The General Data Protection Regulation (GDPR) is legislation derived from international privacy and human rights laws, and GDPR compliance is essential for businesses located in the European Union (EU) and/or serving clients in the EU.
History of GDPR
The GDPR was approved by the EU in 2016 and protects an individual's personal data by establishing safeguards so that companies collect data in an ethical manner. Beyond responsible collection, GDPR compliance is enforced for the entire life cycle of personal data: the storage, use, restriction, destruction, and communication of personal data must all be regulated. For example, in the event of a data leak, companies must notify all affected parties within 72 hours of the occurrence per the GDPR.
The GDPR protects personally identifiable information (PII) including the following:
- Location Data
- Biometric data (i.e., fingerprints and facial imaging)
- Political or Religious Affiliations
- Information that is specific to the identity of a person (i.e., social, cultural, economic)
The Foundations of the GDPR
The GDPR regulations are derived from seven principles. These principles are the core foundations of the GDPR and can be identified throughout the GDPR articles.
The seven principles are as follows:
- Lawfulness, Fairness, Transparency: An organization must establish a policy to determine the type of PII to be collected and the intended use.
- Purpose Limitation: An organization must determine what type of PII should be collected for its end goal. All other PII that is not directly relevant must not be collected.
- Data Minimization: An organization must only keep the amount of PII required to meet its goals. PII cannot be saved for potential use later on.
- Accuracy: An organization must ensure PII is accurate and up to date with periodic reviews. PII must be updated when the user makes a request.
- Storage Limitations: An organization must establish a policy with a set and justifiable retention period.
- Integrity and Confidentiality: An organization must establish safeguards to protect against both internal and external threats. This includes but is not limited to data loss, unauthorized access, and cyber attacks.
- Accountability: An organization must be responsible for all PII and provide evidence of compliance.
Case Example: Google, Inc.
Applicable organizations that do not follow the above principles are at risk of penalties and potential fines. For example, the French data protection authority (CNIL) fined Google, Inc. $57 million in 2020. CNIL indicated that the company did not clearly define how PII was processed and did not obtain user consent. This was a direct violation of the GDPR, as it affects a user's rights.
GDPR Compliance and Your Organization
The GDPR applies to all organizations that collect an EU member state citizen's personal data, including both data processors and data controllers. The GDPR covers all methods of data collection and is not limited to website use.
Contact Dayspring Technology at firstname.lastname@example.org for more information on how your organization can establish best practices to ensure an appropriate GDPR compliance structure is in place.