In 2016, the European Union’s (EU) and the European Economic Area’s (EEA) legislative bodies set new ground rules and principles for businesses that process and control data about users in the EU and EEA. This regulation, called the GDPR, is designed to control how companies process personal information, and it also gives users more control over how their information is used.
If your business handles any data about people in the EU and EEA, here is what you need to know about the GDPR: what it is and what it does.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a set of rules that governs how businesses collect and handle data and private information about citizens of the European Union (EU) and European Economic Area (EEA).
The GDPR was drafted on 14 April 2016 by the European Parliament and the Council of the European Union. It was implemented on 25 May 2018, officially replacing the outdated Data Protection Directive of 1995 (Directive 95/46/EC).
The EU GDPR aims to curb surveillance capitalism practised by companies against inhabitants of the EU and the EEA. The GDPR also gives inhabitants of the EU and EEA greater control over how companies use their personal information.
Surveillance Capitalism: The selling of personal data as a commodity for profit.
Where Does the General Data Protection Regulation (GDPR) Apply?
The GDPR is enforced in all states that are members of the European Union (EU) and European Economic Area (EEA).
1. European Union (EU) Member States
The European Union member states are:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
NB: The UK formally left the EU on 31 December 2020 and is no longer a member of the EU. Therefore, the GDPR no longer officially applies to the UK. However, the UK has its own set of data protection laws.
2. European Economic Area (EEA) Member States
The EEA includes all 27 EU countries plus Iceland, Liechtenstein, and Norway.
Who Does the GDPR Affect?
The General Data Protection Regulation (GDPR) affects all companies that collect, store, retrieve, alter or transfer any type of data about European Union (EU) or EEA citizens living within the EU/EEA.
The GDPR applies to all companies that are either “controllers” or “processors” of EU citizens’ data.
Data Controllers: Any entity that determines how data is used, i.e. how it is processed.
Data Processors: Any third-party entity that processes data on behalf of the Data Controller.
The GDPR also applies to all companies that operate within the EU, trade their products in the EU, or process EU personal data – regardless of where they are based.
How Does the GDPR Affect Companies?
A survey by Propeller Insights found that executives saw the following five industries as the most impacted by the GDPR. The percentages show the share of respondents who agreed with each ranking. Companies in these industries should therefore be very attentive to their GDPR compliance.
The results of the survey are as follows:
- Technology Sector – 53%
- Online Retailing – 45%
- Software Companies – 44%
- Financial Sector – 37%
- Online SaaS/Services – 34%
What Types of Privacy Data Does the GDPR Protect?
The GDPR protects the ‘personal data’ of people living in the EU and EEA. In the GDPR, ‘personal data’ is any information relating to an identifiable natural person (GDPR Art. 4 (1)).
Personal Data Includes:
- Names, Addresses, Phone Numbers, Email Addresses, ID Numbers
- Biometrics and Health Data
- Personal Data about Political Orientation
- Religious or Ideological Data
- IP Addresses and Cookie IDs
- Ethnicity or Racial Data
- Sexual Preferences
In short, any type of data that relates to a person in the EU and EEA falls under GDPR protection, whether it is their identity, contact information, address, preferences, etc. All of it is protected by the GDPR.
GDPR Individual Rights
There are two different types of rights: Absolute Rights and Non-Absolute (Qualified) Rights. Absolute means the right is enforced in all situations, whereas Non-Absolute means the right only applies in certain situations.
Here are 7 rights the GDPR gives users in the EU and EEA:
The Right to be Informed
EU/EEA citizens living within the EU/EEA must be notified before companies begin collecting and using their personal data. Companies must inform users about:
- their purpose for collecting data
- how long they will keep the data
- who it will be shared with
The Right of Access
EU/EEA citizens have the right to gain access to copies of their collected personal and related information. When a person requests access to their data, the request is often called a SAR – Subject Access Request.
Companies must provide an individual with their data after receiving such a request (SAR).
The Right to be Forgotten (Erasure)
A user also has the right to make a company delete all of their stored personal data.
After a user submits a request for erasure, verbally or in writing, companies must respond within one month of submission. However, this is not an “absolute” right and only applies in certain situations.
The Right to Data Portability
EU/EEA users are entitled to obtain a copy of their personal data in a form that can be reused across different services or for personal use.
For example, if an EU user wants to switch to a different medical service provider, they must be able to securely transfer a copy of their personal data to their new service provider.
The Right to Restrict Processing
Similar to the right of erasure, the right to restrict processing is also not an absolute right. It only applies in special situations.
The right to restrict the processing of personal data implies that users have the right to block companies from using their personal data. After a block request is submitted, a company has a month to respond.
The Right to Object
Grants EU/EEA users an absolute right to object to companies using their data for direct marketing.
Companies must inform users about their right to object to the use of their data.
The Right to Rectification
Enables users to ask companies to correct personal data that is outdated, incorrect, incomplete, etc.
After a company receives such a request, it has one calendar month to respond.
7 GDPR Guiding Principles
Lawfulness, Fairness, and Transparency
Companies must follow due process to obtain and use personal data without breaking any laws. From the beginning, companies must also be open and honest with their users about why they are collecting data and how they will use it.
Purpose Limitation
After companies inform users of their purposes for the users’ personal data, they must not add any unrelated purposes without the consent/agreement of their users. Each purpose must be valid, specific, and explicit.
Storage Limitation
Companies must only store personal data for the shortest time necessary to achieve their previously stated purposes. Companies should not store personal data indefinitely, beyond the time needed for their original purposes.
Companies also need to record/document how long they will store the data.
Data Minimisation
Companies should only collect the data they need to carry out their purposes. They should not collect any excess data that does not relate to their stated purpose.
They should only process data that is relevant, adequate, and limited to what is necessary.
Accuracy
Companies should only store up-to-date information that is correct and not misleading. Failing that, companies should delete their inaccurate copy of the information.
Integrity and Confidentiality (Security)
Companies should put in place appropriate security measures to protect the user data that they store.
Accountability
Companies must thoroughly document how they collect and process personal data. Companies are responsible for the data they hold, and they must be able to prove their compliance with GDPR principles and guidelines.
For all the GDPR aims to achieve by enforcing new protection measures for private data, it has a few vague areas that leave much to a business’s own interpretation. For example, the GDPR only states that companies must have a “reasonable” level of protection for their customers’ private data, which means each company applies its own idea of what a “reasonable” level of protection is.
However, the authorities that enforce the GDPR also have a lot of leeway when judging GDPR non-compliance and data breach cases.
GDPR Conclusion – GDPR Meaning
Every day brings new ways of using the internet in every part of our lives, so it is necessary to set laws that prevent abuse of collected personal and private information.
The GDPR is not perfect, but it is the right step in building a free and open internet that protects both businesses and individuals from privacy disputes.
To make your company/website GDPR compliant, here are some of the things you need to do:
- Make sure you receive user consent before processing their data
- Inform users about what you will do with their data
- Know/Review all the types of data you collect, and discard that which is expired or unnecessary for operation
- Respond to user requests within a calendar month
- Employ an individual/team to manage and monitor data protection issues
- Install a robust security infrastructure to protect all your collected data
- Report all serious breaches within 72 hours
When implementing GDPR in your business, a general rule of thumb is just to follow all the GDPR rights and principles.
That’s all on the GDPR meaning. Thanks for reading.