The General Data Protection Regulation, or GDPR, has fundamentally changed how companies are allowed to process and handle data. This blog post explains everything there is to know about GDPR rules and how they affect you.
What is GDPR (General Data Protection Regulation)?
The GDPR is also known as the Personal Data Regulation or the Data Protection Regulation. It is an EU law that applies in all countries that are members of the EU. In Denmark, the GDPR is supplemented by the Data Protection Act.
The GDPR describes how companies must collect, protect and store relevant personal information. The regulation also stipulates that companies must not keep the information for longer than necessary.
The law further describes what individuals should expect and can demand from a company, organisation or authority that collects and uses information about them.
History of GDPR
25 May 2018 is an important day in data security. It was the day that the mutually agreed General Data Protection Regulation (GDPR) began to be enforced.
The GDPR replaced previous data protection rules across Europe that were nearly two decades old - with some of them first drafted in the 1990s.
In Denmark, the GDPR replaced the previous Personal Data Act, which was the applicable law on personal data from 2000 to 2018.
According to the EU, the GDPR was designed to "harmonise" data protection law across all of its member states as well as provide greater protections and rights to individuals.
The GDPR was also created to change how businesses and other organisations can handle personal information from the stakeholders they interact with.
The GDPR can be considered the world's strongest set of data protection rules, improving how people can access information about them and setting limits on what organisations can do with personal data. The GDPR rulebook in place today contains 99 individual articles.
The GDPR legislation was finalised after more than four years of discussion and negotiations - it was adopted by both the European Parliament and the European Council in April 2016. The underlying Regulation and Directive were published at the end of April 2016.
Who does GDPR apply to?
The essence of the GDPR is personal data. Personal data is, broadly, any information from which a living person can be directly or indirectly identified.
This can be very personal and simple, such as a person's name, location data or a clear online username, or it can be something less "personal": IP addresses and cookies can also be considered personal data.
Under the GDPR, there are also a few special categories of sensitive personal data which are given greater protection. These categories include information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health information and information about a person's sex life or sexual orientation.
The key feature of personal data is that it allows a person to be identified from it - pseudonymised information may still fall within the definition of personal data.
Personal data is so important in the GDPR because individuals, organisations and businesses that are either 'controllers' or 'processors' of the personal data are covered by the law.
Although the GDPR is an EU law, the GDPR may also apply to companies located outside the EU. For example, if a company in the US does business in the EU, the GDPR rules may apply to that company.
Do the GDPR rules apply to all businesses?
Everyone who regularly processes personal data is covered by the legislation.
Your business is covered by the GDPR rules if:
- It has employees: their personal data must be processed regularly, for example to pay wages.
- Its customers are individuals: their personal data must be processed regularly, for example to provide a service or good or to take payment.
- Its customers are personally owned companies: the owners' personal data must be processed on a regular basis.
- It owns a website that tracks the behaviour of its visitors: that tracking is processing of personal data.
- It communicates with visitors to its website via a contact form or email: handling those messages is processing of personal data.
What are the GDPR's key principles?
At the heart of the GDPR are seven key principles, which are designed to set out how individuals' data can be handled. They do not act as hard and fast rules, but instead as an overarching framework designed to embrace the broad aims of the GDPR.
The principles are broadly the same as those that existed under previous data protection laws.
GDPR's seven principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Retention limitation
- Integrity and confidentiality (security)
- Accountability
In reality, only one of these principles - accountability - is new to data protection rules.
Getting to grips with the GDPR rules
The most important thing to get to grips with in GDPR is the correct collection, handling, storage, disclosure and documentation of personal data.
Personal data processing
Processing, or data handling, covers the actions carried out on personal data. The list of the kinds of actions that count as data processing is very long. The GDPR gives a number of examples of acts that are categorised as data processing:
Collection, recording, organisation, systematisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
As a rule of thumb, data processing almost always involves personal data.
Data processing agreement requirement
A company must conclude the necessary data processing agreements if it uses data processors.
This can be a difficult area for many businesses, as many are unsure what exactly it means to be a data processor and when the data processor is processing personal data on behalf of the data controller.
In general, if you are a data controller and instruct a data processor to process personal data on your behalf, you will need to draw up a data processor agreement.
Common data processors include:
- Bookkeepers and accounting systems, such as Dinero and e-conomic
- Payroll systems, such as Dataløn and Danløn
- Digital applications to generate and deliver newsletters, such as Mailchimp and Active Campaign
Consent requirements for businesses
It is a requirement under the GDPR that companies process personal data lawfully. This means that the company must have a valid reason to process the personal data.
A valid reason can be, and most often is, that the company has obtained consent to do so. Consent means that the company has been given permission by an individual to process his or her personal data.
However, there are a number of requirements for consent to be valid. The requirements include:
- The company must be able to prove that it has obtained the consent correctly, for example by getting it in writing
- The consent must be unambiguous and specific
- The consent must be given voluntarily
- The consent must be an active expression of will
- Consent must be informed
Obligation to notify data breaches
The GDPR has introduced an obligation for companies to report data breaches themselves, for example a ransomware attack in which personal data is compromised. The notification must be made within 72 hours.
"Data breaches" can be many things, but they can also be very simple situations, such as an email with personal data being sent to the wrong recipient. It is therefore important that companies know what counts as a data breach.
Technical measures must protect data
Companies must put in place appropriate IT systems to handle personal data. GDPR rules require IT systems and applications used to process personal data to have default settings that ensure the highest possible level of protection for personal data.
Why do companies need to comply with the GDPR?
Legislation. The GDPR is an official EU law and businesses must therefore comply with it.
Image. By being GDPR compliant, your company will appear professional to your customers and partners.
Data protection. GDPR is first and foremost about safeguarding people's personal data. It is your responsibility as a company to ensure that the personal data of your customers and employees is protected in practice.
Documentation. As a business, you need to be able to document that you are complying with GDPR legislation. This means that the company must be able to prove to the Data Protection Authority that it complies with the rules and requirements. The company must be able to show that it has entered into the necessary data processing agreements, has control over the consents it has obtained, meets its information obligations, etc.
Internal overview. In addition to ensuring data protection, the GDPR also provides an opportunity to gain an overview of the company's processes, data types and IT systems.
Communication with customers. Everyone in your company needs to know the GDPR rules so you can communicate effectively and correctly with your customers. And as a business owner, you need to know the rules so that communication with all employees is done correctly.
Comply with customers' rights. Customers of a company are "registered" with the company and therefore have rights under the GDPR which the company must accommodate.
These include the right to be informed about how their data is processed by the company and the "right to be forgotten", i.e. that personal data must be erased or made anonymous.
What are an individual's GDPR rights?
While the GDPR undoubtedly affects businesses, data controllers and data processors, the legislation is designed to help protect the rights of individuals. There are eight rights set out by the GDPR which apply to everyone. These range from giving individuals easier access to the data companies hold about them, to the deletion of data when it is no longer needed.
The full GDPR rights for individuals are:
- The right to be informed about information in clear, understandable language
- The right to know who has access to the data
- The right to know how long the data will be kept
- The right to erasure of data
- The right to have inaccurate data amended
- The right to withdraw consent
- The right to object to direct marketing
- The right to be provided with all relevant information
Fines for breaching GDPR rules
One of the biggest and most talked about elements of the GDPR has been the ability for regulators to issue fines to companies that do not comply with the GDPR rules.
If an organisation does not process an individual's data in the right way, it can be fined. If a company is required to have a data protection officer but does not have one, it can be fined. If a security breach occurs and is not reported, the company can be fined.
Before the GDPR was implemented, there was much speculation that data protection authorities would impose huge fines on companies that broke the law, but this almost never happened. Data protection investigations can be lengthy and complex - and if a decision is wrong, it can be challenged through the courts.
However, since the implementation of the GDPR, enforcement of the GDPR rules has changed, and companies now can be, and are, hit with large fines.
One of the largest fines under GDPR to date has been against Google: the French data protection authority, the National Data Protection Commission (CNIL), fined the company €50 million in 2020.
According to CNIL, the fine was issued for two main reasons: Google did not provide sufficient information to users about how the company uses their data, which it receives from 20 different services, and Google also did not obtain proper consent to process user data.
CNIL also fined La Liga's app for spying on people who downloaded it and Bulgaria's DSK Bank for accidentally revealing customer data.
GDPR breaches in Denmark
Although the GDPR has become known for its high fines for companies handed out by administrative authorities, it doesn't quite work like that in Denmark.
The administrative authority in Denmark is Datatilsynet, which does not have the right to issue high fines. This is because the thinking in Denmark is that high fines should be left to the courts. Instead, the Data Protection Authority reports serious infringements to the police so that the data controller of the company concerned is brought to justice.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.