
Salient Features Of General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was passed by the European Union (EU) in 2016 and went into effect on May 25, 2018. Its objective was to strengthen people's data privacy rights and standardise data protection laws across EU member states. Designed to address the data challenges of the internet age and the growth in online usage, GDPR replaced the 1995 Data Protection Directive. Its provisions apply to organisations located inside or outside Europe when they process data concerning European residents.

General Data Protection Regulation 2018: Salient Features

The GDPR is composed of 11 chapters and 99 articles, covering a comprehensive framework for data privacy and protection. Below are the key highlights of its pivotal chapters:

Chapter 1 of GDPR: General Provisions

Chapter 1 lays the foundational framework of the regulation. It defines the objectives, scope and territorial reach of the GDPR, which applies to any entity, inside or outside the EU, handling the personal data of persons from the EU.

  • It defines key terms that make up the regulatory structure of GDPR, such as 'personal data', 'processing', 'data controller' and 'data processor'.

  • This chapter ensures consistency of understanding and implementation across jurisdictions.

  • This chapter provides an overview of the objectives and territorial coverage of the GDPR, which applies to any organisation that processes the personal data of individuals located within the EU, regardless of the location of the organisation.


Chapter 2 of GDPR: Principles

This chapter enshrines the core principles of GDPR. It contains 7 Articles, from Article 5 to Article 11, which define the key principles that determine what is lawful data processing. They include:

  • Lawfulness, Fairness, and Transparency: Data has to be processed lawfully and transparently.

  • Purpose Limitation: Data collected for particular purposes cannot be used for any other purpose.

  • Data Minimization: Only needed data should be processed.

  • Accuracy: Personal data has to be accurate and kept up to date.

  • Storage Limitation: No data should be retained beyond its necessity.

  • Integrity and Confidentiality: Data should be protected from unauthorised access by appropriate measures.


Chapter 3 of GDPR: Rights of the Data Subjects

Chapter 3 contains 5 Sections and 12 Articles, from Article 12 to Article 23. This chapter establishes a comprehensive set of rights for individuals, including:

  • Right to Access: This allows individuals to access the data that organisations hold about them.

  • Right to Rectification: Individuals can request the correction of inaccurate data.

  • Right to Erasure ('Right to be Forgotten'): In certain situations, individuals can demand the deletion of their data.

  • Right to Data Portability: Individuals can transfer their data to another service provider.

  • Right to Object: Individuals have a right to object to data processing for certain purposes.

For example, a European e-commerce company must comply with a customer's request to delete their data after account closure.


Chapter 5 of GDPR: Transfers of Personal Data to Third Countries or International Organizations

This chapter applies to data transfers outside of the European Union. It allows transfers only if the receiving country or organisation provides an adequate level of data protection. Secure transfers are managed with mechanisms such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

For example, an India-based cloud storage provider handling EU data must adhere to GDPR's transfer requirements or face penalties.


Chapter 6 & 7 of GDPR: Independent Supervisory Authorities and Cooperation Framework

Chapters 6 and 7 of the General Data Protection Regulation (GDPR) focus on the establishment, roles, and cooperation of supervisory authorities.

  • Chapter 6 mandates the independence of these authorities, detailing their tasks, powers, and responsibilities to monitor GDPR compliance.

  • Chapter 7 establishes a cooperative framework, promoting collaboration among EU supervisory authorities through mechanisms like mutual assistance and joint operations.

The European Data Protection Board (EDPB) is introduced to ensure consistency in GDPR enforcement across member states. Together, these chapters strengthen the enforcement and harmonization of data protection laws within the European Union.

Chapter 8 of GDPR: Remedies, Liability, and Penalties

Chapter 8 of GDPR contains 8 Articles, from Article 77 to Article 84. This chapter emphasises enforcement and accountability. The following are some important provisions from this chapter:

  • Remedies: The aggrieved party has a right to lodge complaints and seek judicial redress.

  • Liability: Controllers and processors are responsible for GDPR violations.

  • Penalties: The maximum fines for non-compliance can go up to 20 million euros or 4% of annual global turnover, whichever is higher.

For example, in 2019 Google was fined 50 million euros for a transparency violation under the GDPR.


Nature and Scope of the Act

GDPR has an extraterritorial scope, applying to entities outside the EU if they process the personal data of EU residents. It establishes a risk-based approach, emphasizing accountability and data protection by design. GDPR’s provisions are binding on all sectors, from e-commerce to healthcare, ensuring comprehensive coverage.

Summary

GDPR, 2018 is a comprehensive data protection regulation aimed at protecting the personal data rights of individuals within the EU and beyond. It standardised data privacy laws to address the challenges of the digital age. Its provisions include principles of data processing, rights of the data subject and rules for international data transfers, along with severe penalties for failure to comply. With its extraterritorial scope, GDPR offers a global benchmark for data privacy, built on transparency, accountability and security in personal data processing.

What is GDPR: FAQs

Q1. What is the main purpose of the GDPR? 

The objective of GDPR is to keep the personal data of EU residents safe and to ensure it is processed in a transparent and responsible manner.

Q2. Who must comply with GDPR? 

GDPR applies to all organisations that process personal data about EU citizens, regardless of where the processor is situated.

Q3. What are the penalties for not complying with GDPR? 

Non-compliance can result in fines of up to 20 million euros or 4 percent of the group's annual turnover, whichever is higher.

Q4. Does the GDPR apply to a small business? 

GDPR applies to all businesses that handle the personal data of EU citizens, regardless of their size.

Q5. Does GDPR apply to non-EU residents?

GDPR mainly protects EU residents, but because of its impact, global organisations often feel compelled to adopt similar data protection measures, which indirectly benefits non-EU individuals.


Contact

support@thelegalschool.in

+91 6306521711

+91 9302549193

Address

5th Floor, D-7, Sector 3, Noida - Uttar Pradesh

Social

linkedin

© The Legal School
