In May 2018, the European Union enacted the General Data Protection Regulation (GDPR), aiming to protect personal data in the digital age. GDPR has set a new standard for the protection of data not only in the EU but globally, in the following text we will explore its core components, the type of data that it covers and of course the profound legal implications of the regulation.
1) The scope of GDPR and the applicable data
The GDPR is a comprehensive data protection law that came into effect on May 25, 2018, across all EU member states. It was designed to harmonize data privacy laws across Europe, protect EU citizens' data privacy, and reshape the way organizations across the region approach data privacy. The GDPR grants individuals greater control over their personal data and simplifies the regulatory environment for international business by unifying the regulation within the EU.
The GDPR applies to 'personal data', which is any information related to an identified or identifiable person who can be directly or indirectly be identified in particular by reference to an identifier. This includes a wide range of data such as:
- Name and Identification Numbers: Including social security numbers, employee ID numbers, and passport numbers.
- Location Data: Information about an individual's location, which can be precise (GPS data) or inferred from other information.
- Online Identifiers: This encompasses IP addresses, cookies, and other identifiers that could track online behavior.
- Sensitive Personal Data: Also known as "special categories of personal data," this includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health information, and data concerning a person's sex life or sexual orientation.
2) Entities that need to comply with GDPR
The GDPR imposes obligations when there is any processing of personal data. The GDPR identifies the following:
- Data Controllers: Natural or legal persons that determine the purposes and means of processing personal data. This includes businesses, organizations, or even individuals who collect data from EU residents, regardless of the organization's location.
- Data Processors: Natural or legal persons that process data on behalf of the data controller. This includes anyone that processes data , such as cloud service providers or marketing agencies.
Importantly, the GDPR applies not only to organizations located within the EU but also to those outside the EU that offer goods or services to, or monitor the behavior of, EU residents. This global reach underscores the regulation's broad impact on international business practices. Furthermore, as a recent case is Greece underlined, GDPR is also applicable to individuals who process data. As such, politicians, marketeers and other professionals are also obliged to comply with the requirements of the GDPR. The Regulation offers a limited exemption to individuals under Art.2 when data is used "in the course of a purely personal or household activity".
Anonymous data is generally not covered by the GDPR, however, in some cases of anonymized data sets, the GDPR may still apply, depending on how easy or not it is to identify the data subject.
3) The principles set by GDPR
The GDPR introduces a set of principles that serve as the foundation for the protection and processing of personal data. The first of these principles is the requirement for lawfulness, fairness, and transparency, mandating that all data processing activities be legal, fair to the individuals concerned and transparently conducted, ensuring that individuals are fully informed about how their data is used.
Closely tied to the principle of transparency is the necessity for purpose limitation, which stipulates that data must be collected for specific, explicit, and legitimate purposes. Once collected, data should not be processed in a manner that deviates from these initially-stated purposes, unless further processing is compatible with the original objectives or consent is obtained.
Integral to the GDPR's framework is the principle of data minimization, ensuring that only data which is necessary for the specified purposes is processed. This principle advocates for the collection of data that is adequate, relevant, and not excessive in relation to the processing purposes.
Accuracy of personal data is another cornerstone, requiring that data be kept accurate and up-to-date. Any inaccurate data, when identified, must be erased or rectified without delay, emphasizing the dynamic nature of data management and the ongoing responsibility organizations have towards the integrity of the data they process.
The principle of storage limitation further imposes restrictions on the longevity of data storage, allowing personal data to be kept in identifiable form only as long as necessary for the processing purposes. For data retained beyond this period for reasons such as public interest, scientific research, or historical records, stringent measures must be taken to safeguard the rights and freedoms of the data subjects.
Ensuring the integrity and confidentiality of personal data through appropriate security measures is paramount, protecting the data against unauthorized access, accidental loss, destruction, or damage. This principle underscores the necessity for robust security practices and protocols in managing personal data. Various organizational and technical measures may be needed to be taken by organizations to ensure that this principle is complied with.
Finally, the principle of accountability encapsulates the essence of GDPR compliance, placing the responsibility directly on the shoulders of data controllers to not only comply with these principles but also to demonstrate their compliance through documented evidence and practices. This reflects a shift towards a more accountable and proactive stance on data protection, requiring organizations to internalize these principles in their operations and decision-making processes.
4) Legal implications
Non-compliance with the GDPR can result in severe legal implications, including fines of up to €20 million or 4% of the annual global turnover, whichever is higher. The Regulation enhances individuals' rights, introduces mandatory data breach notifications, and imposes strict requirements for data protection impact assessments and accountability measures. These legal implications underscore the necessity for organizations to adopt comprehensive data protection measures and maintain transparency in their data processing activities.
Large or high-risk organizations (where large data sets are processed or sensitive data processing is taking place) must conduct a Data Protection Impact Assessment (DPIA) to ensure that sufficient protection measures are taken to safeguard individual rights and freedoms. In case of a data breach (which may involve unauthorized access or data disclosure, data loss, modification etc.), data controllers are required to notify the regulatory authorities within 72 hours of becoming aware of it.
In Cyprus, the regulatory authority that is responsible for enforcing GDPR is the Office of the Commissioner for Personal Data Protection. The Commissioner is tasked with overseeing the application of data protection laws in Cyprus and acts as an independent supervisory authority responsible to monitor and enforce GDPR, investigate complaints and, if needed, impose fines for violations and provide advice and guidance on GDPR related obligations.
In conclusion, the GDPR represents a significant step in the area of data protection, emphasizing the importance of individual privacy rights. It requires organizations (and individuals) to adopt a proactive approach to data privacy, ensuring transparency, security, and accountability in the processing of personal data. As data continues to play a crucial role in the digital economy, understanding and complying with the GDPR is essential for any organization handling EU residents' personal information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.