This brochure provides an overview of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive) (hereinafter referred to as the “General Data Protection Regulation”, the “GDPR” or the “Regulation”), which officially came into force on 25 May 2018.
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” – Recital 4 GDPR
2. The objectives underlying the GDPR
The objectives underlying the implementation of the GDPR were the following:
- Strengthening Data Protection: The GDPR aims to strengthen the rights of individuals regarding the collection, use, and storage of their personal data. It introduced stricter rules for organizations handling personal data, ensuring that individuals have more control over their information.
- Harmonizing Data Protection Laws: The GDPR seeks to harmonize data protection laws within the EU member states. Before its introduction, there were variations in data protection regulations across different countries, leading to inconsistencies and challenges for businesses operating in multiple jurisdictions. The GDPR aimed to establish a unified set of rules applicable throughout the EU, thereby simplifying compliance for organizations.
- Adapting to Technological Advances: The previous EU Data Protection Directive (enacted in 1995) did not adequately address the significant technological developments and changes in data processing that had occurred since then. The GDPR was designed to address these advancements, considering the increased use of online services, social media, cloud computing, and big data analytics.
- Strengthening Accountability and Governance: The GDPR places a stronger emphasis on accountability for organizations processing personal data. It requires businesses to demonstrate compliance with data protection principles and maintain appropriate documentation of their data processing activities. Moreover, organizations are required to implement measures such as privacy impact assessments and data protection policies.
- Increased Enforcement and Penalties: The GDPR introduced significantly higher fines for non-compliance, aiming to incentivize organizations to take data protection more seriously. The potential fines for violations of the GDPR can be substantial, up to 4% of a company’s annual global turnover or €20 million, whichever is higher.
Overall, the GDPR aims to provide individuals with greater control over their personal data while establishing a consistent and robust framework for data protection across the EU. It also seeks to address the challenges posed by the digital age and ensure that organizations handle personal data responsibly and transparently. To this end, the GDPR imposes stricter requirements on the way private businesses as well as government entities use personal data.
3. A Valuable Opportunity for Businesses
Prima facie, businesses may construe adherence to GDPR obligations as yet another compliance chore. However, GDPR-compliance can be a valuable opportunity for businesses.
From a business perspective, there are several benefits to being GDPR compliant:
- Enhanced customer trust: GDPR compliance demonstrates your commitment to protecting customer data and privacy. By implementing the necessary safeguards and adhering to the regulations, you build trust with your customers, which can lead to stronger customer relationships and increased loyalty.
- Competitive advantage: GDPR compliance can provide a competitive edge in the marketplace. Many customers now prioritize privacy and data protection when choosing products or services. Being GDPR compliant can differentiate your business from non-compliant competitors and attract privacy-conscious customers.
- Mitigating financial risks: Non-compliance with the GDPR can result in significant financial penalties. By being compliant, you reduce the risk of fines, which can be up to 4% of annual global turnover or €20 million, whichever is higher. Avoiding these penalties helps protect your bottom line and preserves financial resources that can be invested elsewhere.
- Improved data management practices: GDPR compliance requires businesses to implement better data management practices, including data inventory, data mapping, and risk assessments. These practices can help you gain a clearer understanding of your data assets, identify areas of improvement, and streamline data processes. Improved data management can lead to operational efficiencies and cost savings.
- Expanded market reach: The GDPR is not limited to businesses operating within the European Union (EU). It applies to any organization that processes personal data of EU residents. By being GDPR compliant, you can expand your market reach and engage with customers from the EU without facing legal barriers or restrictions.
- Minimized data breaches and security risks: GDPR compliance encourages businesses to implement robust security measures to protect personal data. By adopting these measures, you reduce the risk of data breaches, which can result in reputational damage, financial losses, and legal consequences. Protecting customer data helps maintain a positive brand image and safeguards your business against potential cyber threats.
- Streamlined data subject rights processes: GDPR grants individuals certain rights over their personal data, such as the right to access, rectify, and erase their data. By being compliant, you establish processes and mechanisms to handle these requests effectively. Streamlining these processes not only ensures compliance but also enhances customer satisfaction and strengthens relationships.
In view of the foregoing, embracing GDPR can foster a privacy-focused culture within your organization and position you as a responsible custodian of personal data, leading to long-term success in the digital landscape.
“Europe’s data protection regime has become a compass to guide us through the human-centric digital transition and is an important pillar on which we are building other policies, such as data strategy or our approach to AI. The GDPR is the perfect example of how the European Union, based on a fundamental rights’ approach, empowers its citizens and gives businesses opportunities to make the most of the digital revolution. But we all must continue the work to make GDPR live up to its full potential.” – Věra Jourová, Vice-President for Values and Transparency
4. The GDPR: an evolution or a revolution?
The GDPR replaced the Data Protection Directive of 1995 and introduced several significant changes to the way personal data is handled and protected. While the GDPR brought about important updates to data protection laws, it can be seen as an evolution rather than a revolution because it builds upon the principles and foundations established by preceding legislation.
The key developments brought about by the GDPR relate to:
- Expanded territorial scope: the GDPR applies not only to organizations within the EU but also to those outside the EU if they process the personal data of EU residents. This extraterritorial reach was an expansion of the previous directive and acknowledges the global nature of data processing.
- Increase in penalties: the GDPR significantly increased the potential fines for non-compliance. Organizations can face fines of up to 4% of their annual global turnover or €20 million, whichever is higher. This change aimed to make data protection a more serious consideration for businesses and incentivize compliance.
- More stringent consent requirements: the GDPR sets higher standards for obtaining consent for data processing. It requires organizations to obtain freely given, specific, informed, and unambiguous consent from individuals. The GDPR also introduced the concept of explicit consent for sensitive data, further strengthening individuals’ control over their data.
- Enhanced data breach notifications: the GDPR mandates organizations to report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. This requirement ensures prompt action and transparency in handling security incidents, improving the protection of individuals’ personal data.
- Strengthened rights of data subjects: the GDPR introduced new or enhanced rights for individuals, such as the right to be forgotten, the right to data portability, and the right to object to processing. These rights empower individuals to have more control over their personal data.
- Improved accountability and governance: the GDPR emphasizes the principle of accountability, requiring organizations to demonstrate compliance with data protection regulations. It encourages the implementation of privacy measures, such as the appointment of data protection officers, privacy impact assessments and data protection by design and by default, fostering a privacy-centric approach.
5. How to determine if your business is GDPR-compliant?
Businesses must carefully examine the regulations and comprehend their impact on their business operations. It is important to note that the influence of GDPR extends beyond a particular area of the company; instead, it necessitates the implementation of a process-oriented approach throughout the entire business.
The likelihood is that you will need to make continuous adjustments to your business procedures to conform with this regulation, and introduce fresh measures to ensure compliance on an ongoing basis.
Preparing your business for compliance with the GDPR involves several important steps. Here’s a comprehensive guide to help you navigate the process:
- Understand the Scope: familiarize yourself with the GDPR’s requirements and how they apply to your business. Assess which personal data you collect, process, or store, and determine the lawful basis for processing that data.
- Conduct a Data Audit: perform a thorough audit to identify and document all personal data your business collects, processes, and stores. Document the purposes for processing the data, the categories of individuals involved, the data’s storage locations, and any third parties with whom you share the data.
- Devise a GDPR-compliance action plan: based on the outcome of the data audit, formulate a GDPR-compliance action plan that fits the organization’s size, nature of operations, and data processing activities.
- Implement the action plan: engage a trusted data protection specialist to assist with the implementation, which may include one or more of the following action points:
  - reviewing and updating consent mechanisms;
  - reviewing and revising privacy policies and notices;
  - establishing processes to handle data subjects’ rights, such as access, rectification, erasure, restriction, and data portability requests, within the specified timeframes;
  - ensuring adherence to the data minimization and purpose limitation principles;
  - implementing appropriate technical and organizational measures to safeguard personal data;
  - establishing procedures to detect, respond to, and report data breaches in compliance with the GDPR’s notification requirements;
  - reviewing contracts and agreements with third-party processors to ensure they meet GDPR requirements;
  - conducting training sessions to educate staff about GDPR principles, their roles and responsibilities, and how to handle personal data appropriately;
  - identifying high-risk data processing activities, conducting data protection impact assessments to evaluate potential risks to individuals’ rights and freedoms, and implementing appropriate measures to mitigate identified risks;
  - reviewing data transfer mechanisms to countries outside the European Economic Area (EEA) and ensuring that appropriate safeguards, such as standard contractual clauses or binding corporate rules, are in place for such transfers;
  - appointing a data protection officer (if necessary) or a designated person for data protection matters;
  - maintaining detailed records of data processing activities, including purposes, data categories, recipients, retention periods, and security measures; and
  - conducting periodic reviews and audits to assess the organization’s ongoing compliance with the GDPR and updating the action plan accordingly to address any identified gaps or changes in regulatory requirements.
- Assess the effectiveness of the implemented data protection measures: perform a GDPR FIT/GAP evaluation or conduct an ISO 27001 FIT/GAP evaluation.
- Review GDPR-compliance measures regularly: this is crucial for organizations to adapt to changing requirements, mitigate emerging risks, improve internal processes, build trust and ensure ongoing compliance with data protection legislation.
6. GDPR-compliance advisory services offered by Corrieri Cilia
Corrieri Cilia offers valuable support and information to individuals and businesses who are subject to the provisions of the Regulation. Compliance with GDPR has become crucial in the corporate world, as it contributes to the growth of businesses and enhances trust among stakeholders. With a team of skilled professionals, Corrieri Cilia is well-equipped to help you and your business meet the necessary standards for GDPR compliance. We provide a range of services tailored to each client’s specific needs and preferences, encompassing various aspects of GDPR-compliance.
To discuss how we can help your business comprehend its GDPR obligations and become compliant, you may send an e-mail to [email protected].
NB: Kindly note that the data contained herein is for informational purposes only and thus, it is advisable to seek legal counsel or consult with a data protection professional to ensure compliance with the GDPR based on your specific business circumstances.