The General Data Protection Regulation is over two years old and continues to undergo evaluations to determine whether it's properly serving the needs of data subjects. This large-scale regulation has changed the personal data landscape across Europe and the world. In this article, we will address some of the most common questions about the GDPR regulation and how it can affect your business.
Table of Contents
- The General Data Protection Regulation (GDPR) in the European Union
- Personal Data Regulations Included in the GDPR
- Parties Affected by the GDPR
- Common GDPR Questions
- What Happens if You Lack GDPR Compliance?
- Become GDPR Compliant with ETL
The General Data Protection Regulation (GDPR) in the European Union
The GDPR is a unified data protection law for all EU citizens, . It became fully effective on May 25, 2018. It is considered to be the most important piece of legislation to be introduced in the European Union in the past 20 years, replacing the 1995 Data Protection Directive.
Personal Data Regulations Included in the GDPR
The GDPR regulates the processing of personal data in the EU, including its collection, use, transfer, and storage.
"Personal data" is the most important phrase here. The GDPR’s main focus is to increase the rights and control that EU citizens - or “data subjects” - have over their EU data and how it's used. The data protection rules also encourage companies to maintain GDPR compliance by increasing enforcement and imposing strict fines if they breach the terms.
The changes introduced by this regulation include:
- Increased rights for EU citizens: The legislation provides more rights for data subjects, granting them - among other things - the right to be forgotten, the right to file complaints against data controllers, and the right to request a copy of any personal data stored about them. Data erasure is particularly important, as previously they may have faced difficulty in fully deleting personal data. Under these laws, IP addresses also count as covered data.
- Notification of data breaches: Under GDPR, any “destruction, loss, alteration, unauthorized disclosure, or access to,” individuals’ personal data must be reported to a country’s data protection regulator if the breach could have a negative impact on the individuals affected. This increases cybersecurity and protects users against major hacks or personal data breaches. Companies must avoid undue delays when reporting these incidents.
- New requirements for data monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals, requiring that organizations with “regular or systematic data monitoring” to employ a data protection officer (DPO). In other words, you can’t monitor or collect user data without a good reason and a solid process.
- Legal obligations and increased monitoring of organizations: The GDPR requires that organizations implement appropriate policies, keep detailed records on data activities, and enter into written agreements with vendors. Supervisory authorities, in turn, will be able to carry out on-site data protection audits and the power to issue public warnings, reprimands, and orders to carry out specific remediation activities.
- Protection of personal data: These regulations take a comprehensive and robust approach in protecting personal data that companies use. By unifying the regulations throughout the European member states, data subjects enjoy a consistent and standardized approach.
- Data portability: Data subjects can request that their data be moved between data controllers and provided to the individual in a common and usable format.
- Special categories: Some data types have more stringent GDPR requirements due to their sensitive nature. This information includes sexual orientation, biometric data, health information, genetic data, religious beliefs, political leanings, race, ethnicity, sex life data, and trade union memberships.
Parties Affected by the GDPR
The GDPR covers companies of all sizes, including small businesses and service providers, who operate within member states in Europe. It also applies to companies outside of the EU that sell goods and services to natural persons in the EU or EU-based businesses.
How Does Brexit Affect GDPR in the UK?
Brexit happened on January 31, 2020, but it currently has a limited impact on GDPR compliance requirements in the UK. The EU laws still apply until the end of 2020. The National Law Review reports that these countries plan on continuing to follow the GDPR following the transition period.
Common GDPR Questions
What is the European Data Protection Board?
The EDPB is an independent organization that maintains consistency in the application of GDPR laws. It offers a range of resources to help companies successfully implement these practices, including guidelines, recommendations, dispute mediation, and advising the European Commission.
What is the Information Commissioner's Office?
The ICO is a UK organization that enforces compliance with varying information rights regulations in that region, including the GDPR. Much like the EDPB, the ICO is an independent entity that acts in the public interest. Individuals and other stakeholders can reach out to this organization with concerns, complaints, and questions. For example, if a data subject runs into a company that is mishandling their personal data, they can get help from the ICO.
Differences Between a Data Processor and a Data Controller
These two terms are easy to get mixed up, but they have different roles under a data protection directive.
Data controller: This entity establishes why they need to use personal data and what they're doing with it. They may have their own processes in place to work with this information or go through a third-party solution. No matter where the data is, they have the control and responsibility for it.
Data processor: This entity only works with data given to it by a controller. It follows the specific requirements provided by the controller and can't do anything with the data outside of this scope.
What Does the GDPR Mean For Your Business?
If you are a company outside the European Union, this still affects your business. Why? If you offer goods or services to individuals within the EU member states or monitor their behavior, then the GDPR may apply to you. Your region may also draft similar data privacy laws in the future, so it's best to prepare.
How Do You Prepare for the GDPR?
The preparations and decision-making involved with the GDPR are complex for all businesses. The first step is to assess the current state of your business, analyzing the personal data that exists across your company, and determining your current level of compliance and risk. Specifically, look at your data collection and storage practices and evaluate things like:
- Personal data collection methods
- The length of time you hold the data
- If you're updating the data
- Your data security methods
- The type of data you're working with
- The way you process data
- Notification timelines for data breaches
Your company needs team members who fully understand the GDPR terms and what they need to do to abide by data protection rules. Take a privacy by design approach to your policies and procedures. A data protection impact assessment can guide your decision-making throughout this process.
Once you've implemented your strategy, continually evaluate it so you stay up-to-date on the latest best practices. Your long-term success in compliance hinges on analyzing your performance.
What Happens If You Lack GDPR Compliance?
The GDPR has some of the highest sanctions for non-compliance, including fines of €20 Million or up to 4% of a company’s annual global revenue. InfoToday reports that €114 million in fines were issued in the first 20 months following GDPR's introduction. Companies that ran into trouble with their processing activities include Google, Facebook, British Airways, and Marriott International.
Your company may not immediately get a fine for GDPR non-compliance. Other enforcement methods include receiving warnings or being reprimanded, being banned from personal data processing, getting an order for rectification, erasing, or restricting personal data, and limitations on data transfers.
Become GDPR Compliant with ETL
Extract Transform Load (ETL) solutions are data processors that handle data integration. At Integrate.io, we provide a platform to help you migrate, transform, and organize your data from various sources - including personal data about your customers. We do not access any of that information ourselves. We act as the pipeline, so we don't save any data or use it for any purpose other than to provide you with our service.
Our ETL platform helps you track your GDPR compliance efforts and easily access, change, remote, and delete EU data through your Integrate.io account at your user's request. You control your data from one place, rather than trying to process these requests through multiple applications.
You create a quality customer experience by showing that you're responsive to data privacy concerns, and you decrease the risk of falling out of compliance.
GDPR and Integrate.io
Here's a full list of how Integrate.io empowers your organization and your users under GDPR.
- Cybersecurity and data Breaches: Integrate.io not only follows standard industry practices around encryption, but also has systems in place for authentication, authorization, and auditing so that your information - and your customers’ information - is safe at all times.
- Rights for Individuals: If your customers from EU countries want you to access, modify, or delete information about them, you will be able to make those updates and export that information quickly and efficiently. This includes the customer’s right to be forgotten.
- Lawful Basis for Processing: If you want to save your customers’ information, you need a “lawful reason” to do so - an opt-in, a signed contract, etc. While all this information will be housed in your CRM or customer support tool, you will be able to track it and demonstrate your lawful basis for processing personal data within the Integrate.io platform.
Do you still have questions about GDPR regulations, need a copy of the Integrate.io DPA, or want to know more about how Integrate.io's ETL platform will transform your data management? Contact us to speak with one of our customer support representatives.