The GDPR, which stands for General Data Protection Regulation, is a piece of EU data privacy legislation that applies to all member countries and came into force on May 25th, 2018.
The GDPR imposes strict obligations on organizations collecting or processing personal data in the European Union (EU), with severe penalties for non-compliance: up to four percent of your annual global revenue or 20 million euros (~$20 million), whichever is greater. In addition, there are strict provisions requiring notice from individuals whose rights have been violated or breached due to poor data management practices by companies they do business with; so if you don't comply with these rules diligently now while they're still relatively new and unknown—and especially if those issues come out later during an investigation by regulators—you could be liable for significant fines down the road.
The regulation also introduces new rights for individuals in relation to their personal data, including the right to request access to and deletion of personal data; an individual may have any inaccurate information rectified without delay.
It’s important to note that the GDPR applies only to companies based in the EU and those who control or process personal data of individuals living in the European Union, so it would be considered an international standard. If you aren’t based in Europe or don’t have operations there (and therefore aren't subject to this regulation), then it doesn't apply to you. We have been protecting GDPR data for our clients for years, so it's important to always pick a file transfer provider, like us, who has met this regulation before, while also being willing to execute a GDPR Data Processing Agreement (DPA).
Is GDPR a Directive?
GDPR is a regulation, not a directive. The European Union (EU) has updated its data protection and privacy laws to meet the demands of modern technology and create a single set of rules for all EU citizens.
GDPR applies to any organization that processes personal data relating to individuals living in the European Union (regardless of where they are located). Organizations must also comply with GDPR if they process any personal data relating to employees or customers across Europe, regardless of where it's processed.
What is Personal Data Under GDPR?
GDPR compliance is more than simply ensuring you're in compliance with the law. When it comes to personal data, your customers expect that their information is treated with care and respect—and so do you.
It's important that you understand what personal data means under GDPR so you can protect your users' privacy rights and build trust with them by respecting their privacy preferences.
Under GDPR, personal data is any information that can be used to identify a person (e.g., name, photo). That includes names, email addresses, IP addresses and other identifiers like cookies or device IDs (or telephone numbers if these are connected to an individual).
Privacy by Design and Default
Privacy by default and design, or PbD, is a new concept introduced by the GDPR. It means that privacy must be built into the design of systems, rather than added as an afterthought.
When it comes to compliance, this means that if your system collects personal data—which it most likely will—then you must make sure that data is anonymized before being stored. If not, then you're effectively violating the GDPR.
Purpose Limitation
In the context of GDPR, purpose limitation refers to the requirement that personal data should only be collected for a specific, explicit and legitimate purpose. Furthermore, it must not be processed in any way incompatible with that purpose. In this sense, data controllers are required to inform individuals as to the specific purpose for which their data is being collected and used. Further still, they must ensure that all personal data is deleted or erased once its original purpose has been fulfilled.
Purpose limitation does not just refer to how long an organization can store your information; rather, it also deals with sharing your information with third parties (i.e., other companies). Under GDPR law, organizations are forbidden from passing on this kind of sensitive information unless you have given consent for them do so.
Data Minimization
Data minimization is another principle of GDPR compliance and is related to the purpose limitation. While it may sound like something you learned in math class, data minimization actually comes down to limiting the amount of personal data collected, as well as limiting how that data can be used.
In this case, “minimizing” means that you should only collect personal data that is necessary for the purposes of processing. That might mean collecting fewer items on a form than before or opting for an alternative method of collecting information—such as asking users to provide specific consent instead of requesting everything on your list at once—so that you don't end up with more than you need. Additionally, if your company intends to retain personal information longer than needed, then it's best if they're able to delete it at some point in time (unless there are other legal reasons why they can't).
Data Transparency and Portability
Data transparency is a principle of the GDPR that requires organizations to provide clear, understandable information about how they process personal data. It also requires them to provide information about their policies and practices regarding the processing of personal data.
Data portability is a new right for individuals under the GDPR. With this right, you can move your personal data from one service provider to another. This can be used if the service provider has collected your personal data and either:
- Does not provide you with adequate services or products due to their collection of information on you
- Fails to use adequate security measures in that they do not protect your data against unauthorized access or disclosure
The idea behind data portability is that it allows individuals to take control of their own personal information and make sure that it is handled properly by any organizations using the information.
Accountability Principle
The accountability principle requires that controllers and processors be able to demonstrate compliance with the GDPR. The accountability principle is a key component of the GDPR, designed to ensure that organizations are able to provide evidence that they have complied with the GDPR.
To comply with this principle, you should be able to show:
- how you handled personal data;
- how you handled security breaches; and
- what measures were taken in case of misuse or abuse of personal data
What is a GDPR DPA?
One of the key requirements of GDPR is that businesses and organizations must have a data processing agreement (DPA) in place when they engage with third-party data processors. A DPA is a legally binding agreement that outlines the terms and conditions for the processing of personal data by a third-party data processor.
A GDPR data processing agreement is important because it helps businesses and organizations ensure that they are complying with GDPR regulations. The agreement sets out clear guidelines and obligations for both the data controller (the business or organization that collects and controls the personal data) and the data processor (the third party that processes the personal data on behalf of the controller). It also ensures that personal data is processed lawfully, fairly, and transparently.
The agreement covers various aspects of data processing, including the purpose of the processing, the types of personal data that will be processed, the security measures that will be in place to protect the data, and the rights of the data subjects (the individuals whose personal data is being processed). It also outlines the responsibilities of the data processor and the data controller in case of data breaches or other incidents.
In summary, a GDPR data processing agreement is essential for businesses and organizations that handle personal data. It helps them ensure that they are complying with GDPR regulations, and that the personal data of EU citizens is being processed lawfully, fairly, and transparently. By having a DPA in place, businesses and organizations can build trust with their customers, protect their reputation, and avoid costly fines and legal action. Sharetru understands this requirement and will execute a DPA alongside our clients for specific offerings, assisting you in meeting the controls for GDPR.
What's Next for GDPR?
For many countries outside of the EU, GDPR is still followed as a good framework for data privacy. However, many organizations are still struggling to meet GDPR due to disagreements about where the data is being housed, who owns the data, and who holds the data.
Due to this, in the years following GDPR's requirement, there's been a global movement regarding data regulations. Other countries and states started implementing comprehensive data privacy mandates because they wanted more clarity for businesses in their jurisdiction, and the expectations of controls on organizations within their jurisdiction that weren't defaulting to "we follow GDPR." For instance, Connecticut did not believe that California's went far enough materially, so they created their own. A few examples of new data privacy laws in the United States alone are: California(CCPA), Colorado (CPA), Connecticut (CTPA), Vermont, Virginia (VCDPA) and Utah (UCPA)
This is not only happening in the United States, either. China (2021), South Africa (2021), Brazil (2020), New Zealand (2020), India, and others have already passed or begun creating data protection laws.
Because of this, we foresee a world that's only going to become more complicated regarding data protection. GDPR will no longer be the standard by which organizations design systems to protect data. Instead, organizations might choose the lowest denominator regarding protection. Imagine being a global company with global operating units, or housing data all over the world. It's important your compliance team stays apprised of all data law developments, and you decide if it's best to meet the most stringent requirements across all systems, or try to meet the laws individually.
Conclusion
We’ve also covered the basics of how to become GDPR compliant, including what personal data is, who needs to comply with the GDPR and how companies can solve for GDPR compliance regarding data access. We hope you found this information useful, and if you would like us to write about any other topics, or have questions regarding our platform and how it can help you protect data specific to your organization, please feel free to contact us today!
%20Logos%202022/sharetru-white-logo.svg){kind=logo}