personal data has become a valuable asset, often traded and used for various purposes. To protect individuals’ privacy and regulate the handling of personal data, the European Union (EU) introduced the General Data Protection Regulation (GDPR). Enforced since May 25, 2018, GDPR sets guidelines for the collection, processing, and storage of personal data of individuals within the EU, as well as the export of personal data outside the EU.
Key Principles of GDPR
- Lawfulness, Fairness, and Transparency: Data processing must be lawful, fair, and transparent to the data subject.
- Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization: Data collected should be adequate, relevant, and limited to what is necessary for processing.
- Accuracy: Personal data should be accurate and, where necessary, kept up to date.
- Storage Limitation: Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
- Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Who Does GDPR Apply To?
GDPR applies to any organization, regardless of its location, that processes personal data of individuals in the EU. This includes businesses, charities, and public authorities, as well as organizations that process personal data on behalf of others.
GDPR and Data Subject Rights
GDPR grants individuals several rights regarding their personal data, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing. Organizations must ensure these rights are respected and upheld.
GDPR Compliance
Compliance with GDPR involves implementing technical and organizational measures to ensure data protection principles are followed. This includes conducting data protection impact assessments, appointing a data protection officer (DPO) where required, and implementing measures to secure personal data.
GDPR compliance refers to the process of ensuring that an organization’s data processing activities adhere to the requirements set forth in the General Data Protection Regulation (GDPR). This regulation outlines rules and guidelines for the collection, storage, processing, and sharing of personal data of individuals within the European Union (EU).
Organizations that are GDPR compliant have implemented measures to protect personal data and uphold the rights of individuals, such as the right to access, correct, and erase their data. Compliance involves implementing data protection policies and procedures, conducting data protection impact assessments, appointing a Data Protection Officer (DPO), and providing data subjects with information about how their data is processed. These actions fall within the scope of information security management and are a direct result of how a company chooses to manage its own security and the safety of its customers.
Failure to comply with GDPR can result in significant fines and penalties, so organizations must take steps to ensure that they are meeting the requirements of the regulation.
Consequences of Non-Compliance
Failure to comply with GDPR can result in severe penalties, including fines of up to €20 million or 4% of the annual global turnover, whichever is higher. Additionally, organizations may suffer reputational damage and loss of customer trust.
Privacy Rights of GDPR
The GDPR, or General Data Protection Regulation, is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Privacy Right | Description |
---|---|
The right to be informed | Individuals have the right to be informed about the collection and use of their personal data. |
The right of access | Individuals have the right to access their personal data and information about how it is being processed. |
The right to rectification | Individuals can request the correction of inaccurate or incomplete personal data. |
The right to erasure | Individuals have the right to request the deletion or removal of their personal data. |
The right to restrict processing | Individuals can request the restriction or suppression of their personal data. |
The right to data portability | Individuals can obtain and reuse their personal data for their own purposes across different services. |
The right to object | Individuals have the right to object to the processing of their personal data in certain circumstances. |
Rights in relation to automated decision making and profiling | Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. |
Data Protection Officers
A Data Protection Officer (DPO) is a person designated to oversee an organization’s data protection strategy and implementation to ensure compliance with data protection laws and regulations, such as the GDPR. The DPO’s role includes advising on data protection impact assessments, monitoring compliance with the GDPR and other data protection laws, cooperating with supervisory authorities, and acting as a point of contact for data subjects and the supervisory authority. The GDPR mandates the appointment of a DPO for certain organizations, such as those processing large amounts of personal data or engaging in systematic monitoring of individuals.
When Is a DPO Needed?
There are many security roles within an information security management system; they are built and structured to give a broader view of how the organization's strategy works. The DPO is one of those roles, but not every organization needs a DPO. Here are a few guidelines to help you understand whether your organization needs one:
- You are a public authority.
- Your core activities require you to monitor people systematically and regularly on a large scale (e.g. an advertising agency, monitoring, tracking, or algorithms that require preservation of data).
- Your core activities involve large-scale processing of the special categories of data listed under Article 9 of the GDPR, or of data relating to criminal convictions and offenses mentioned in Article 10.
History of GDPR
The General Data Protection Regulation (GDPR) was adopted by the European Parliament and the Council of the European Union in April 2016 and came into effect on May 25, 2018. However, its roots can be traced back to the early days of data protection legislation in Europe.
The history of the GDPR begins with the Data Protection Directive of 1995, which was the first comprehensive data protection law in Europe. This directive aimed to harmonize data protection laws across EU member states and regulate the processing of personal data within the EU. It established principles for the fair and lawful processing of personal data, as well as requirements for data controllers and processors.
Over time, technological advancements and changes in the way data is processed led to calls for an update to the Data Protection Directive. In 2012, the European Commission proposed a comprehensive reform of data protection rules to strengthen online privacy rights and boost Europe’s digital economy.
After several years of negotiations and revisions, the GDPR was adopted in 2016, replacing the Data Protection Directive. The GDPR introduced several key changes and enhancements to data protection laws, including:
- Expanded territorial scope: The GDPR applies to all organizations that process personal data of individuals within the EU, regardless of where the organization is located.
- Increased penalties: The GDPR introduced significantly higher fines for non-compliance, with penalties of up to 4% of annual global turnover or €20 million, whichever is higher.
- Strengthened consent requirements: The GDPR requires organizations to obtain clear and explicit consent from individuals before processing their personal data.
- Enhanced data subject rights: The GDPR gives individuals greater control over their personal data, including the right to access, rectify, and erase their data.
- Data breach notification: The GDPR requires organizations to notify data protection authorities of a data breach within 72 hours of becoming aware of it.
Overall, the GDPR represents a significant step forward in data protection and privacy rights in Europe, providing individuals with greater control over their personal data and imposing stricter obligations on organizations that process that data.
GDPR Fines
To better understand the possible outcome of an organization's failure to comply with GDPR, look at the table below, which shows real fines issued under GDPR for non-compliance and the reasoning behind them.
ETid | Country | Date of Decision | Fine [€] | Controller/Processor | Quoted Art. | Type |
---|---|---|---|---|---|---|
ETid-2279 | SPAIN | 2023-11-02 | 48,000 | INSTITUT MARQUÉS OBSTETRICIA I GINECOLOGIA, S.L.P. | Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 34 GDPR | Non-compliance with general data processing principles |
ETid-2278 | SPAIN | 2024-03-25 | 27,000 | 20 MINUTOS EDITORA, S.L. | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority |
ETid-2277 | BULGARIA | 2023-02-09 | 5,100 | Unknown | Art. 5 (1) a), b) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles |
ETid-2276 | SPAIN | 2024-03-15 | 800 | Private individual | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles |
ETid-2275 | SPAIN | 2022-06-22 | 1,600 | URQUÍA & BAS, CORREDURÍA DE SEGUROS S.L. | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations |
ETid-2274 | SPAIN | 2024-02-06 | 160,000 | SANITAS, S.A. DE SEGUROS | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing |
ETid-2273 | ITALY | 2024-02-22 | 2,000 | Camera di Commercio Industria Artigianato e Agricoltura | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing |
ETid-2272 | SPAIN | 2024-02-13 | 100,000 | VODAFONE ESPAÑA, S.A.U. | Art. 6 (1) GDPR | Insufficient legal basis for data processing |
ETid-2271 | SPAIN | 2024-02-13 | 4,000 | ASNEF-EQUIFAX, SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. | Art. 15 GDPR | Insufficient fulfilment of data subjects rights |
ETid-2270 | ITALY | 2023-07-18 | 45,000 | Municipality of Modica | Art. 5 (1) a), c), e) GDPR, Art. 5 (2) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 37 (1), (7) GDPR | Non-compliance with general data processing principles |
In conclusion, GDPR is meant to protect people's right to privacy and safety online. Following GDPR's technical guidelines and maintaining good GDPR compliance within your company will improve your services and products, since users and consumers around the world seek those rights. Failing to comply with these regulations will result in fines and legal problems due to invasion of your customers' privacy.
I am a software engineer with 20 years of experience writing code, working with software languages, large-scale web applications, security, and data protection of online digital assets in various software systems and services. I've decided to write and share my interests in cyber security and information security online to help improve white hat security, safety, and privacy of our online digital assets, as companies, as individuals, or as experts providing services. Here you'll be able to read freely about cyber security threats, detections, common problems, services, news, and everything related to information security and cyber security. Enjoy, and feel free to contact me via the contact page with any question.