GDPR - Regulation on Data Protection & Privacy in the EU

Data security is a primary concern all across Europe. We keep hearing the news about data breaches and cyber attacks happening around Europe. However, it does not mean authorities are not taking any steps to improve data protection. General Data Protection Regulation (GDPR) is one significant milestone taken by the European Parliament and Council of the European Union. The EU law regulates data privacy and protection in the EU and the European Economic Area (EEA).

Now, the GDPR aims to unify data privacy regulations across Europe, serving as guidance for businesses that are required to comply with these rules and, at the same time, providing some clarity and rights for individuals. This is important because large volumes of data are processed online, which puts pressure on companies that need to manage their user’s personal data appropriately. Otherwise, they can be left with enormous non-compliance fines.

GDPR stands for General Data Protection Regulation. The GDPR is a global privacy and security law originating from the European Union (EU). It applies to organizations worldwide that target or collect data related to EU individuals, imposing significant fines for privacy and security breaches, potentially in the tens of millions of euros.

The GDPR replaced the original data protection directive from 1995. It now serves as the main legal framework for data protection in the EU. Interestingly, its final and approved version was achieved after more than four years of negotiations, and the European Parliament and European Council adopted it in April 2016.

GDPR was officially implemented on 25th May 2018 to enforce a standardized data security law on all European Union members. According to the EU, GDPR provides people with the right to protect their personal information and revises how organizations and businesses should handle the information (data) of those who interact with them.

Valuable GDPR Sources:

General Data Protection Regulation has over 100 articles, which you may read here.
The regulation acts as a framework for data security laws across the continent and replaces the old 1995 data protection law.

As per GDPR, personal data is any information that can be used to recognize a person’s identity. Different identity-related aspects can include a person’s name, address, date of birth, ID number, and more. However, in the era of online data tracking technology, various other things are considered personal data, such as social media accounts, IP addresses, browser cookies, email addresses, etc.

However, GDPR serves as an extra protection layer for certain sensitive information. This includes examples like data regarding one’s biometric data, religious beliefs, political opinions, genetic information, health details, and other facts like one’s orientation. In general, personal data is defined as any sort of information that can be traced back to a person, including pseudonymized data (which replaces any information that could be used to identify an individual with a pseudonym).

Data Protection Principles According to the GDPR

When processing data, adhere to the seven protection and accountability principles outlined in Article 5.1-2 of the GDPR:

Lawfulness, fairness, and transparency: Ensure processing is legal, fair, and transparent to the data subject.
Purpose limitation: Process data solely for the explicit and legitimate purposes communicated to the data subject during collection.
Data minimization: Collect and process only the necessary data for specified purposes.
Accuracy: Maintain personal data accuracy and keep it up-to-date.
Storage limitation: Store personally identifying data only for the duration necessary for the specified purpose.
Integrity and confidentiality: Process data securely, maintaining integrity and confidentiality, such as through encryption.
Accountability: The data controller is responsible for demonstrating GDPR compliance with these principles.

GDPR mandates that data controllers must demonstrate compliance. That means compliance cannot be claimed without the ability to prove it.

General Data Protection Regulation applies to all the businesses and organizations operating within the European Union and organizations outside of the EU offering services and goods to individuals and companies in the EU.

It simply means that almost every major corporation in the world needs to comply with the GDPR directive.

There are two types of data handlers the legislation applies to:

Processors: A ‘processor’ refers to a natural or legal person, public authority, agency, or entity that processes personal data on behalf of the controller. Processors operate under the authority and on behalf of the controller, prioritizing the controller’s interests over their own.
Controllers: A controller is a person, agency, or public authority that decides the purposes of personal data processing. The processor is a person, agency, and public authority that processes personal data on behalf of the controller.

According to GDPR, the UK’s Information Commissioner’s office will be accountable for registering data controllers and taking action on those violating data protection law. The commission says, “by unifying the European continent’s rule on data protection, the legislative body is creating new business opportunities and encouraging innovation.

GDPR takes legal obligations on a processor to maintain records of personal data and how it is processed.

Illustration of the GDPR compliance steps mentioned below

Initially, it might seem daunting to achieve GDPR as it involves a lot of regulations that businesses need to follow. Below, we have compiled a few steps to make the compliance process pretty straightforward.

Step 1: Appoint a Data Protection Officer (DPO)

A data protection officer makes sure that your company is compliant with GDPR. So, your first step should be hiring a DPO. Remember, only public authorities/companies that have 10 to 15 employees need to hire a DPO. However, even if your company doesn’t fall into this category, appointing a DPO won’t be a bad choice.

GDPR Article 39 explains the roles of DPO in all matters associated with data protection. In general, the data protection officer is responsible for:

Advising and informing the controller, processor, and employees about their data protection obligations.
Monitoring compliance with data protection regulations and the controller or processor’s policies.
Providing advice on data protection impact assessments and overseeing their implementation.
Collaborating with the supervisory authority.
Serving as the contact point for the supervisory authority on processing issues and consulting as needed.

Step 2: Check for Stored Personal Data

As per the directive, businesses should collect personal data with clearly defined purposes and shouldn’t use it for anything else. A DPO should confirm every scenario in which your company collects, stores, and processes personal data. They should check if the personal data is utilized for the legal matter only. For example, if your company sells goods online to customers, your company will require a customer’s name, address, contact number, or email address for notifications only. There is no legal ground for asking personal information, such as a customer’s gender and marital status.

A company should clearly explain what personal data they hold and for what reason.

Step 3: Get Customer Consent

Getting a customer’s consent is a legal ground for processing their personal data. It should be in plain language. A customer must know which company requests data, how long it will be stored, and who receives it. To get customer consent, businesses should create and publish a privacy policy explaining how their users’ personal data will be used. Moreover, customers should be given an option to accept this policy and for their consent.

Step 4: Secure All Personal Data

According to GDPR, personal data should be processed in a manner that ensures the right level of security and confidentiality. Even if the data is stored electronically as part of an application, a business should be responsible for its protection. For that, you must take the necessary steps to prevent data breaches and other financial crimes. Otherwise, you will be fined with a massive penalty.

There are two levels of GDPR fines. The 1st level takes a fine of €10 million or 2% of annual turnover, which is greater. The 2nd level carries a maximum penalty of €20 million or 4% of annual turnover, whichever is greater.

Which tier will apply to a business is determined by data protection authorities based on factors like the extent of non-compliance, duration of non-compliance, the size of any damage to data subjects, types of data involved, etc.

Some of the biggest names that have paid GDPR fines in 2020 alone include:

Google – €50 000 000.
Austrian Post – €18 000 000.
TIM – €27,800 000.
Deutsche Wohnen SE – €14 500 000.

Illustration of iDenfy identity verification solution

GDPR requires businesses to protect the personal data and privacy of European citizens. While there are so many things that help you ensure your customers’ privacy, implementing a powerful identity verification solution adds an extra security layer.

With identity verification, you can rest assured that only legit people are using your platform and no one is misusing the information.

At iDenfy, we provide identity verification solutions. Our company has been offering its services to various individuals and businesses across the globe. We turn your smartphone or any other device into an ID verification terminal and face recognition system so that you can conduct the verification of your users remotely quickly.

Our ID document detection solution can recognize more than 3000 documents from more than 190 countries. You can book a meeting with our experts or contact our team to learn more about our service.

This blog post was updated on the 3rd of October, 2024, to reflect the latest insights.

A guide to: GDPR - regulation in law on data protection, an infographic summarising the text above.