The General Data Protection Regulation (GDPR) sets out regulations on how personal data must be collected, processed, and used by organizations within the European Union. If you hold the personal data of individuals within the EU, you must comply with the GDPR.
What is GDPR Compliance?
The General Data Protection Regulation (GDPR) is a regulation introduced in the European Union in May 2018. It replaces the 1995 Data Protection Directive. The GDPR sets out regulations on how personal data must be collected, processed, and used by organizations within the EU.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. If you hold the personal data of individuals within the EU, you must comply with the GDPR.
The GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where they are located. This includes both public and private organizations.
What is GDPR compliance and what should you do about it?
Under the GDPR, data subjects have more control over their personal data. They also have greater rights to request access to their personal data and more control over how organizations use their personal data.
In short, the GDPR introduces many changes that go far beyond what you would expect from other privacy laws. For example, under the GDPR, you must allow individuals to review, or obtain a copy of, the personal data you hold about them.
Also, you can no longer rely on 'adequacy' tests to determine whether your organization complies with the GDPR; instead, you must demonstrate compliance by offering users a high level of protection or by allowing them to opt out of having their personal data processed.
What are the different types of personal data that are subject to GDPR compliance?
The GDPR sets out the different types of personal data that fall within its scope. It covers a wide range of personal data, including:
- Identifiers such as name, postal address, e-mail address, and phone number.
- Identifying information: any fact, record, or other information that can be used to identify an individual, including but not limited to name, identification number (e.g. social security number), biometric data (e.g. fingerprints or facial images), genetic data (e.g. DNA), biographical details, and education or work history.
- Sensitive data: any data that is likely to cause harm if made public, such as medical records, financial details, and private communications.
These examples are only a selection of the different types of personal data covered by GDPR compliance. Read more about them in our blog post on the topic.
How must organizations process personal data?
The GDPR sets out two general types of processing. You must comply with either the "adequacy" or the "co-determination" requirements.
Under the adequacy requirement, you must adhere to certain minimum standards for how your organization collects, uses, and retains personal data.
Under the co-determination requirement, you must ensure that individuals have an active choice in how their personal data is collected and used.
What are the consequences of not complying with GDPR?
The GDPR imposes significant consequences on organizations that fail to comply with its requirements. Failure to comply can result in fines of up to 20 million euros (or 4 percent of annual global revenue), or a fine of up to 1 percent of annual global revenue, whichever is higher.
Organizations that don't abide by the GDPR cannot use public data and must make all personal information available in an accessible format. They are also prohibited from transferring personal data outside the EU without approval from national authorities.
An organization that is not compliant risks:
a) fines for failing to comply with the law;
b) breaches of trust and misuse of personal data, which may result in civil penalties or criminal sanctions.
How can you protect your personal data under GDPR?
By following the GDPR, you ensure that personal data is treated with the utmost care and transparency. You should give personal data the same privacy protections you would want for your own data.
The most common types of personal data that organizations process are name, e-mail address, gender, and age. Each of these items typically carries a legal obligation to protect it.
The most important thing to remember about the GDPR is that it covers personal information about an individual, not their name or business address. The GDPR's "right to be forgotten" means that you can ask an organization to delete any information about you from its records if it no longer holds it.
This includes information like your social media account handle and what products and services you're interested in buying online.
GDPR compliance is the starting point for all of your data-handling activities. It is important to understand the different types of personal data that need to be protected, how to process that information in a GDPR-compliant manner, and how to protect your own personal data.
We've provided an overview of this important topic, which is essential for any business, whether you are a startup or a large, established company.