Privacy is a universal understanding that transcends geography and culture. Some even call it a right. As the internet becomes a larger part of our lives, many complications have arisen with regard to our data and how it is used. The European Union created a law called the General Data Protection Regulation (GDPR). If you are not familiar with this term, read on, because these regulations also reach businesses in the United States. The more you know, the more authority and control you have over your privacy.
What is GDPR?
The General Data Protection Regulation came into effect on May 25, 2018 in Europe. It is considered the strictest privacy and security law in the world. Even though this law was enacted by the European Union, it imposes obligations on any organization that collects data from people in the EU. The law protects personal data such as an IP address, name, email, photos, date of birth, location, gender, credit card information, and much more. GDPR created new legal standards for the disclosure, consent, protection, and processing of personal information.
What Does This Mean for Companies?
You can only imagine how many companies around the world had to change their policies, and not only internally: they also had to inform their external users about the changes. For example, if you are a smaller company based in the US that mainly sells to US citizens but gets any traction from EU citizens, then you may be subject to the requirements of the GDPR. Companies that are not careful about following this regulation are at risk of being fined for noncompliance. Article 3 of the law explains its territorial scope in detail. Article 3.2 applies the law to organizations that are not in the EU if two conditions are met: monitoring the online behavior of people in the EU and selling goods or services to them.
Why is GDPR Necessary?
In this day and age, many people do not understand the importance of their data and how much they should be protecting it. There are situations outside our control that can cause mistakes in the systems that keep our information. People regularly entrust their data to cloud services, social media, and websites that do not entirely protect it. As a result, this data is exposed to the breaches that occur daily. A breach could leak someone's home address or even their personal bank information without the organization entrusted with the data realizing it. Protecting your data shouldn't be something you brush off; you should be aware of the risks you take if it ends up in the wrong hands.
Structure of GDPR Compliance
GDPR fines are intended to make non-compliance a costly outcome for all businesses. The fines are set out in Article 83, and any organization that is non-compliant faces liability that scales with the severity of the infringement. There are two tiers of GDPR fines, which we will explain in detail. The first tier covers the less severe infringements, which can still cost up to 2% of an organization's worldwide annual revenue. This includes any violations of the topics listed below.
- Controllers & Processors: Collectors and controllers who use data processors must adhere to the obligations under Articles 8, 11, 25-39, 42, and 43.
- Certification Bodies: Under Articles 42 and 43, accredited bodies charged with certifying organizations must make their evaluations without bias, and the process must be transparent.
- Monitoring Bodies: Article 41 states that bodies designated as having the appropriate level of expertise must follow established procedures and handle complaints or reported violations neutrally and transparently.
Now on to the more severe infringements, which are also listed below. These include anything that goes against the principles of the right to privacy that are the focus of GDPR. Such infringements could result in a fine of up to 4% of the firm's worldwide annual revenue from the preceding financial year. To put it in perspective, it could be around 40 million dollars.
- Basic Principles for Processing: Articles 5, 6, and 9 state that data processing must be done in a lawful, fair, and transparent manner. Data must be collected and processed for a specific purpose, handled securely, and kept accurate. Organizations can only process data when the processing meets one of the six lawful bases in Article 6.
- Conditions for Consent: Article 7 states that an organization must be able to demonstrate that a person consented to the processing of their data.
- Data Subject's Rights: Articles 12-22 explain that individuals have a right to know what data is being collected from them and what it is used for. They have a right to obtain a copy of that data, correct it, or even have it removed.
- Transfer of Data: Articles 44-49 set out the rules for transferring data internationally or to a third party. Before an organization transfers any data, the European Commission must decide whether the destination country or organization ensures adequate protection and safeguards.
To go further on the topic of fines, we need a basic understanding of the criteria used to decide whether a fine is imposed and how large it will be. A detailed list can be found on this website (https://gdpr.eu/what-is-gdpr/).
This is an overview of what GDPR means for individuals and businesses across the world. Knowing this law goes hand in hand with knowing that you can exercise control over your data and privacy under it.