GDPR: General Data Protection Regulation
The GDPR is a wide-ranging and complex data privacy law affecting every organisation that processes personal data of individuals located in EU member states, wherever that organisation itself is based.
The General Data Protection Regulation is one of the strictest and most wide-ranging data protection laws in the world. Applicable since 25 May 2018, it was drafted and adopted by the European Union (EU). However, GDPR compliance also affects organisations located anywhere else in the world if they offer goods or services to, or monitor the behaviour of, data subjects in EU member states.
Penalties for non-compliance with the data protection rules contained in the GDPR can be harsh, with fines reaching millions of Euros. This website is for small business owners, business leaders and anyone else who needs a simple guide to the General Data Protection Regulation (GDPR).
Simply put, the aim of the GDPR is to give data subjects in the EU enforceable rights over how their personal data is collected and processed, and a legal basis to challenge unlawful processing. For organisations, the GDPR sets out the data protection principles that must be followed whenever they process personal data relating to individuals in the EU (residence in the EU, not EU citizenship, is what matters).
Any organisation that acts as a data controller, and any organisation that processes information relating to data subjects on a controller's behalf, must comply with the GDPR; doing so reduces the likelihood and impact of a data breach or of mishandling sensitive personal data, although no set of controls removes the risk entirely. The GDPR is complex, and everyone should ensure compliance, particularly if they are involved in online reputation management either on a personal or corporate level.
While the right to privacy dates all the way back to the European Convention on Human Rights in 1950, the dramatic development of technology since then has left legislation struggling to keep up.
In 1995, the EU established minimum data privacy rules in the Data Protection Directive (Directive 95/46/EC). This was aimed at providing the kind of protection needed in a technologically advanced world. Since then, of course, technology has rocketed ahead, and today our world is ultra-connected and online.
IT infrastructure has powered ahead, and the need to protect the data subjects affected by this progress has become more urgent. Consumer data is now used in ways that were unthinkable just 20 years ago, such as AI systems performing company background checks for recruiters.
By 2000, online banking was offered by most mainstream financial service firms, and six years later social media exploded onto the scene. By 2011 it had become clear to the EU institutions that it was in the public interest to create a "comprehensive approach to personal data protection."
Work began on replacing the old rules with new legislation governing how every organisation processes personal data. The resulting Regulation (EU) 2016/679, the GDPR, was adopted in April 2016. It is a regulation rather than a directive, so it applies directly in every member state without national transposition; organisations were given a two-year transition period, and the GDPR has applied since 25 May 2018.
Ensuring compliance is essential for every organisation in the world that processes personal data of people in the EU, whether at large scale or in small amounts.
This includes organisations in third countries, which now covers the UK: the UK left the EU at the start of 2020 and has been a third country for data transfer purposes since the end of the Brexit transition period. Failing to meet GDPR obligations risks administrative fines and, in certain circumstances under national law, criminal liability. Compliance is enforced by the national supervisory authorities, and GDPR obligations are now routinely written into contracts between controllers and processors and into the standard contractual clauses used for transfers of personal data outside the EU.
The legislation uses specific terminology that needs to be understood. Here are a few key terms:

Data controller: the natural or legal person (a company, a public authority, or an individual such as a business owner) that determines the purposes and means of processing personal data. The controller is responsible for carrying out data protection impact assessments where required.

Data subject: the individual whose personal data is being processed.

Data processor: any third party that processes personal data on behalf of, and on the instructions of, the data controller.

Personal data: any information relating to an identified or identifiable individual, including names, addresses, online identifiers such as cookies, and special-category data such as religious beliefs, political opinions and biometric data. Pseudonymised data is still personal data, because it can be attributed to an individual with additional information.

Processing: any operation performed on personal data, whether automated or manual, including collection, recording, storage, alteration, retrieval, disclosure, dissemination through information systems, automated decision-making and erasure.
We mentioned earlier the importance of complying with the requirements enforced by the supervisory authority in charge of the GDPR in order to maintain a positive online reputation. Any personal data breach could backfire on the data controller and damage its online reputation management strategy.
Article 17 of the GDPR is the right to erasure, also known as the "right to be forgotten", which allows a data subject to require that their personal data be deleted in certain circumstances. However, this is a complex procedure in itself and, in order to succeed, a request should follow the legal requirements set out in the Regulation.
Part of online reputation management is finding ways to remove content from Google if you think it damages how others see you. Find out more on this here, including how the data protection laws fit in.
Almost every interaction a person has with an organisation or public authority involves sharing personal data. For anyone designated a controller, it is essential that their processes reflect the need to comply with the General Data Protection Regulation (GDPR).
To make it easier for organisations to avoid penalties for non-compliance, the GDPR lays out seven key principles in Article 5(1) and 5(2): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (the controller must be able to demonstrate compliance with the other six).
Under the integrity and confidentiality principle, all personal data has to be handled securely using what the GDPR calls "appropriate technical and organisational measures", a requirement expanded on in Article 32. Complying with the GDPR is designed to reduce the likelihood and impact of a security breach and to improve information security for individuals in the EU.