If you haven’t heard the term GDPR yet, you’re probably living under a rock or something. If that describes you, there’s no need to worry; we’re here to help you break out and thoroughly understand the regulation as well as the potential repercussions of not complying with it. So, without any further ado, let’s get started!
GDPR stands for General Data Protection Regulation, a regulation adopted by the European Union (EU) to give individuals in Europe more control over their personal data while requiring more transparency from organizations and ensuring a high level of data protection. It replaces the EU Data Protection Directive, also known as Directive 95/46/EC, and, because it is a regulation rather than a directive, applies directly and uniformly across the member states instead of depending on each country’s own implementing law. One stated aim of that harmonization is to make compliance simpler and cheaper for businesses, irrespective of size and type, by replacing a patchwork of national rules with a single one. In a nutshell, GDPR is the most important change in data privacy regulation in the past twenty years.
When did GDPR come into effect & who does it apply to?
The game-changing data privacy law was adopted on April 27th, 2016 and became enforceable after a two-year transition period on May 25th, 2018. It applies to any company or entity that collects or processes the personal data of individuals in the EU, even if that company is headquartered outside the EU and has no establishment there. Depending on a company’s role in deciding how and why data is used, the regulation treats it as either a data controller or a data processor (and a company can be both, for different processing activities). Now you must be wondering what these terms exactly mean. Well, don’t freak out, as we’ve covered that subject for you below.
What are data controllers and data processors?
A data controller is an organization or entity which, alone or jointly with others, determines the purposes and means of processing personal data. To put it another way, data controllers decide the “why” and the “how” of data processing. They may carry out that processing themselves, or they may engage a third party to collect and process data on their behalf; either way, the controller remains accountable for the processing. Typical examples of data controllers include medical practices, banks, solicitors, government departments, charities, and voluntary organizations, as well as any business that holds data about its own customers and employees.
A data processor is a person, company or entity that processes personal data (collects, organizes, transmits, updates, stores or deletes it) on behalf of, and only on the documented instructions of, a data controller. The controller must make sure the data is processed lawfully, transparently and for a specified purpose, and must only use processors that provide sufficient guarantees about their security measures, backed by a written contract. Both controllers and processors must maintain records of their processing activities so that they can demonstrate compliance to a supervisory authority. Some common examples of data processors include payroll firms, cloud storage providers, accounting services, outsourcing companies, and IT service providers.
How to be GDPR compliant: Key Provisions
Below are the key legal requirements that you need to fulfill to comply with GDPR. Depending on the nature of your organization and the data it processes, some of these may apply to you only partially (for example, not every organization must appoint a data protection officer).
1. Consent Procurement
Where you rely on consent as your legal basis for processing, the request for consent must be clear, specific and separate from other terms, and the data subject must be able to withdraw consent as easily as they gave it. You can do so by framing your consent requests and terms and conditions in plain language, and, where possible, avoiding legal jargon, which often makes things more complicated. Remember, silence, pre-ticked boxes or inactivity do not constitute consent: it must be a freely given, informed and unambiguous affirmative action, and you must be able to show a record of when and how it was obtained.
2. Timely Breach Notification
In the event of a personal data breach, a controller has 72 hours from becoming aware of the incident to report it to the relevant supervisory authority (in the UK, the Information Commissioner’s Office, or ICO), unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the breach is likely to result in a high risk to the affected individuals, you must also inform them without undue delay. A processor that discovers a breach must notify its controller without undue delay so that the controller can meet the 72-hour deadline. Failure to report a notifiable breach within the required timeframe can itself attract fines and penalties, separate from any penalty for the security failure that caused the breach.
3. Right to Data Access
Whenever a data subject requests access to their personal data, you’ll need to confirm whether you are processing data about them and, if so, provide a copy of that data free of charge (unless the request is manifestly unfounded or excessive), normally within one month and in a commonly used electronic format if the request was made electronically. The response must also include the purposes for which you’re using that information, the categories of recipients it has been shared with, and how long you intend to retain it.
4. Right to be Forgotten
GDPR provides for the right to be forgotten, also referred to as the right to erasure, giving data subjects the right to have their personal data deleted upon request under certain circumstances, for example when the data is no longer needed for the purpose it was collected for, when consent is withdrawn, or when the data was processed unlawfully. The right is not absolute: you may refuse where you are required by law to retain the data or where processing is necessary for the establishment, exercise or defence of legal claims. If you have made the data public or passed it to processors, you must also take reasonable steps to have those copies erased.
5. Right to Data Portability
This is one of the fundamental data subject rights introduced by GDPR. It allows data subjects to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to reuse it for their own purposes across different services, including having it transmitted directly to another controller where that is technically feasible.
6. Privacy by Design
According to this provision of the General Data Protection Regulation (data protection by design and by default), you must build data protection into your systems and business processes from the outset rather than bolting it on afterwards. In practice that means implementing appropriate technical and organisational measures, such as data minimisation (collecting and retaining only what the stated purpose requires), pseudonymisation or encryption of stored data, and access controls that limit who can see personal data, and configuring your defaults so that only the data necessary for each purpose is processed. Failure to do so is a breach of the regulation in its own right and can result in fines and penalties.
7. Potential Data Protection Officers
Public authorities, and organizations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (such as health, biometric or criminal-conviction data), must appoint a data protection officer (DPO). Whether you need one therefore depends on the nature and scale of your processing, not simply on the size of your company. Where a DPO is appointed, they must be involved in all issues relating to the protection of personal data, report to the highest level of management, and act as the contact point for data subjects and the supervisory authority.
How much will non-compliance cost you?
Here’s something you must know if your company is not yet compliant with GDPR: the most serious contraventions can result in fines of up to €20 million or 4 percent of your company’s total worldwide annual turnover for the preceding financial year, whichever is higher. For a second, lower tier of infringements (for example, failing to keep records of processing or to notify a breach), the maximum is €10 million or 2 percent of the previous year’s global turnover, again whichever is higher. Supervisory authorities also have other corrective powers and may, depending on the nature and severity of the infringement, issue a warning, a reprimand, or an order to bring processing into compliance or to stop processing altogether, with or without a fine.
GDPR is here to stay: Embrace it or face steep EU penalties
It’s no secret that GDPR is a complex topic; the information we’ve shared in this post will help you grasp the basics before you go through the legislation with a fine-toothed comb. It is crucial to tackle emerging privacy regulations proactively, since it is easier to build a compliant process at an early stage than to entirely re-design a business later. If you need any further information in relation to GDPR, feel free to reach out to our support team at firstname.lastname@example.org.
We’re a full-stack web and mobile app development company based in India with a global footprint in the US and Canada, offering detailed guidance as well as multiple tools and solutions to help you comply with the GDPR legislation.
In case you have any queries, let us know in the comments section below!