What is GDPR?
GDPR stands for General Data Protection Regulation. It is an EU regulation that unifies data protection law across all member states of the European Union (EU) and, through the EEA agreement, also applies in Iceland, Liechtenstein and Norway. It gives people in the EU more rights over, and more control of, how their personal data is processed. The GDPR was adopted in April 2016 and has applied since May 25, 2018. It comprises 99 articles, arranged into 11 chapters.
Who Does this Regulation Apply to?
The GDPR applies to organizations, companies, individuals, corporations, public authorities and other entities – including small businesses, charities and nonprofit organizations – that are either based in the EU, offer goods or services (even for free) to people in the EU, or that monitor the behaviour of people in the EU, either directly or as a third party.
What are the Consequences of Violating the GDPR?
The GDPR sets two tiers of administrative fines. The lower tier is up to €10 million or 2% of annual global turnover (whichever is higher) for infringements such as failing to meet controller and processor obligations. The upper tier is up to €20 million or 4% of annual global turnover (whichever is higher) for infringements of the basic processing principles, of data subjects' rights, or of the rules on international transfers.
Core GDPR Guidelines
The key principles of GDPR compliance, which dictate how organizations must process personal data, are as follows:
- Lawfulness, fairness, and transparency
- Data processing must be legal and the information collected and used fairly. You cannot mislead users about how you use their data.
- Purpose limitation
- The purposes of processing must be specified and recorded from the start, and the data may not be further processed in a way that is incompatible with those purposes.
- Data minimization
- Only data that is adequate, relevant and limited to what is necessary for the stated processing purpose may be collected.
- Accuracy
- Reasonable steps must be taken to ensure the collected data is accurate and kept up to date.
- Storage limitation
- You should not keep personal data in identifiable form for longer than is necessary for the purpose it was collected for.
- Integrity and confidentiality
- Appropriate technical and organizational security measures must be in place to protect personal data against unauthorized access, loss, alteration or disclosure.
- Accountability
- Organizations are responsible for how they handle personal data and must be able to demonstrate their compliance with the GDPR.
Essential Components of a GDPR Privacy Policy
Your privacy policy (also called a privacy notice) should explain to users how you meet the obligations, and respect the rights, set out in the GDPR. A GDPR privacy policy should have clauses that address the following:
- An introduction that explains the purpose of the document
- The date that the Privacy Policy takes effect (or the date of its last update)
- Your company’s name and contact details
- Name and contact details for important roles (Data Protection Officer, EU representative, etc.), where applicable
- Your data protection principles
- The types of personal data you collect and process
- How and why you process personal data
- Your legal bases for each act of processing
- How long you retain personal data
- The types of third parties with whom you share personal data
- Any automated decision-making you do
- Users' rights
- Details of any transfers to non-EU countries
- Notification of how changes to the Privacy Policy will be communicated
- Use by children
- Cookies
Legal Bases to Collect Personal Data
The legal bases for processing a person’s personal data are:
- Consent – You have obtained their freely given, specific, informed and unambiguous permission, and they can withdraw it as easily as they gave it
- Contract – You need to process their personal data in order to fulfill a contract
- Legal obligation – You would be breaking the law if you didn’t process their personal data
- Vital interests – Their life (or someone else’s life) depends on you processing their personal data
- Public task – You need to process their personal data to carry out a task in the public interest or in the exercise of official authority
- Legitimate interests – Processing their personal data is in your (or a third party's) legitimate interests, those interests are not overridden by the individual's rights, and you have documented this in a Legitimate Interests Assessment
Rights granted to an individual by this Regulation
The GDPR grants individuals eight rights over their personal data:
- Right to be informed
- The right of access
- Right to rectification
- The right to erasure (known as “the right to be forgotten”)
- Right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making
FAQs
Does the GDPR require cookie consent?
In practice, yes for non-essential cookies. Cookies and similar identifiers that single out or track users are personal data, so processing them needs a legal basis. The requirement to obtain consent before setting non-essential cookies comes from the ePrivacy Directive, and the GDPR sets the standard that consent must meet: freely given, specific, informed and unambiguous. Strictly necessary cookies (for example, a session cookie needed to keep a user logged in) do not require consent.
What is the difference between the GDPR and CCPA?
The GDPR is an EU regulation that protects people in the EU and applies to any organization, wherever it is based, that processes their personal data. The CCPA is a California state law that protects California residents and applies to for-profit businesses that meet certain size or data-volume thresholds. The GDPR requires a legal basis before any processing takes place, whereas the CCPA is largely an opt-out regime that gives consumers the right to stop the sale or sharing of their data.
What is a Data Protection Officer?
A Data Protection Officer (DPO) is the person responsible for understanding the GDPR and ensuring your organization's compliance. The DPO can be an employee or an external service provider, and appointing one is mandatory only for public authorities and for organizations whose core activities involve large-scale or regular monitoring of individuals, or large-scale processing of special categories of data. The DPO is the main point of contact for the data protection authority and for data subjects, and typically has knowledge of both information technology and law.
Why do I need a Privacy Policy?
A privacy policy is the document the GDPR requires you to use to tell people how you collect, use and protect their personal data. It is also a practical way to show users that you can be trusted and that you have procedures in place to handle their personal information with care.