The GDPR (European General Data Protection Regulation) aims to harmonise and modernise the rules on the collection and processing of the personal data of European citizens.
As companies rely on data to provide services and products, it is key to understand why the GDPR is important, how it works, what its objectives are and what its challenges are.
Find out the answers to all these questions in this blog post.
What is the GDPR?
GDPR stands for the European General Data Protection Regulation. Adopted in 2016, it then entered into force on 25 May 2018.
The purpose of the GDPR is to be the new reference text on personal data in the European Union (EU), replacing the directive of 1995.
The GDPR also aims to harmonise the European legal landscape in terms of personal data protection, so that a single framework applies across all Member States.
While some areas are still open to specification in national law or other directives (e.g. ePrivacy), the GDPR still creates a broader framework for all processing of data.
What is the scope of the GDPR?
The GDPR applies to any organisation, public or private, regardless of its size, which processes the personal data of EU citizens or residents, or offers goods or services to such people, even if not in the EU.
What are the objectives of the GDPR?
The objectives of the GDPR are:
- Homogeneous protection of personal data across the EU Member States. The GDPR has coordinated the European legislation on the use of personal data.
- Increased accountability. By complying with the GDPR, companies not only meet their legal obligations, but also show their users, customers, prospects and suppliers that they are committed to protecting their personal data. This way, users know that their information is secure and handled correctly by companies, and this strengthens their relationship. Transparency is one of the key points of the GDPR.
- A simplified and lighter legal framework on the processing of personal data. Thanks to the GDPR, an individual can exercise several rights with regard to the processing of his/her personal data.
3 years later, where do we stand with respect to the GDPR?
Today, one of the major successes of the GDPR is the real awareness of what personal data represents and why protecting it matters. This is certainly due to the GDPR itself and to the awareness-raising and information work of all the data protection stakeholders.
But the commitments are not over.
There are companies still not seeing GDPR compliance as a priority. Sometimes, the fear of receiving fines leads some to copy and paste online policies, or to use free online templates.
In 2020, the European regulators imposed 306.3 million euros in fines, with Italy and France at the top of the list. 2021 continues this trend. Regulators now want to ensure that all organisations are GDPR compliant.
Another major success of the GDPR is the improved protection against cyber-attacks. Indeed, more and more companies are being vigilant about cyber risks. This is mainly because they care about their customers', users', prospects' and partners' data and about their relationship of trust, and because they are aware of the negative impact that a data leak could have on their brand image.
Companies therefore seem to have become aware of the importance of the regulation. However, there is still some way to go before they reach a satisfactory overall level of protection for their customers, users, prospects and partners.
3 years on and more than ever, we say it: Privacy is good for YOUR business.
What does the GDPR change for internet users?
Internet users whose personal data is processed can now feel a greater sense of control over it.
They benefit from rights that allow them to keep control of the information held about them.
The right to be informed
Internet users must be informed of:
- The identity of the controller responsible for the processing of their personal data;
- Which data is collected;
- How and why it is collected;
- How long it is stored for;
- Who it might be shared with.
Internet users have the right to receive clear information about the use of their personal data and to exercise their rights.
The right to withdraw consent at any time
Consent must be an active, explicit and preferably written action by the user, and it must be freely given, specific and informed. Ticking a box on an online form is one example of such an action.
When the processing of their personal data is based on their consent, Internet users must be able to withdraw that consent at any time.
The right to object
After data collection, Internet users can, in certain circumstances, object to how their data is being handled and halt further processing.
For example, they have the right to object to the processing of their personal data when it is based on legitimate interest, and when it is carried out for direct marketing purposes.
The right of access to and rectification of their data
Internet users must be able to:
- access all the information about them;
- know the source of the information;
- access the information on which the data controller has based a decision;
- obtain a copy of their own data;
- ask for a rectification, or an update of their personal data.
The right to erasure of their personal data
Internet users may request the erasure of their personal data when it is no longer necessary for the purposes for which it was collected.
However, the request may be refused when the organisation is legally obliged to keep hold of the user's data to comply with legal obligations, or for evidentiary purposes.
The right to restrict the processing of their personal data
Internet users have the right to request a limitation on the processing of their personal data in certain specific cases.
The right to data portability
Internet users have the right to access their data, to re-use it, and to transfer it easily from one service to another in certain specific cases.
The right to data portability allows Internet users to:
- receive their data in a structured, digital format compatible with a variety of devices;
- transfer their data directly to another data controller where technically possible.
The right to lodge a complaint with the supervisory authority
If users are not satisfied with the way their personal data is processed, or if their rights are not respected, they have the right to lodge a complaint with the supervisory authority responsible for the protection of personal data in the user's country of residence or work.
If you run a web activity such as an e-commerce site or even an informational website, you must respect the rights of your users in order to guarantee their protection and to build a better relationship with them, based on trust.
Conclusion: Are you 100% GDPR compliant?
3 years after its entry into force, regulatory authorities are becoming ever more strict on the respect of the GDPR obligations.
For you, this is an opportunity to put in place a real policy for managing your data and to make it an asset: a real trust-builder with your customers.
If GDPR compliance seems complex, don’t worry, we have the solution for you: Admeet, your all-in-one website compliance tool.
Ensure full transparency on your users’ personal data processing.