GDPR stands for General Data Protection Regulation. GDPR is a European Union protection regulation that came into force on May 25, 2018. It applies to all organizations that process the personal data of EU residents. This means that companies in the EU and abroad are affected. GDPR is the strictest and most complex personal data protection regulation in the world.
Types of data
There are two types of data – personal and non-personal.
- Personal data
Personal data is any information that can directly or indirectly lead to an identified or identifiable natural person. General Data Protection Regulation uses the term ‘information’ rather than ‘data’ since the data tends to have an informational value. Any type of personal information can be linked to a specific living person.
- Non-personal data
Non-personal data is never linked to an identified or identifiable natural person. This category includes data that was previously classified as personal, although the linkage to a natural person has been removed.
What is personal data processing
Various types of actions with personal data are considered to be personal data processing: Collecting, recording, organization, structuring, storage, adapting or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.
GDPR rules apply to companies that process personal data wholly or partly, using automated or manual processing, or if the data is a part of a structured filing system.
Examples of personal data
General Data Protection Regulation applies to the processing of personal data. Companies need to protect the following personal data:
- Employee personal data (name, address, date of birth, etc.)
- Information about customers/patients/residents (marketing databases, medical records, contact lists)
- Non-public personal data of business partners and providers
- Personal data that is transferred to and processed by third parties (accounting books, credit registers, direct marketing)
- Images and sound recordings
- Encrypted data (IP addresses, MAC addresses, cookies if they can be linked to a natural person)
- Photos of individuals
- Video recordings
The purpose of GDPR
The purpose of the General Data Protection Regulation is to protect the privacy of citizens. Therefore, companies are obliged to protect the personal data of these citizens and cannot process it or sell it to any third parties without their consent.
In the past, companies would have sold data to one another without the consent of the data subjects. GDPR aims to create a uniform standardized norm for personal data protection within the EU.
Another purpose of GDPR is to modernize the former rules so that they align with the modern digital society.
Rights of the individual
GDPR is intended to help EU citizens understand how their data is being used and how to file complaints. The goal is to give individuals control over their personal data. Citizens have the following rights:
- right to be informed
- right to access
- right to rectification
- right to erasure/to be forgotten
- right to restrict processing
- right to data portability
- right to object and rights in relation to automated decision-making and profiling
The Scope of GDPR
General Data Protection Regulation impacts all organizations that process the personal data of EU citizens, including every company that offers goods and services or employs people in the EU even if an entity is based outside the EU.
GDPR applies to companies, associations, organizations, authorities and in some cases private individuals.
GDPR covers the whole European Union, and it applies to all the member states and covers the European Economic Area countries, such as Iceland, Lichtenstein, Norway, and the United Kingdom.
The Seven Principles of GDPR
GDPR stands on seven principles for the processing of personal data.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
GDPR violations – fines
In the event of a GDPR violation, there are two types of fines that companies may be obliged to pay.
- The lower level is up to 10 million euros, or 2% of the worldwide annual revenue from the previous year, depending on which is higher. Violations connected with record-keeping, data security, etc.
- The upper level is up to 20 million euros, or 4% of the worldwide total revenue from the previous fiscal year, depending on which is higher. These fines are usually issued for violations relating to data protection principles, the legal basis for processing, the prohibition of processing sensitive data, denial of data subjects’ rights, or data transfer to non-EU countries.
The GDPR fines apply to all types of businesses, from large to small.
The fines are set for each individual case and must be effective, proportionate and dissuasive. There is a catalog of criteria that is used for setting an appropriately high fine. The following criteria are considered:
- whether the violation was intentional
- the number of people affected
- what type of measures the company took to mitigate the damage
- the level of collaboration with authorities etc.
Differences in GDPR within the EU
Germany’s BDSG
When GDPR came into force, so did the new Germany Privacy Act (BDSG-new). It complements, specifies, and modifies the GDPR and focuses on specific topics. The BDSG-new applies to private companies that are based in Germany and which process personal data in Germany, but also to companies that offer goods and services in Germany or monitor the behavior of data subjects in Germany.
Five Privacy laws in the world similar to GDPR
Brazil
Brazil launched the LGPD in September 2020, right after GDPR. They are very similar in terms of scope and applicability. Companies that want to conduct business in Brazil’s economy have to comply with LGPD.
South Africa
South Africa’s Protection of Personal Information Act (POPIA) is applicable as of July 2020. There are a few differences between GDPR and POPIA regarding how strict the laws are. GDPR has higher fines, but POPIA includes criminal charges.
Turkey
Turkey’s Law on Personal Data Protection (LPDP) has been amended several times since 2016 and it is approaching GDPR, especially when it comes to personal data processing.
USA
Every state has their own privacy laws. In the State of New York there is 23 NYCRR 500, which applies to financial institutions operating in New York. In California, there is the California Consumer Privacy Act (CCPA), which closely resembles GDPR.
The CCPA is intended to further consumers’ constitutional right to privacy by giving them an effective way to control their personal information. The bill was passed by the California State Legislature and came into force on January 2020.
Thailand
In February 2019 the Thailand Personal Data Protection Act (PDPA) was approved, but the date of effect was delayed. The law is effective as of June 1, 2022. The PDPA is like the GDPR, in that it includes a broad definition of personal data, the requirement to establish a legal basis for collection and use of personal data, and high penalties for violation. The fines are lower, although there is a possibility of imprisonment.
Top 3 biggest GDPR fines
#1 Amazon – fine of €746 million
A fine of €746 million was issued by the Luxembourg National Commission for Data Protection (CNDP) to Amazon.com Inc. An investigation was opened due to a complaint filed by 10,000 people against Amazon in May 2018. CNPD found that Amazon had violated GDPR when its advertising targeting system failed to obtain proper consent from users.
#2 WhatsApp – fine of €225 million
Ireland’s Data Privacy Commission (DPC) issued a GDPR fine to WhatsApp Ireland on September 2, 2021. The principle of transparency was violated by WhatsApp Ireland Ltd, and the company didn’t provide proper information to users. In 2021, WhatsApp updated its User Privacy Notice to increase transparency about the processing of users’ personal data.
#3 Google LLC – fine of €90 million
CNIL (The Commission nationale de l’informatique et des libertés) issued a fine of €90 million to Google LLC. YouTube users in France were not allowed to refuse cookies as easily as accepting them. When users are discouraged from refusing cookies, the company benefits, and that is considered a GDPR violation.
5 steps to secure data for GDPR compliance
1
Perform a data audit
You should know what type of personal data your company generates and where the information is stored.
2
Implement document handling guidelines
Create a set of rules that specify how personal data can be handled.
3
Educate your employees
Every employee should be aware of how to handle personal data.
4
Encrypt your data
GDPR recommends that all media and external devices should be encrypted.
5
Protect your data against leakages and insider threats
Data loss prevention is a comprehensive strategy that should be implemented not only due to GDPR but because data is one of the most valuable assets that companies have. Secure your data and communication methods, such as e-mail, cloud storage, instant messengers, print, USB drives, mobile devices, etc.
How to align with GDPR with Safetica
Safetica helps you to monitor the data flow within your IT environment as well as when it leaves the perimeter of your company. You can set specific rules that help you to comply with GDPR. You will be able to see how employees work with personal and other sensitive data, and it allows you to eliminate the risk of misuse or accidental policy violation. The system notifies you in real-time in the event of a security threat.
Privacy and personal data protection should be an absolute right of everyone in the modern world. That's why we at Safetica place these protections at the heart of each of our products,”
says Safetica CISO Radim Trávníček.
If you want to find out more about regulatory compliance and Safetica, check out this link or book a demo with our security experts.