GDPR brings transparency to the entire data collection and usage lifecycle. The General Data Protection Regulation (GDPR) is an EU law that gives people more control over their personal data and compels businesses to be transparent about how they use it. GDPR has applied since May 25, 2018, protecting the personal data of people in the EU (and, through the EEA agreement, in Norway, Iceland and Liechtenstein) and replacing a patchwork of national rules with a single regulation that applies directly in every member state.
From hotel businesses to online shops, this law applies to every kind of business that processes personal data.
What is GDPR?
GDPR is an EU regulation adopted in April 2016 to protect the privacy of people within the European Union. It came into full effect on May 25, 2018. It covers everyone whose personal data is processed while they are in the EU and gives organizations clear obligations for protecting the data subjects. Personal data is any information relating to an identified or identifiable person (Article 4(1)): name, age, date of birth, address, online identifiers such as IP addresses and cookie IDs, and anything else that can be used to single out an individual. A narrower set of special categories (Article 9) gets stricter treatment: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data (which covers much insurance data), and data about sex life or sexual orientation.
10 facts about GDPR compliance
Before looking for ways to achieve GDPR compliance, you should know the following 10 facts. We have collected the details of GDPR that are most often overlooked and condensed them into an easily understandable format, so that you understand the what, why, and how of GDPR.
1. GDPR isn’t only for EU-based sites and apps
GDPR does not target EU-based websites and apps as such. Under Article 3 it applies to every organization established in the EU, for all of its processing of personal data, wherever that processing takes place, and to organizations established outside the EU whenever they offer goods or services to people in the EU or monitor their behaviour. So a non-EU organization does not fall under GDPR unless it deals with people in the EU in one of those two ways.
For example, if your organization is established outside the EU and has an app that lists the health services in your insurance provider’s network, but the app is not offered to people in the EU and does not track them, then you do not fall under GDPR. The same app run by an EU-based organization would be covered, because being established in the EU alone brings the processing into scope.
2. GDPR isn’t only for EU citizens
When we say EU residents, we do not mean EU citizens. The legislation protects data subjects who are in the Union (Article 3(2)), so GDPR distinguishes people by their geographical location at the time of processing, not by their citizenship.
For example, if a US citizen visits an EU country and uses a service there, the personal data collected about them during that visit is protected under GDPR. Conversely, data about an EU citizen living abroad and dealing only with a company established outside the EU is not automatically covered.
3. GDPR works proactively
Where an organization relies on consent, GDPR requires that consent be obtained before the data is collected, processed, or disclosed to third parties, and that it be freely given, specific, informed, and unambiguous, expressed through a clear affirmative action (Articles 4(11) and 7). Pre-ticked boxes, silence, or inactivity do not count, and users must be able to withdraw consent as easily as they gave it. Consent is only one of six lawful bases for processing (Article 6); the others include performance of a contract, a legal obligation, and the organization’s legitimate interests, but whichever basis applies has to be identified and documented before processing starts.
In contrast to the opt-out model that prevails in US privacy law, where data may be collected until the user objects, GDPR consent is based on an opt-in model.
4. GDPR classifies a privacy breach as a violation of fundamental rights
Privacy is recognized as a fundamental human right in the Universal Declaration of Human Rights (Article 12), the European Convention on Human Rights (Article 8), and the Charter of Fundamental Rights of the EU (Article 7 for private life and Article 8 for the protection of personal data). GDPR builds directly on this: Article 1(2) states that the Regulation protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, so a privacy violation is treated as an infringement of a fundamental right rather than a mere contractual or commercial failure. In the employment context, Article 88 adds that national rules on processing employee data must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests, and fundamental rights.
5. GDPR sets essential rights of the data subjects
GDPR (Articles 12 to 22) gives data subjects a set of rights that organizations must be able to honor in order to be compliant. Requests must normally be answered within one month and free of charge (Article 12). The rights are:
A. Right to erasure
Data subjects have the right to have their personal data erased (Article 17), also known as the ‘right to be forgotten’. Organizations therefore need a way to delete a person’s data from their own systems and from those of the processors working for them, within a defined time. The right is not absolute: data may be retained where processing is still necessary, for example to meet a legal obligation or to establish or defend legal claims.
B. Right to access
Data subjects have the right to obtain confirmation that their data is being processed and to receive a copy of it, together with the purposes, recipients, retention period, and source of the data (Article 15).
C. Right to be informed
Data subjects must be told, at the time their data is collected, why it is needed, on what lawful basis, how long it will be kept, and with whom it will be shared outside the organization (Articles 13 and 14). This information must be provided free of charge.
D. Right to rectification
Data subjects can have inaccurate personal data corrected and incomplete data completed (Article 16).
E. Right to restrict processing
Data subjects can require the organization to stop processing their data, for example while a dispute about its accuracy or about an objection is being resolved, so that the data is only stored and not otherwise used (Article 18).
F. Right to data portability
Data subjects can receive the data they provided in a structured, commonly used, machine-readable format and have it transmitted to another provider where technically feasible (Article 20). This applies to data processed by automated means on the basis of consent or a contract.
G. Right to object
Data subjects can object to processing based on legitimate interests or on a public-interest task, and can object at any time to processing for direct marketing, in which case the marketing must stop (Article 21).
H. Rights related to automated decision-making
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them, except in limited cases, and even then with the right to obtain human intervention (Article 22).
6. GDPR applies to all personal and sensitive data
GDPR covers all personal data of people in the EU, that is, any information relating to an identified or identifiable natural person: name, age, date of birth, address, online identifiers, location data, and anything else that can be used to identify an individual. The special categories listed in Article 9 (racial or ethnic origin, political opinions, religious beliefs, health data including insurance-related medical data, data about sex life or sexual orientation, and genetic or biometric data) may be processed only under narrow conditions, such as the explicit consent of the data subject.
7. Non-EU organizations will need an EU representative
It is required that all organizations who are complying with GDPR have a representative present within the EU so that the authorities can easily get in touch with a representative of the company in person. Thus, it is encouraged for all non-EU organizations to hire a representative within the EU.
8. GDPR requires the appointment of a DPO
Article 37 of the GDPR sets out when a Data Protection Officer (DPO) must be designated: when the processing is carried out by a public authority, when the organization’s core activities involve regular and systematic monitoring of data subjects on a large scale, or when its core activities consist of large-scale processing of special categories of data or of data about criminal convictions. The DPO is an independent role that reports to the highest level of management (Article 38) and may be a staff member or an external contractor. Whether your processing counts as ‘large scale’ is assessed on the following four factors, taken from the Article 29 Working Party guidelines on DPOs:
- The number of data subjects concerned
- The volume and range of data items processed
- The duration or permanence of the processing
- The geographic range of the processing
9. GDPR penalties are serious
GDPR non-compliance incurs heavy fines. Article 83 sets two tiers: up to €10 million or 2% of annual global turnover, whichever is higher, for breaches of obligations such as record-keeping, security, and breach notification; and up to €20 million or 4% of annual global turnover, whichever is higher, for breaches of the core principles, of data subjects’ rights, or of the rules on international transfers. Fines must be effective, proportionate, and dissuasive, and authorities weigh the nature, gravity, and duration of the violation, intent or negligence, and the organization’s cooperation, so not every violation draws the maximum. The fines can nevertheless be large: in January 2019 the French authority CNIL fined Google €50 million for failing to disclose clearly how it collected and combined data across services such as YouTube and Search, and for not obtaining valid consent for ads personalization.
10. You need not be alone to deal with GDPR compliance
The good news is that you don’t need to deal with GDPR compliance alone. Automated platforms can scan your website and data security controls against the essential GDPR requirements and produce a list of the remaining gaps you need to close. Scrut helps you become GDPR compliant in the least possible time.
Scrut Automation is an innovative and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.