What is GDPR?
The General Data Protection Regulation, also known as GDPR, is the legislation that includes the rights of citizens in terms of data protection within the European Union, which has been in force since May 2016 and mandatory since May 2018. (Burgess, 2020)
The information that this regulation seeks to protect the privacy of the following information (Davis, 2022):
· Basic identifiable information: name, address, and identification numbers
· Web data: location, IP address, cookie data and RFID tags
· Health and genetic data
· Biometric information
· Racial or ethnic data
· Political opinions
· Sexual orientation
The GDPR applies to the processing of personal data of individuals located in the European Union (EU), regardless of the organization's location and size. This means that even organizations that are not located in the EU must comply with the GDPR if they process the personal data of EU citizens, and it applies to any organization that processes personal data of EU individuals, this is known as “extraterritorial scope”. (OneTrust, 2021)(ShareThis, 2021)(Intersoft Consulting, n.d.):
The territorial scope is governed by Article 3 of the regulation. Article 3(1) states that the GDPR applies to the processing of personal data by a controller or processor "established" in the EU. Article 3(2) states that the GDPR also applies to the processing of personal data of individuals located in the EU by a controller or processor not established in the EU, where the processing activities are related to:
Here are some examples of organizations that are likely to be subject to the GDPR:
· An organization that is established in the EU and processes personal data of individuals located in the EU.
· An organization that is not established in the EU but offers goods or services to, or monitors individuals located in the EU.
· An organization that is not established in the EU but has a website or app that is accessed by individuals located in the EU.
There are a few exceptions to the GDPR's application to small and medium-sized enterprises (SMEs). For example, SMEs are not required to have a data protection officer (DPO) if they do not process the personal data of a large number of individuals. However, SMEs are still required to comply with the GDPR's other requirements, such as the requirements for obtaining consent from individuals and for providing individuals with access to their personal data.
The main objective of the Data Protection Act and the implemented Regulation is to improve the level of data protection of natural persons. To do this, the approach is (Grupo Atico 34, 2023):
· Better inform what happens to personal data once it is shared.
· Facilitate the understanding of privacy policies through clear and simple language.
· Improve access to the rights included in the regulations, especially in the case of minors.
· Safeguard the treatment conducted for archiving purposes for research or statistical interest.
This regulation is based on eight main rights of users that help protect privacy and personal data. Companies must guarantee these, otherwise, they could face severe penalties (Davis, 2022):
1. Right of access.
2. Right to information.
3. Right to portability.
4. Right to erasure (to be forgotten).
5. Right to rectification.
6. Right to withdraw consent.
7. Right to object.
8. Right to object to automatic processing.
Essentially, any company that wishes to process personal data and that is part of the jurisdiction of the regulation must take into account the following points in addition to ensuring that personal data is used in a lawful, fair and transparent manner and based on a specific purpose that has been previously defined (Grupo Atico 34, 2023).
· Consent, this must be granted clearly and not implicitly, for a specific purpose.
· Duty of information, this so that the user takes into account what is going to be done and who will be behind their personal data.
· Data Protection Officer
· Activity log, including what type of data is processed, how and where it is used, where it is stored and whether there is transfer to third parties.
· Risk analysis, as the name implies, in addition to analyzing existing risks, you need a plan on how to prevent them from occurring.
· Notification of security breaches, which must be within a maximum of 72 hours.
· Impact assessment, like risk analysis, basically indicates what risks were detected and the action plan to remedy them.
· Privacy by design, that is, takes into account, before collecting personal data, the purpose of this and the measures that will be taken to protect them.
To understand a little more about this regulation, it is necessary to know who participates in it and what role they play. The following roles that are presented are those key responsibilities of the regulation (OneTrust, 2021):
· Controller - is the natural person or legal entity that determines the purposes and means of the processing of personal data (user).
· Processor - A natural person or legal entity that processes personal data on behalf of the controller (third party).
· Data Protection Officer (DPO) – this is a function required by the RPGD, this is responsible for compliance with the GDPR.
· Control Authority – is an authority in a country of the European Union, this helps with advising companies on how to comply with the GDPR and conducts audits, as well as attends complaints and issues fines when necessary.
For those companies that do not adhere to the rights and obligations determined by the regulation, it also indicates the type of infringement and to which article of the regulation it belongs, and based on this the fine is stipulated.
For serious infringements: fine of up to ten million euros (or 2% of annual turnover, whichever is higher). (Grupo Atico 34, 2023)
For profoundly serious infringements: fine of up to twenty million euros (or 4% of annual turnover, whichever is higher). (Grupo Atico 34, 2023)
The GDPR can be commented on from different perspectives. From the perspective of the user or client, GDPR provides greater security and confidence by knowing what the objective is of using their data. This is because the GDPR requires organizations to be transparent about how they collect and use personal data, and to obtain consent from individuals before they can process their personal data. This gives individuals more control over their personal data and helps to protect them from identity theft by requiring organizations to take steps to protect personal data. These steps include using strong passwords, encrypting personal data, and limiting access to personal data to authorized personnel.
Now, although from the perspective of companies that have an obligation to adhere to this regulation, it can be somewhat tedious to designate resources for compliance with it, however, in turn, it adds a layer of security to the systems used by the company, since by covering the need to protect personal information, They ensure that only authorized personnel have access to confidential information, which would otherwise be exposed and with it, the systems to which they have access. In addition to being essential to avoid being severely punished.
With this said, it should be emphasized that this additional security requirement adds greater added value in terms of the quality of the services provided, since there is greater transparency in their operations involving individual identities.
Burgess, M. (March 2020). What is GDPR? The summary guide to GDPR compliance in the UK. Retrieved from WIRED: https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
Davis, M. (July 2022). GDPR compliance regulations: The 12 biggest need-to-knows. Obtained from OSANO: https://www.osano.com/articles/gdpr-compliance-regulations
Atico Grupo 34. (February 2023). Obligaciones LOPD y RGPD de las empresas. Obtained from Data Protection - LOPD: https://protecciondatos-lopd.com/empresas/obligaciones-lopd-rgpd/
Atico Grupo 34. (January 2023). RGPD (Reglamento general de protección de datos): Guía 2023. Obtained from Data Protection - LOPD: https://protecciondatos-lopd.com/empresas/rgpd-reglamento-general-proteccion-datos/#Objetivos_del_RGPD
Intersoft Consulting. (n.d.). General Data Protection Regulation. GDPR. Retrieved from https://gdpr-info.eu/: https://gdpr-info.eu/
OneTrust. (April 2021). Complete Guide to General Data Protection Regulation (GDPR) Compliance. Retrieved from OneTrust: https://www.onetrust.com/blog/gdpr-compliance/
ShareThis. (2021, May). The GDPR for Small Business: What SMBs Need to Know. Retrieved from ShareThis: https://sharethis.com/es/website-tips/privacy/2021/05/gdpr-for-small-businesses/