Before we can start going deeper into data protection law and learning how to make your organization compliant, we must be sure that we fully understand what GDPR is and what it requires from us. In the first article of our new series, the XCure team has created this list of the most important things you need to know about GDPR. Are you ready?
1. What is GDPR?
GDPR stands for General Data Protection Regulation. It was created by the European Union to harmonize data privacy laws across EU Member States and ensure that individuals are protected with regards to the processing of their personal data. It also lays down the rules to facilitate the free movement of personal data within the EU.
It came into force on May 25th, 2018, and it is important to note that, while GDPR indeed brings many innovations to the field of data protection and privacy, it is not the first regulation of these matters created by the European Union. On the contrary, the GDPR replaces the Data Protection Directive of 1995, updating the existing rules to a more digital and connected world.
2. When is GDPR applicable?
The Regulation applies whenever personal data is processed, wholly or in part, by automated means. It also applies to processing by non-automated means if the personal data forms, or is intended to form, part of a filing system. As you can see, GDPR has a very wide scope of application that encompasses almost all types of processing of personal data done in a systematic manner.
There are, however, four cases in which the processing of personal data is not regulated by the GDPR:
- When done in the course of activities outside of the scope of Union law, such as those related to public security, defense, or national security;
- When EU Member States are carrying out activities related to the Union’s common foreign and security policy, under the Treaty on European Union;
- When a natural person does it in the course of a purely personal or household activity;
- When done in the context of law enforcement, by a competent authority, for the purposes of the prevention, investigation, detection or prosecution of criminal offenses, or the execution of criminal penalties.
3. What is considered data processing?
Under the GDPR, data processing is a very wide concept that includes any operation performed on personal data, either by automated or non-automated means. That includes actions such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, making available, alignment or combination, restriction, erasure, and destruction of personal data.
4. Who needs to comply with GDPR?
Whether an organization needs to comply with GDPR depends on which of three main cases applies:
- When the processing of personal data is done by a controller or processor based in the European Union, even if the processing itself does not take place in the EU;
- When a controller or processor not based in the EU processes the personal data of people who are located in the Union, and the processing relates to offering them goods or services or to monitoring their behavior;
- When public international law makes an EU Member State law applicable to the case.
5. What happens if GDPR is not followed?
Organizations that don’t comply with GDPR will not only be considered less trustworthy by the public, but can also be subject to substantial fines.
Less serious infringements can lead to a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the previous year, whichever amount is higher. This type of infringement includes violations such as failing to report a data breach or to notify the affected data subjects.
More serious infringements, in turn, can result in fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the previous year, whichever amount is higher. They include violations such as unauthorized transfers of data and ignoring data subjects’ access requests.
6. What can you do to ensure your organization is GDPR compliant?
Under GDPR, most organizations will have to radically change the way they collect, store and use personal data. The Regulation requires greater transparency in these processes, empowering individuals and protecting their privacy.
While becoming compliant demands a conscious effort from organizations, when done correctly it can strengthen them and give them a competitive advantage over those that don’t follow the Regulation.
The good news is that by reading this article you have already taken the first step on your compliance journey. In our next posts, we will explain in detail various aspects of GDPR and the measures you can take to implement them, so don’t forget to follow our LinkedIn page to keep up to date with our new data privacy law series.
Did you know that with XCure’s Privacy Management Tool you can easily map, document and maintain the requirements of data protection regulation? Try it now for free and make sure your organization is GDPR compliant!
Contact the XCure team if you would like more information or a presentation of the Privacy Management Tool.