General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a regulatory framework that establishes standards for the acquisition and processing of personal data from European Union citizens (EU). Because the Regulation applies to all websites that draw European visitors, even if they do not expressly promote products or services to EU citizens, it must be followed by all sites that attract European visitors.
The General Data Protection Regulation (GDPR) requires EU visitors to be provided with a variety of data disclosures. Also, the site must take efforts to assist EU consumer rights, such as early notification in the case of a data breach. The Regulation, which was adopted in April 2016, went into full force in May 2018 following a two-year transition period.
Who is affected by General Data Protection Regulation (GDPR)
Personal data is at the core of GDPR. In general, this is information that allows a live individual to be recognized directly or indirectly, from publicly available data. Personal data might be something obvious, such as a person’s name, geographical information, or a clear online identity, or it can be something less visible, such as IP addresses and cookie identifiers.
There are a few particular kinds of sensitive personal data that are given additional safeguards under GDPR. Information regarding a person’s racial or ethnic origin, political ideas, religious beliefs, trade union membership, genetic and biometric data, health information, and data on a person’s sex life or orientation are all examples of personal data.
The most important aspect of what defines personal data is that it allows a person to be recognized – pseudonymized data can nevertheless be considered personal data. Individuals, organizations, and enterprises that are either “controllers” or “processors” of personal data are protected by GDPR, which is why it is so crucial.
The Information Commissioner’s Office (ICO), the UK’s data protection authority, states that “controllers are the principal decision-makers — they exert overarching control over the purposes and means of processing personal data.” There may also be joint controllers of personal data, in which two or more groups decide how data is handled. The ICO states that “processors act on behalf of, and only on the orders of, the applicable controller.” GDPR imposes greater responsibilities on controllers than on processors. Despite its origins in the EU, GDPR can be applied to enterprises located anywhere in the world. If a company in the United States, for example, does business in the European Union, GDPR may apply, as well as if it is a controller of EU individuals.
Rules of GDPR
1. Transparency, justice, and lawfulness
You should have a legitimate cause for processing personal data whenever you do so. This principle is called lawfulness in the GDPR. Data can be processed for a variety of reasons, including:
You have the user’s consent to do so.
To fulfil a deal, you must accomplish it.
It’s required to meet a legal responsibility.
For the preservation of a natural person’s essential interests.
It’s public work that’s being carried out in the public interest.
You can demonstrate that you have a legitimate interest that is not outweighed by the rights and interests of the data subject.
The GDPR’s idea of fairness is intertwined with the concept of legality. It implies you shouldn’t withhold information about what you’re collecting data for or why you’re collecting it. In other words, if people understood how you were utilizing their data, they wouldn’t be shocked. Fairness implies that the information you collect will not be mishandled or misused.
Transparency and fairness are inextricably linked: Transparency is defined as being transparent, open, and honest with data subjects about who you are and why and how you’re processing their personal data. You act fairly towards your data subjects if you follow it.
2. Purpose limitation
The GDPR’s second principle establishes limits on using personal data for specific purposes. According to the GDPR, data is only “collected for specific, explicit, and legal reasons.”
Your data processing purposes must be clearly defined. They must also be presented to individuals in a clear and understandable manner via a privacy notice. Finally, you must strictly adhere to them, restricting data processing to the specified goals.
Unless you have a clear responsibility or function set out in law, if you wish to use the data you’ve acquired for a new purpose that’s incompatible with your original purpose, you must seek consent again.
3. Minimization of data
Collect just the information you’ll need to fulfill your objectives. This is the GDPR’s data minimization concept. If you want to get people to sign up for your email newsletter, for example, you should just ask for the information you need to send out the newsletters. Avoid collecting personal information that isn’t directly relevant to your goal, such as phone numbers or addresses.
It’s up to you to make sure the data you gather and maintain is accurate. Set up checks and balances to rectify, update, or delete data that is erroneous or incomplete. Keep frequent audits on the calendar to double-check the data’s cleanliness.
5. Storage limitation
You must justify the amount of time you keep each piece of data you store, according to GDPR. To follow this storage limitation policy, data retention durations should be established. Set a time limit after which you’ll anonymize any data you’re not currently utilizing.
6. Confidentiality and integrity
The GDPR requires you to protect the data you gather from internal and external risks by maintaining its integrity and confidentiality. This necessitates forethought and deliberate attention. You must safeguard data against unauthorized or unlawful processing, as well as loss, deletion, or damage due to accident.
The GDPR regulators understand a business might claim to follow all of the regulations without really doing so. As a result, they demand a certain amount of accountability: As confirmation of your adherence to the data processing standards, you must have suitable methods and records in place. This evidence can be requested at any moment by supervisory authorities. The importance of documentation cannot be overstated. It establishes an audit trail that you and authorities may follow if you ever need to verify your accountability.
GDPR’s Customer-Service Requirements
According to the guidelines, visitors must be informed about the data the site collects about them and must expressly consent to such data collection by clicking an Agree button or acting.
Sites must also warn visitors on time if the site’s personal data is compromised. These EU requirements may be more stringent than those required in the jurisdiction in which the site is located.
A review of the site’s data security is also required, as is determining if a dedicated data protection officer (DPO) needs to be employed or if an existing employee can fulfill this role.
Visitors must be able to reach out to the DPO and other appropriate staff members to exercise their EU data rights, which include the opportunity to have their presence on the site removed, among other things.
The General Data Protection Regulation’s Other Provisions and Obligations (GDPR)
As an added measure of consumer protection, the GDPR mandates that any personally identifiable information (PII) collected by websites be anonymized (i.e., turned anonymous) or pseudonymized (i.e., the customer’s identity is replaced with a pseudonym). The pseudonymization of data allows businesses to perform more in-depth data analysis, such as calculating average debt ratios of customers in a certain region—a calculation that would normally be outside the scope of data acquired for evaluating creditworthiness for a loan.
The GDPR has an impact on data that isn’t acquired from customers. Most importantly, the legislation extends to employee records kept by human resources.
Controversies Regarding the GDPR
In certain sectors, GDPR has been criticized. Some argue that the obligation to appoint DPOs, or even to examine the need for them, places an unnecessary administrative burden on some businesses. Some people also claim that the standards are overly ambiguous on how to handle employee data.
Furthermore, data cannot be transmitted to a nation outside the EU unless the recipient firm ensures the same level of security as the EU. This has resulted in concerns about the high cost of disrupting corporate operations.
There’s also fear that the expenses of following GDPR will rise over time, owing to the growing need to educate consumers and staff about data security dangers and remedies. There’s also doubt about how data protection authorities across the EU and abroad will be able to coordinate their enforcement and interpretation of the legislation to provide a fair playing field when the GDPR takes full effect.
UK Cyber Security Ltd is here to help
If you would like to know more, do get in touch as we are happy to answer any questions.
Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that will provide the protection that you need to help guard against criminal attacks. Or just get in touch by clicking contact us.