What Is GDPR and Why Is It Important?

GDPR is a set of personal data protection and privacy laws for users and businesses in the European Union.

February 16, 2023

  • General data protection regulation (GDPR) is a set of personal data protection and privacy laws for users and businesses in the European Union. 
  • This article explains GDPR in detail, its principles, and why GDPR is so important for users and businesses.

What Is GDPR?

General data protection regulation (GDPR) refers to a set of personal data protection and privacy laws for users and businesses in the European Union. These laws are considered the toughest in the world as far as data privacy, collection, and protection are concerned.

Today’s world runs on personalization. It has permeated everyday life, from grocery shopping to reading the news. Businesses use every single piece of information they can find about their users to deliver seamless, intuitive solutions. To provide relevant products, services, and information to the users, data is stored and processed at multiple levels. In the current era, the phrase ‘data is the new oil’ echoes across all industry verticals.

What consumers viewed as a perk, however, has gradually turned into anxiety. The number of applications recording a user’s personally identifiable information (PII) has exploded. According to IBM Security’s 2021 global study, PII is included in as much as 44% of data breaches. Another consumer privacy survey, by CISCO in 2021, revealed that many users have stopped using an application or a service due to personal data issues.

Technology, too, is no longer geographically bound. Even the local grocery app may be hosted on a cloud server on a different continent, making the laws surrounding data storage and processing very hazy. The user base of applications such as social media is spread across the globe. About 76% of users believe that companies need to do more to protect their data, says the Global consumer state of mind 2021 report.

Considering all this, the European Union decided to update its existing set of data protection laws that were created in 1998. General data protection regulation (GDPR) was a result of this overhaul. In April 2016, GDPR was passed through the European parliament. A 160-page document of 99 articles of law was released. As of May 2018, it is mandated that all relevant organizations be compliant with these laws. 

GDPR ensures that all personal data is collected in a secure and legal process, with proper consent from the users. It places more power at the user’s end and extra responsibility at the business end.

To whom does GDPR apply?

GDPR applies to all people residing in European Union member states. This means that all businesses that operate within the EU must be GDPR-compliant. Any company that doesn’t primarily operate in the EU but still has a part of its user base in the EU needs to comply with this set of laws as well. For example, if a company provides services to people in Germany but has its offices in Silicon Valley, it also needs to be GDPR-compliant.

GDPR overview

Here are the core concepts and key players that fall under GDPR:

    • At the core of GDPR lies personal data. Personal data, in this context, is any information that can be used to directly or indirectly identify a human. Personal data usually comprises name, gender, email address, location information, IP addresses, web cookie information, and biometric data. 
    • When personal data is said to be processed, it includes data collection, data storage, data sharing, organizing, analyzing, structuring, and deleting.
    • The data subject is the person whose data is being processed. They are the ‘users’ — consumers or visitors to a product or a website. A data subject must give consent before any of their data is collected or processed. They also have the right to revoke this consent at any time.
    • The data controller is a person, organization, or authority that determines the specifics of data processing. This includes what data is to be collected, who the data subjects are, and how it will be used. The controller also decides how this can be achieved. This is usually a business; for example, a retail chain that wants to provide targeted ads to shoppers. The data controller works alone or with other controllers.
    • The data processor is the third party who does the actual processing based on the input provided by the controller. Cloud-based SaaS solutions such as CRM software, work collaboration products, or recommendation engines are some examples of data processors.

Both controllers and processors are liable to fines if they fall short of GDPR standards. However, most of the brunt is borne by the controller in case of any issue.

GDPR prohibits the collection of information about ethnicity, religion, political opinions, trade union membership, and sexuality under normal circumstances. Some exceptions to this rule are non-profit organizations and public authorities collecting information for archiving or recording.

GDPR fines

Failure to comply with general data protection regulations can result in a fine, which falls under two tiers:

1. Tier 1 GDPR fine: This tier of fines is for less severe violations. The penalty can be up to €10 million or 2% of the violating company’s global annual revenue from the previous year, whichever is more.

These violations typically involve the controllers and processors. Details of these violations can be found under Articles 8, 11, and 25 to 39. It also deals with oversights from accredited bodies signed on for unbiased GDPR assessments. Tier 1 fines apply to monitoring bodies as well. These bodies are independent units that transparently handle complaints and infringements.

2. Tier 2 GDPR fine: This tier of fines is for more serious infractions that involve a person’s right to privacy and consent. A penalty can go up to €20 million or 4% of the violating company’s global annual revenue from the previous year, whichever is more.

Tier 2 violations look into data processing issues, ensuring that the collected data is lawful, accurate, secure, and up to date. This tier deals with the various laws surrounding the data subject’s consent and right to transparency. Most tier 2 violations, however, involve transferring personal data to a non-EU third country. This can only be done based on the European Commission’s decision and with appropriate security controls.

The highest GDPR fine so far has been directed at Meta Platforms, the owner of social media platforms such as Facebook and Instagram. In September 2022, the Data Protection Committee (DPC) levied a fine of €405 million on the company. Meta was found violating the terms of processing the data of child users on Instagram.

Two months later, Meta’s data controller in Ireland, Meta Platforms Ireland Limited, was fined €265 million due to a data leak that exposed the personal data of half a billion users on the internet.

In 2021, Amazon was fined €746 million for tracking user data without getting their consent. The company also didn’t provide users with the option to opt out of data processing. Amazon has appealed this fine, and the hearing will be held at a Luxembourg court in 2024.

The severity of the fine depends on the nature of the violation, the sensitivity of the data involved, the intent behind the violation (was it intentional or just negligence?), what preventive measures were in place, how the business tried to mitigate it, cooperation with the authorities, and the violation history of the company.


GDPR Compliance Requirements

As is evident, failure to comply with GDPR can cause significant financial and reputational loss. General data protection regulation has 99 articles, split across 11 chapters. 

GDPR chapters

Given the size of the GDPR document, here is an outline of it.

    • Chapter 1 houses articles 1 through 4. It sets the general provisions and explains the core concepts and key players, which have been explained here in the previous section.
    • Chapter 2 comprises articles 5 to 11. The core principles of data privacy and protection are described in this chapter. They form the basis of GDPR compliance. Organizations would benefit from having all stakeholders read this particular chapter.
    • Chapter 3 explains articles 12 through 23. It details the eight basic rights of the data subject. This chapter is essential reading for end users, consumers, and the legal teams of organizations.
    • Chapter 4 has articles 24 to 43. All details about controllers and processors are covered in this section. Businesses need to know these details before developing a GDPR compliance plan.
    • Chapter 5 sees articles 44 to 50. The data protection committee acknowledges that data might need to be transferred to non-EU countries because of business or infrastructure changes. These articles detail what must be done to ensure safe and legal transfer.
    • Chapter 6 has articles 51 through 59. A supervisory authority is an independent public authority appointed by an EU member state’s government. They monitor compliance and application of GDPR in companies in the state. These articles specify their qualifications, roles, tasks, and power.
    • Chapter 7 has articles 60 to 76. The seventh chapter deals with what levels of cooperation are expected from an organization, especially in light of a breach. It talks about working with supervisory authorities and processes in place to ensure cooperation and consistency, such as documentation and testing.
    • Chapter 8 explains articles 77 to 84. These articles talk about the legal rights of data subjects against a supervisory authority, controller, or processor. Terms of fines and penalties are outlined here.
    • Chapter 9 has articles 85 to 91. It provides guidelines for processing specific forms of data, including opinions. It talks about data processing from the standpoint of an employer, a scientific or historical researcher, and a public archivist.
    • Chapter 10 explains articles 92 and 93. These articles explain the right of the European Commission to establish a committee to assist with GDPR implementation across member states.
    • Chapter 11 has articles from 94 to 99. These final provisions talk about when GDPR enforcement begins. The commission commits to an evaluation every four years beginning May 2020. The idea is to keep the laws updated with technological landscape changes.

Principles governing GDPR

The seven main principles that govern GDPR, as specified in article 5, are:

    1. Lawfulness and transparency: All data processing must be done legally with the user’s consent. The data subject must know exactly what information is being collected, how it is being stored, for how long this data will exist in the controller’s system, and whom it will be shared with. 
    2. Purpose limitation: Once the initial purpose of data collection has been established, the data subject must be informed of it. The controller cannot collect or process data that falls outside this purpose.
    3. Data minimization: Only adequate and necessary data must be collected, even if it does fall under the general purpose of data collection. For instance, religious preferences cannot be collected and processed in a retail app, even if it will help with recommending specific holiday-based items.
    4. Accuracy: All processed data must be accurate and up to date. There must be processes to ensure this, and that inaccurate data is rectified or deleted immediately.
    5. Storage limitation: Personal data cannot be stored for more time than necessary. Once the purpose of data collection is achieved, the data must be deleted and archived for further use.
    6. Integrity and confidentiality: When collecting and processing personal data, all technical and organizational safeguards must be in place. Appropriate security controls, privacy measures, and policy changes must be made. This data must also be protected against accidental loss, destruction, and cyber attacks.
    7. Accountability: While the rest of these principles existed in the 1995 data protection laws, the latest addition to GDPR is accountability. Considering the number of agencies involved in processing a single user’s data across multiple oceans, GDPR insists on accountability. According to this regulation, the controller is largely responsible for compliance. 

Rights of a data subject

The seven principles listed above are primarily for organizations complying with GDPR laws. It is also prudent to look into the specified rights of the data subject:

    1. Right to information: Subjects have the right to know where their data is at all times. All details of the controller, including contact details, must be established. When the subject files a complaint with the controller, they must be transparent in response.
    2. Right to access: The user has the right to access all information stored by a particular organization at any given interval. This can be done by submitting a data subject access request (DSAR). 
    3. Right to rectify: The DSAR may also be used to request that incorrect information be corrected. 
    4. Right to be forgotten: At any point, the data subject has the right to opt out of data collection. GDPR has modified the traditional opt-out approach and mandated an opt-in process. This means that user data is not collected by default with an unsubscribe button like before. Users must first be provided with context and asked for an opt-in before any data collection takes place, according to GDPR.
    5. Right to restriction: Subjects can ask controllers to cease data processing if they find inaccuracies or unnecessary data storage. In this case, the data is stored, but processing cannot happen without the data subject’s consent.
    6. Right to data portability: Users have the right to move personal data from one controller to another. One example of this is the ability of users to upload their Facebook photos to a Google Drive folder.
    7. Right to object: Users have the right to object to the data processing even after they have opted in. This is particularly true in the case of controllers specializing in marketing data.
    8. Right to reject decisions based on automated processing: With the amount of data being fed into systems nowadays, it is inevitable for personal data to be processed by automated software using machine learning. Data subjects can reject any consequences or profiling from these automated decisions.

GDPR breach notifications

Breach notifications are another important aspect of GDPR that organizations must know about. Breach notifications are communications that must be sent directly to the data subject when their personal data has been compromised. This can be due to human error, natural calamities, or criminal activity.

Breach notifications cannot be delivered as a public PR notice or as a broadcast on a social media channel like Twitter. All breaches must be reported within 72 hours of discovery. The notification must include the information involved, how it was compromised, and how many users were affected. It must also detail the likely consequences of the breach, such as financial loss and identity theft.


Importance of GDPR

The nitty-gritty of GDPR may seem cumbersome and dry; however, overall GDPR compliance brings positive results.

GDPR promotes privacy by design. Programmers, DevOps personnel, business owners, and security teams have all started designing with data protection in mind. Even while negotiating third-party contracts, organizations have started ensuring that these vendors know what they can and cannot do with their data. Data breaches have steadily been increasing, especially since the pandemic struck. Privacy by design is the first step toward preventing such attacks.

According to CISCO’s 2021 consumer privacy survey, 60% of surveyed users viewed laws such as GDPR favorably. Any organization that is GDPR-compliant is seen as transparent to the user, thereby promoting user confidence and brand loyalty. In the last four years of GDPR compliance, companies have reported more user retention.

GDPR allows companies to establish a streamlined approach to data privacy and security. One of the initial steps to GDPR compliance is to take stock of all assets and maintain a record of all essential infrastructure components. This makes both business and security automation easier. 

One look at IBM’s 2022 cost of data breach report shows that cyber attacks such as ransomware have grown more destructive and costlier over time. Most data breaches are in the cloud, and most organizations have moved their infrastructure to the cloud. Complying with GDPR prevents such attacks, saving a lot of money for the organization in the long run.

Incident response and disaster recovery plans become crucial to ensure GDPR standards are met. These allow companies to be proactive and react more efficiently to incidents that threaten business continuity. Most importantly, GDPR has opened up conversations internationally about data privacy and protection laws. It has allowed nations worldwide to address the complex and dynamic issue of data and its privacy. 


Takeaway

GDPR compliance is a huge but necessary task for organizations looking to expand globally. The process is ongoing, with budgets, systems, and policies to be considered. Staff training and internal audits must become part of the GDPR compliance process. With countries across all continents coming up with similarly outlined privacy laws, GDPR compliance is the only way forward.



Ramya Mohanakrishnan
Ramya is an IT specialist who has worked in the startup industry for more than a decade. She has coded, architected, and is now writing about, technology that shapes the world. She is an Information Systems graduate from BITS Pilani, one of India’s top universities for science and technological research. Her expertise in the industry has been fueled by stints in large corporations such as Goldman Sachs. She currently develops technology content for startups and tech communities. Her niches include cloud, security, data, and business continuity.