What is GDPR and GDPR Regulations
Introduction to GDPR
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). GDPR was implemented on May 25, 2018, and is designed to give individuals greater control over their personal data and to unify the regulatory environment for international businesses by harmonizing data protection laws across the EU.
Key objectives of GDPR
- Enhance Data Protection Rights: GDPR aims to give EU citizens more control over their personal data by enhancing their privacy rights.
- Increase Accountability: Organizations must implement comprehensive data protection policies and procedures to ensure compliance with GDPR.
- Harmonize Data Protection Laws: GDPR provides a single set of rules applicable across the EU to simplify the regulatory environment for businesses.
Scope of GDPR
- Territorial Scope: GDPR applies to all organizations operating within the EU, as well as to organizations outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects.
- Material Scope: GDPR applies to the processing of personal data by automated means, as well as to the processing of personal data that forms part of a filing system.
Key Principles of GDPR
GDPR is based on several key principles that organizations must adhere to when processing personal data:
- Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization: Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Data must be accurate and, where necessary, kept up to date.
- Storage Limitation: Data must be kept in a form that permits identification of data subjects for no longer than is necessary.
- Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.
Data subject rights
GDPR grants the following rights to data subjects:
- Right to Access: Individuals have the right to access their personal data and obtain information about how it is being processed.
- Right to Rectification: Individuals have the right to request the correction of inaccurate or incomplete personal data.
- Right to Erasure (Right to be Forgotten): Individuals have the right to request the deletion of their personal data in certain circumstances.
- Right to Restrict Processing: Individuals have the right to request the restriction of processing of their personal data in certain circumstances.
- Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- Right to Object: Individuals have the right to object to the processing of their personal data on grounds relating to their particular situation.
- Rights Related to Automated Decision-Making and Profiling: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them.
Obligations for organizations
Organizations that process personal data must comply with several obligations under GDPR, including:
- Data Protection by Design and by Default: Organizations must implement appropriate technical and organizational measures to ensure data protection principles are incorporated into the processing activities.
- Data Protection Impact Assessments (DPIAs): Required for processing activities likely to result in high risk to individual rights and freedoms.
- Data Breach Notifications: Breaches must be reported to the relevant supervisory authority within 72 hours, and to affected individuals when the breach presents a high risk to them.
- Appointment of Data Protection Officers (DPOs): Required for public authorities or organizations involved in large-scale monitoring or processing of sensitive data.
- Record-Keeping: Organizations must maintain records of their processing activities and provide them upon request.
Penalties for non-compliance
Non-compliance with GDPR can result in significant fines and penalties. The maximum fine for serious infringements is up to 20 million euros or 4% of the organization's total global turnover of the preceding fiscal year, whichever is higher. Lesser infringements can result in fines of up to 10 million euros or 2% of total global turnover, whichever is higher.
Conclusion
GDPR represents a significant shift in data protection and privacy laws, providing individuals with greater control over their personal data and imposing stringent requirements on organizations that process such data. Compliance with GDPR requires organizations to adopt a comprehensive approach to data protection, involving robust policies, procedures, and technical measures to safeguard personal data and uphold the rights of data subjects.