General Data Protection Regulation (GDPR) Summary
- The GDPR regulates personal data protection and privacy for individuals and companies in the 27 countries of the European Union (EU) plus the United Kingdom (UK).
- The GDPR outlines your consumer rights, which include the right to personal data access and portability, erasure, and correction and objection. See Key GDPR Consumer Rights.
- Companies are obliged to:
- provide transparent information on the use of personal data,
- ensure data protection by design and default,
- provide proper communication in the event of a data breach, and
- appoint a Data Protection Officer (DPO) whenever necessary.
- The UK GDPR applies these same rights and responsibilities to individuals and organizations that are from or do business in the UK. See UK GDPR Rights and Obligations.
- Australian businesses need to comply if they have an establishment in the EU / UK, if they offer goods and services in the EU / UK, or if they monitor the behaviour of individuals in the EU / UK. See Australian GDPR Rights and Obligations.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) legal standard that sets out rules on data protection and privacy for individuals and consumers in the European Economic Area.
The GDPR came into force on May 25, 2018, requiring all organizations that collect or process personal data, or that target people in the EU, to observe certain rules around data privacy and security.
The main objective of the GDPR is to lay down rules to protect the use and sharing of personal data. Organizations processing personal data belonging to EU residents and citizens, or selling goods or services to such people are governed by the GDPR, even if the organization is not based in the EU.
Failure to comply with the set rules could attract fines of up to €20 million or 4% of the organization’s global revenue (whichever is higher). Subjects whose personal data privacy is violated can also seek compensation for damages.
The following are the key legal terms defined by the GDPR:
Personal Data refers to any kind of information linked to an identifiable natural person, including:
- Unique identification number
- Health records
- Banking and income information
- Other physical, economic, cultural or social identities.
Data processing is any action an organization performs on an identifiable person’s data, either manual or automated. Such processes may include collecting, structuring, storing, using, sharing, deleting, etc.
Data subject refers to site visitors or customers whose data is processed by the organization.
Data Controller refers to the employee or business owner who determines why and how personal data is being processed.
Data Processor is a third party, such as a cloud hosting or email service provider, that processes personal data under the guidance of the data controller.
Key GDPR Consumer Rights
1. Right to Data Access and Portability
Individuals are entitled to request access to the data a company has collected about them, at no cost. When presented with such a request, the company should tell the individual whether it is processing their personal data and provide the requested information in an accessible format.
2. Right to Erasure
The GDPR entitles individuals to request the erasure of any personal data a company has collected about them. However, a company may decline to comply if:
- the data processing respects the individual’s freedom of information and expression;
- the personal data must be kept for legal purposes;
- the data is being stored for public interest, such as public health.
3. Right to Correct and Object
Individuals who believe that the personal data a company holds about them is incomplete, incorrect, or inaccurate are entitled to request that the company rectify or complete it as soon as possible.
An individual also has a right to object to the processing of their personal data if the company has no legitimate interests that would override the individual’s personal interests.
Company GDPR Obligations
The GDPR covers several obligations aimed at protecting the right of individuals to control the use of their personal data. These include:
1. Providing transparent information
Companies are required to tell individuals who is processing their personal data and why. The disclosure must clearly state:
- Who the company is;
- Why the organization is processing the data;
- The legal basis for doing so;
- Who will receive the data (where applicable).
2. Appointing a Data Protection Officer (DPO)
A DPO oversees the company’s adherence to the GDPR requirements for personal data protection and privacy. The DPO informs employees in charge of personal data processing on their obligations.
A company should appoint a DPO when:
- The company systematically or regularly monitors individuals or customers, or processes special types of data;
- Processing personal data is the company’s core business activity; and
- Processing of personal data is done on a large scale, such as targeted advertising on search engines based on customers’ behaviour on eCommerce sites.
3. Data protection
Data Protection by Design
The GDPR requires that the company observes data protection in the early stages of developing new goods or services or when designing new methods of personal data processing.
The sooner the organization minimizes privacy risks, the better the level of awareness across all departments, and the higher the level of consumer trust.
Data Protection by Default
A company should ensure that the most privacy-friendly setting is applied by default on the company’s website and other data collection channels. Where two settings are possible, the one that better protects personal data should be the default.
4. Providing proper communication in the event of a data breach
When individuals’ personal data is disclosed to unauthorized persons, accidentally or unlawfully, or is temporarily unavailable or altered, a company should inform the Data Protection Authority (DPA) within 72 hours of becoming aware of the breach.
If the data leakage poses a high risk to the affected customers, the company may be required to communicate the breach to the victims.
UK GDPR Rights and Obligations
The GDPR is retained in UK domestic law, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version, but the key principles, rights and obligations remain the same.
However, there are implications for the rules on transfers of personal data between the UK and the European Economic Area (EEA). The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:
- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals taking place in the UK.
There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR still applies to this processing, but the way you interact with European data protection authorities has changed.
Australian GDPR Rights and Obligations
Australian entities need to understand the new requirements in the European Union (EU) General Data Protection Regulation and how they can comply with Australian and EU privacy laws.
- Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
- The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- implement a privacy by design approach to compliance
- be able to demonstrate compliance with privacy principles and obligations
- adopt transparent information handling practices
- There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which have no equivalent under the Privacy Act (oaic.gov.au).
- Australian businesses should take steps now to ensure their personal data handling practices comply with the GDPR before commencement.
- Whether the GDPR applies to Australian Government agencies is complex (see Does the GDPR Apply to Australian Government Agencies (oaic.gov.au)).
These are the 27 member countries of the EU, plus the UK, to which the GDPR applies:
- United Kingdom (UK)*
Sources
- Art. 4 GDPR Definitions (gdpr-info.eu)
- What is GDPR, the EU’s new data protection law? (gdpr.eu)
- The GDPR: new opportunities, new obligations (ec.europa.eu)
- 7 Epic GDPR Infographics (sepaforcorporates.com)
- Data protection - Better rules for small business (ec.europa.eu)
- The UK GDPR (ico.org.uk)
- The 27 member countries of the EU (europa.eu)
- Australian entities and the EU General Data Protection Regulation (GDPR) (oaic.gov.au)