parties, organizations must notify them of the erasure request, unless it is unfeasible or excessively burdensome. Additionally, individuals have the right to know about these third parties upon request.
5. Know who has your data
Data Portability
Data Portability is an important aspect of GDPR compliance as it enhances individuals' control over their personal data and promotes competition and innovation in the digital economy. It empowers individuals to make informed choices about their data and fosters trust between individuals and service providers.
Definition
Data Portability refers to the right of individuals to receive their personal data from a data controller in a structured, commonly used, and machine-readable format. It also allows individuals to transmit this data to another data controller without hindrance.
Purpose
The primary purpose of Data Portability is to enhance individuals' control over their personal data and facilitate the switch between different service providers or platforms. It promotes competition and innovation by enabling individuals to use their personal data to take advantage of new services or tools.
Scope
Data Portability applies to personal data that individuals have provided to a data controller, and where the processing is based on consent or the performance of a contract. It includes data that individuals actively and knowingly provide, as well as data generated through their activities or interactions with a service.
Formats for Portability
The data must be provided in a structured, commonly used, and machine-readable format, such as CSV, XML, or JSON. This ensures that the data can be easily understood and processed by both individuals and other data controllers.
Process for Requesting Portability
Individuals can make a request for Data Portability verbally or in writing. Data controllers must respond to these requests without undue delay and within one month of receipt. This period can be extended by two further months if the request is complex or numerous, but the individual must be informed of the extension and the reasons for it within one month of the receipt of the request.
Transmission to Another Data Controller
Upon request, the data controller must transmit the individual's personal data directly to another data controller, where technically feasible. This should be done securely and without hindrance.
Exceptions
Data Portability does not apply if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Additionally, it does not apply to processing necessary for the establishment, exercise, or defense of legal claims.
Interoperability
Data controllers are encouraged to develop interoperable formats and standards to facilitate Data Portability and ensure that individuals can effectively exercise their rights across different services and platforms.
6. Protect your data
Data Protection Officers
Data Protection Officers (DPOs) play a crucial role in promoting and ensuring compliance with the General Data Protection Regulation (GDPR), protecting individuals' privacy rights, and fostering a culture of data protection within organizations.
Role and Responsibilities
Firstly, they offer advice and guidance to the organization on adhering to data protection regulations. This includes monitoring compliance with GDPR requirements, overseeing the development and implementation of data protection policies, procedures, and practices. DPOs also manage Data Protection Impact Assessments (DPIAs), which evaluate the potential impact of data processing activities on individuals' privacy rights. Furthermore, they handle data subjects' requests related to their rights under the GDPR, such as access, rectification, erasure, and data portability. Acting as a liaison with supervisory authorities, DPOs serve as the organization's point of contact for regulatory matters, fostering cooperation on data protection issues. Additionally, they are responsible for training and raising awareness among employees regarding GDPR obligations and best practices for data protection. Lastly, DPOs oversee the organization's response to data breaches, including notifying supervisory authorities and affected data subjects when necessary, thus ensuring swift and appropriate action in the event of a breach.
Qualifications and Expertise
DPOs are expected to embody a range of qualifications and attributes essential for the effective execution of their duties. Firstly, they should demonstrate expertise in data protection law, encompassing a thorough comprehension of legislation such as the GDPR and pertinent national data protection laws. Alongside legal acumen, DPOs are required to exhibit professional qualities including integrity, independence, and a steadfast commitment to upholding high ethical standards. Moreover, a comprehensive understanding of the organization's structure, operations, and data processing activities is imperative, ensuring that DPOs can effectively navigate and address data protection challenges within the organizational context. Additionally, relevant experience in data protection and privacy-related roles, coupled with proficiency in information technology and data security practices, equips DPOs with the requisite skills to fulfill their role competently. By possessing these attributes and qualifications, DPOs are better positioned to safeguard individuals' privacy rights and foster a culture of compliance with data protection regulations within the organization.
Appointment and Position within the Organization
Positioned within the organization, DPOs should maintain a direct line of communication with the highest management level, such as the CEO or board of directors, to uphold independence and ensure effectiveness in their role. Operating autonomously, DPOs should not be subject to directives concerning their task performance and must not face dismissal or penalties for executing their duties diligently. This framework ensures that DPOs can fulfill their responsibilities impartially and without interference, safeguarding individuals' privacy rights and fostering a culture of compliance within the organization.
DPO's Contact Information
Public accessibility: The contact details of the DPO should be published and made easily accessible to data subjects and supervisory authorities.
7. Privacy first
Penalties
Under the General Data Protection Regulation (GDPR), organizations that fail to comply with its provisions can face significant penalties and fines. GDPR penalties are designed to incentivize organizations to take data protection and privacy seriously, ensure compliance with GDPR requirements, and protect individuals' rights and freedoms regarding their personal data.
Administrative Fines
The GDPR grants supervisory authorities, which include Data Protection Authorities in EU member states, the authority to impose administrative fines on organizations found to be in breach of GDPR requirements. These fines are categorized into two tiers based on the severity of the infringement.

The first tier allows fines of up to €10 million or 2% of the organization's worldwide annual revenue from the previous financial year, whichever amount is higher. This tier applies to violations concerning specific provisions such as data protection by design and by default, maintenance of data processing records, implementation of data security measures, conducting data protection impact assessments (DPIAs), and timely notification of data breaches.

The second tier permits fines of up to €20 million or 4% of the organization's worldwide annual revenue from the previous financial year, whichever is higher. This tier is applicable to breaches related to the core principles of data processing, including the lawfulness, fairness, and transparency of processing, adherence to the purpose limitation principle, data minimization, accuracy, storage limitation, integrity, and confidentiality of data, as well as respecting individuals' rights and handling international data transfers appropriately.

These fines serve as significant deterrents for organizations, emphasizing the importance of compliance with GDPR standards and the protection of individuals' privacy rights.
Other Remedies
Alongside administrative fines, supervisory authorities hold the power to enforce various other remedies and corrective actions to address GDPR violations. These measures may include issuing warnings, reprimands, or directives to cease processing, as well as imposing temporary or permanent bans on data processing activities. Moreover, supervisory authorities have the authority to issue binding decisions mandating organizations to rectify or erase personal data, impose restrictions on processing activities, or comply with individuals' requests for data access or modification. These additional measures serve to reinforce compliance with GDPR regulations, ensuring that organizations take appropriate action to rectify breaches and safeguard individuals' rights to data protection and privacy.
Rights of Individuals to Compensation
Individuals whose rights have been infringed under the GDPR hold the right to seek compensation from organizations for any material or non-material damages incurred due to the violation. This compensation extends beyond the administrative fines levied by supervisory authorities, holding organizations accountable for the harm caused by their non-compliance with GDPR regulations. Consequently, organizations may face financial liability in the form of compensation claims, further emphasizing the importance of adhering to data protection laws and safeguarding individuals' rights to privacy and data protection.
Factors Considered in Determining Fines
When determining the appropriate administrative fines for GDPR violations, supervisory authorities consider various factors. These include the nature, gravity, and duration of the infringement, assessing the severity and impact of the violation along with its persistence. Additionally, fines may be escalated if a significant number of individuals are affected by the breach. The intentional or negligent conduct of the organization also plays a crucial role, with higher fines potentially imposed for deliberate misconduct or negligence. Conversely, organizations demonstrating proactive efforts to address compliance issues and cooperating with supervisory authorities may receive mitigated penalties. Furthermore, any history of previous infringements or warnings issued to the organization may be taken into account, influencing the final decision on fines. This comprehensive evaluation framework ensures that penalties are commensurate with the severity of the violation while incentivizing organizations to prioritize data protection and compliance with GDPR regulations.