For the past few decades, the issue of data protection has been difficult for people to grapple with, both in Europe and globally.
To fit in the rising digital age without compromising online data security, the EU initiated a mission to put up data protection reforms which were successfully implemented in 2018.
The main objective of this mission was to introduce the EU General Data Protection Regulation that would guide and regulate how organizations handle their consumer’s personal data, resulting in stronger data protection for all citizens within the EU.
To help you sail through GDPR easily, we have curated this list of FAQs that sheds light on the various aspects of GDPR, so let’s get started.
What is GDPR: In a Nutshell
The General Data Protection Regulation, or in short “GDPR,” is a new law that replaces the 1995 Data Protection Directive. At its core, GDPR is the EU’s digital privacy legislation designed to protect the data of individuals within the European Union. The GDPR is built to enhance internet users’ privacy rights and prevent breaches by providing more authority over how businesses collect and use data.
The General Data Protection Regulation (GDPR) was enacted on May 25, 2018, to protect internet users’ data collected by online businesses, websites, and apps. A lot of our lives now happen online, and data is increasingly becoming central to almost every aspect of our lives.
Most, if not all, online services collect and store our personal data without us even realizing it. This includes crucial information like our name, address, credit/debit card number, birth date, and more. While some may argue that this is an invasion of privacy, oftentimes, these organizations need this data to improve their user experience.
The newly established GDPR is designed to streamline the online business regulatory process, benefiting both consumers and businesses in Europe alike by allowing them to better take advantage of the digital economy.
It also creates higher legal thresholds for companies processing data from UK residents by requiring them to use technical safeguards like encryption and providing justification for data collection.
Who Does GDPR Apply To?
The GDPR applies to:
- Companies or online businesses that process the personal data of EU residents as part of activities conducted by their branches located in the EU, no matter where those companies are based or where they process their data.
- Companies located outside of the European Union that provide services (paid or free) to or track the behavior of EU residents.
If you own a small or medium-sized enterprise (“SME”) that processes the personal data of EU consumers, as mentioned above, you have to comply with the GDPR. If data processing is not a core part of your company’s activity, or your online activity doesn’t create any risk for EU residents, then some obligations of the GDPR won’t apply to you.
For example, the appointment of a Data Protection Officer (“DPO”) may not be required. To clarify, “core activities” means processing personal data as an inextricable part of the processor’s and controller’s activities.
Who is protected under GDPR?
The GDPR was put into effect to safeguard the privileges of people who reside in the European Union, regardless of whether their data is actually located in the EU. The term “citizen” is not mentioned anywhere in the regulation, which indicates a reluctance to identify the rights of EU citizens as opposed to all other citizens living within the EU boundaries.
Practically speaking, it is clear that the GDPR protects citizens’ rights within its territorial reach. This also applies to any entity using or accessing this personal data, regardless of where that data exists.
Who is exempt from GDPR?
The GDPR has a long reach as to who is exempt from its regulations and how they protect the data of EU citizens. There are specific situations in which personal information does not fall under its protections.
Here, the determining factor for exemptions is generally carried out by answering the “why” behind your data collection. There are limited GDPR exemptions related to personal data processing, such as:
- When personal data is processed during the course of an activity that falls outside the scope of European Union data protection law.
- The GDPR does not apply to government entities and law enforcement when they collect and process data for criminal investigations, detect or prevent crime, or enforce penalties.
- The GDPR does not apply to individuals that process data for household or personal activity.
- GDPR does not apply to personal data processing by Member States for activities that fall under the scope of Chapter 2, Title V, of the Treaty on European Union.
Does the GDPR Only Apply to EU-based Organizations or EU Citizens?
The GDPR applies to all organizations and online businesses that collect, process or store personal data from individuals within the European Union (and the UK). This includes businesses based outside of the EU that sell goods or services to customers in participating states.
For example, if a company based in Singapore collected data from France-based customers, that company would be expected to follow the same GDPR and standards as an organization based in Germany. In addition, the GDPR applies to companies outside of the EU that provide services or products targeting individuals within the EU.
What About Transferring Data Out of the EU?
The regulation for data transfer is found in one of the seven principles of the Data Protection Act (DPA) 2018, which was earlier traced as the 8th principle of the UK’s DPA 1998.
It states that any personal data collected from EU citizens (or anyone inside the EU) can only be transferred outside the EU if the receiving state ensures that the data is handled in compliance with GDPR principles and practices.
The General Data Protection Act was designed to offer complete protection to personal data within the EU.
However, it does allow for the transfer of said data outside the EU only when the personal data has been properly pseudonymized. With this approach, no entity can identify any individual, and thus it no longer matches the definition of “personal data,” thereby maintaining the privacy of citizens.
Who is Responsible for the Enforcement of the GDPR?
The GDPR was implemented so that each nation has its own data protection authority or appointed supervisory authority responsible for enforcing the GDPR. These authorities have the power to conduct data protection audits, impose administrative fines, and issue warnings for violations.
For instance, in Hungary, the Hungarian National Authority for Data Protection and Freedom of Information is the commissioner for Personal Data Protection.
In Cyprus, it is the Data Protection Authority, and in the United Kingdom, it is the Information Commissioner’s Office (ICO). Having positioned itself as an independent body, the ICO’s responsibilities include
- promoting transparency of public bodies,
- maintaining information rights, and
- upholding individual data policy rights.
As such, the ICO can dish out heftier fines to companies that don’t adhere to data protection standards.
What Kind of Fines are Possible Under GDPR?
Companies or online businesses that do not follow the new data protection changes could incur hefty fines. The fine amount depends on how significant the breach is and whether security compliance and regulations were deemed a priority for the organization.
If an organization is caught mishandling data in any way, they could face lower penalties of 10 million Euros or 2% of the annual global turnover from the previous year.
This could be anything from failing to report a data breach, not strengthening privacy by design, failing to ensure data protection is applied correctly from the start of a project, and being non-compliant with appointing services such as Data Protection Officers (DPOs).
If a company is found to have infringed upon the rights of data subjects, maximum fines of 20 million euros or 4% of their annual turnover (whichever is greater) will be imposed. This means that if you transfer data internationally without permission or don’t have procedures in place to address subject access requests, you will be penalized.