General Data Protection Regulation (GDPR) 2016 Explained

Quiyue Zhao, Ph.D.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a comprehensive data protection law that was adopted by the European Union (EU) in April 2016 and has applied since 25 May 2018 – Art. 99 (2).

It is designed to protect the personal data and privacy of individuals within the EU and the European Economic Area (EEA).

The GDPR applies to organisations established in the EU that process personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the organisation is located – Art. 3.

It sets out strict requirements for obtaining consent, handling data breaches, and providing individuals with access to their personal data.

The regulation also establishes the rights of data subjects, including the right to erasure (the “right to be forgotten”) – Art. 17, the right of access to personal data – Art. 15, and the right to data portability – Art. 20. Non-compliance with the GDPR can result in significant administrative fines – Art. 83.

The regulation aims to unify data protection laws across the EU and give individuals greater control over their personal data.

Who Does The GDPR Apply To?

The GDPR applies to a wide range of entities involved in the processing of personal data. It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU or not – Art. 3 (1).

Additionally, it applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the EU, where the processing activities are related to offering goods or services to such data subjects in the Union (whether or not payment is required) or to monitoring their behaviour within the Union – Art. 3 (2).

The GDPR itself does not govern processing by Union institutions, bodies, offices and agencies; their processing is subject to a separate instrument, originally Regulation (EC) No 45/2001 and now Regulation (EU) 2018/1725 – Art. 2 (3). The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of such data – Art. 1 (1).

Therefore, the GDPR applies to a wide range of organisations and entities involved in the processing of personal data within the EU and the European Economic Area (EEA).

What Are Personal Data Under The GDPR?

Personal data, as defined by the GDPR, refers to any information relating to an identified or identifiable natural person.

An identifiable natural person is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person – Art. 4 (1).

The GDPR’s definition of personal data is broad and encompasses a wide range of information that can be used to identify an individual.

This includes not only traditional identifiers such as names and identification numbers but also online identifiers such as IP addresses, cookie identifiers and device identifiers, location data, and other specific factors related to an individual’s identity – Art. 4 (1), Recital 30. Pseudonymised data, which could be attributed to a person by the use of additional information, remains personal data; only data that has been anonymised so that the person is no longer identifiable falls outside the regulation – Recital 26.

The regulation aims to protect the privacy and rights of individuals in relation to the processing of their personal data.

How Does The GDPR Define Data Processing?

The GDPR defines data processing as any operation or set of operations performed on personal data, whether or not by automated means.

This includes a wide range of activities such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data – Art. 4 (2).

The GDPR’s definition of data processing is comprehensive and covers both automated and non-automated operations on personal data, emphasising the need for appropriate safeguards and compliance with data protection rules.

What Are The Record-Keeping Requirements Under GDPR?

The GDPR imposes comprehensive record-keeping requirements on both data controllers and processors.

Controllers are obligated to maintain records of processing activities under their responsibility, containing detailed information such as the name and contact details of the controller (and, where applicable, the joint controller, the controller’s representative and the data protection officer), the purposes of the processing, and a description of the categories of data subjects and personal data – Art. 30 (1) (a)–(c).

The records should also state the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations, and, where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, for transfers under Art. 49 (1), documentation of suitable safeguards – Art. 30 (1) (d)–(e).

Additionally, the controller’s records should include, where possible, the envisaged time limits for erasure of the different categories of data and a general description of the technical and organisational security measures – Art. 30 (1) (f)–(g). Processors must keep their own records of the categories of processing carried out on behalf of each controller, including the name and contact details of the processor and of each controller on behalf of which the processor is acting – Art. 30 (2).

The records must be in writing, including in electronic form – Art. 30 (3), and must be made available to the supervisory authority on request so that it can monitor the processing operations – Art. 30 (4). Organisations with fewer than 250 employees are exempt, but only if the processing is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects, and does not include special categories of data or data relating to criminal convictions – Art. 30 (5); in practice most organisations that run regular customer or employee processing fall outside this exemption.

What Are The Roles Of Data Controllers And Data Processors Under GDPR?

Under the GDPR, the data controller is the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data – Art. 4 (7), while the data processor is the entity that processes personal data on behalf of the controller – Art. 4 (8).

The controller is responsible for implementing appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing complies with the regulation – Art. 24 (1), Art. 5 (2). This includes ensuring a valid lawful basis for each processing activity (of which consent is one – Art. 6), providing transparent information about processing activities – Art. 12–14, and facilitating the exercise of data subjects’ rights – Art. 12 (2).

On the other hand, the processor is required to act only on documented instructions from the controller, to implement appropriate security measures, to engage sub-processors only with the controller’s authorisation, and to assist the controller in meeting its GDPR obligations, including breach notification and data subject requests – Art. 28 (3), Art. 32. The relationship must be governed by a contract or other legal act that sets out these obligations – Art. 28 (3).

Both the controller and the processor have specific obligations related to the protection of personal data, and they are required to cooperate with the supervisory authority on request – Art. 31, and to support and not instruct the data protection officer in the performance of their tasks – Art. 38.

What Constitutes Valid Consent Under The GDPR?

Valid consent under the GDPR must be a freely given, specific, informed, and unambiguous indication of the data subject’s wishes – Art. 4 (11). The controller must also be able to demonstrate that the data subject has consented – Art. 7 (1).

Consent should be obtained through a clear affirmative act, such as a written or oral statement, or an electronic means, that indicates the data subject’s agreement to the processing of their personal data – Recital 32, Recital 42. It should not be inferred from silence, pre-ticked boxes, or inactivity.

The request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, and should cover all processing activities carried out for the same purpose or purposes.

Additionally, consent should be freely given, meaning the data subject has a genuine choice and can withdraw consent at any time without detriment – Art. 7 (3), Recital 42. Consent is presumed not to be freely given where the performance of a contract is made conditional on consent to processing that is not necessary for that contract, or where there is a clear imbalance between the data subject and the controller, such as with public authorities or employers – Art. 7 (4), Recital 43.

When information society services are offered directly to a child and the processing is based on consent, the consent of a child below the age of 16 is valid only if given or authorised by the holder of parental responsibility; Member States may lower this age, but not below 13 – Art. 8 (1). The controller must make reasonable efforts, taking available technology into account, to verify that such consent was given or authorised – Art. 8 (2).

What Are The Best Practices For Obtaining Consent Under GDPR?

The GDPR outlines best practices for obtaining consent to ensure that the processing of personal data is lawful and respects individuals’ rights.

Consent should be obtained through a clear affirmative act, such as a written or oral statement, or by electronic means, establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data – Art. 4 (11), Art. 7, Recital 32.

This could include actions like ticking a box on a website, choosing technical settings for online services, or another statement or conduct clearly indicating the data subject’s acceptance of the proposed processing.

Consent should cover all processing activities carried out for the same purpose or purposes, and when the processing has multiple purposes, consent should be given for all of them.

Additionally, where consent is given in a written declaration that also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language – Art. 7 (2); where consent is requested electronically, the request must be clear, concise, and not unnecessarily disruptive to the use of the service for which it is provided – Recital 32.

It must be as easy to withdraw consent as it is to give it, and the data subject must be informed of this right prior to giving consent; withdrawal does not affect the lawfulness of processing carried out before it – Art. 7 (3).


How Does GDPR Affect The Transfer Of Data Outside The EU (Third Countries)?

The GDPR significantly impacts the transfer of data outside the EU by imposing strict requirements and safeguards to ensure the protection of personal data.

Personal data may be transferred to a third country or an international organisation only if the controller and processor comply with the conditions laid down in Chapter V of the regulation, and this applies equally to onward transfers from that third country to another – Art. 44.

In practice, a transfer must rest on one of three bases. The first is an adequacy decision of the European Commission for the destination country – Art. 45. The second is appropriate safeguards, such as standard data protection clauses adopted by the Commission, binding corporate rules for transfers within a corporate group, or an approved code of conduct or certification, combined with enforceable data subject rights and effective legal remedies – Art. 46, Art. 47. Only in the absence of both does the regulation allow derogations for specific situations, such as the data subject’s explicit consent after being informed of the risks, a transfer necessary for the performance of a contract with the data subject, or a transfer necessary for the establishment, exercise or defence of legal claims – Art. 49 (1); these derogations are meant for occasional transfers and are not a substitute for a standing transfer mechanism.

The European Commission may decide that a third country, a territory or sector within it, or an international organisation ensures an adequate level of protection, in which case transfers do not require any specific authorisation – Art. 45 (1), Recital 103. Where no adequacy decision exists, transfers are not prohibited outright, but they may proceed only with appropriate safeguards under Art. 46 or under an Art. 49 derogation – Recital 107, Recital 108.

The regulation also requires the Commission and supervisory authorities to develop mechanisms for international cooperation and mutual assistance to facilitate the enforcement of data protection legislation outside the EU – Art. 50.

What Is The Significance Of The GDPR For U.S. and Non-EU Businesses?

The GDPR’s extraterritorial scope means that it applies to non-EU businesses if they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU – Art. 3 (2).

As a result, non-EU companies, including those in the USA, must comply with the GDPR’s requirements when processing the personal data of individuals who are in the EU; the test is the data subject’s location at the time of the processing, not their citizenship or residence.

This includes establishing a valid lawful basis (such as consent) for data processing – Art. 6, implementing appropriate security measures – Art. 32, designating in writing a representative in the EU unless the processing is occasional, low-risk and does not involve special categories of data on a large scale – Art. 27, and adhering to the principles of data protection by design and by default – Art. 25.

Failure to comply with the GDPR can result in significant fines and penalties – Art. 83, making it essential for non-EU businesses, including those in the USA, to understand and adhere to the regulation’s requirements when processing the personal data of individuals in the EU.

What Are The Penalties For Non-Compliance With The GDPR?

Non-compliance with the GDPR can result in various penalties, including administrative fines, criminal penalties, and other measures.

Administrative fines for infringements of the GDPR are set in two tiers. Infringements of the core obligations of controllers and processors, such as security, records, data protection by design and breach notification, carry fines of up to €10 million or, for an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher – Art. 83 (4). Infringements of the basic principles of processing, the conditions for consent, data subjects’ rights, or the rules on international transfers carry fines of up to €20 million or up to 4% of total worldwide annual turnover, whichever is higher – Art. 83 (5).

The fines are intended to be effective, proportionate, and dissuasive, taking into account factors such as the nature, gravity, and duration of the infringement, the intentional or negligent character of the violation, the measures taken to mitigate the damage, and the degree of cooperation with the supervisory authority – Art. 83 (1)–(2).

In cases of minor infringements, or where the fine would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine – Recital 148.

Member States are also required to lay down rules on other penalties, which may include criminal penalties, for infringements not already subject to administrative fines, ensuring that those penalties are effective, proportionate, and dissuasive – Art. 84, Recital 149.

Additionally, supervisory authorities have corrective powers to issue warnings and reprimands, to order the controller or processor to bring processing operations into compliance with the GDPR, to order the suspension of data flows to a recipient in a third country, and to impose temporary or definitive limitations, including bans, on processing – Art. 58 (2).

How Does GDPR Address Data Breaches?

The GDPR addresses data breaches by imposing specific requirements on data controllers and processors to promptly and effectively respond to such incidents.

When a personal data breach occurs, the controller is obligated to notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; where notification is made after 72 hours it must be accompanied by the reasons for the delay – Art. 33 (1).

The notification to the supervisory authority must at least describe the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records concerned, give the name and contact details of the data protection officer or another contact point, describe the likely consequences of the breach, and describe the measures taken or proposed to address the breach and mitigate its effects – Art. 33 (3). Where all of this information cannot be provided at once, it may be provided in phases without undue further delay – Art. 33 (4).

Additionally, the processor must notify the controller without undue delay after becoming aware of a personal data breach – Art. 33 (2); the controller’s 72-hour clock starts when the controller becomes aware, so the processor contract should set a short internal deadline.

Furthermore, the GDPR requires the controller to communicate a personal data breach to the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, describing in clear and plain language the nature of the breach and giving the contact point, the likely consequences, and the measures taken or recommended to mitigate potential adverse effects – Art. 34 (1)–(2). This communication is not required where the affected data were rendered unintelligible to unauthorised persons, for example by encryption, where subsequent measures have removed the high risk, or where individual communication would involve disproportionate effort and a public communication is made instead – Art. 34 (3).

The controller must also document every personal data breach, including the facts relating to the breach, its effects, and the remedial action taken, whether or not it was notified, so that the supervisory authority can verify compliance – Art. 33 (5).

These provisions aim to ensure that individuals and supervisory authorities are promptly informed about data breaches, allowing for the necessary precautions to be taken and enabling appropriate actions to mitigate the impact of the breach on individuals’ rights and freedoms.

What Are Special Categories Of Personal Data Under GDPR?

Special categories of personal data, as defined by the GDPR, refer to sensitive information that merits specific protection because its processing could create significant risks to fundamental rights and freedoms – Art. 9 (1), Recital 51.

These categories are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person’s sex life or sexual orientation – Art. 9 (1), Recital 51.

The processing of these special categories of personal data is subject to stringent requirements and safeguards to ensure the protection of individuals’ rights and freedoms.

The GDPR prohibits the processing of such data unless one of the specific conditions in Art. 9 (2) applies, such as the data subject’s explicit consent, processing necessary under employment or social security law, processing for reasons of substantial public interest, health care or public health purposes, or processing necessary for the establishment, exercise or defence of legal claims – Art. 9 (2). A condition under Art. 9 (2) is needed in addition to, not instead of, a lawful basis under Art. 6.


How Does GDPR Address Children’s Data?

The GDPR addresses children’s data by recognising that children merit specific protection with regard to their personal data due to their potential vulnerability.

The GDPR stipulates that the processing of children’s personal data should be lawful, fair, and transparent, and that specific protection should apply to the use of children’s personal data for marketing or creating personality or user profiles – Recital 38, Recital 39.

Where consent is the lawful basis for offering information society services directly to a child, the consent of the holder of parental responsibility is required below the age of 16, or a lower age of at least 13 set by Member State law – Art. 8 (1). Parental consent is not necessary, however, in the context of preventive or counselling services offered directly to a child – Recital 38.

Additionally, the GDPR requires that information addressed to a child be provided in such clear and plain language that the child can easily understand it, covering the processing of their personal data, including the risks, rules, safeguards, and rights related to such processing – Art. 12 (1), Recital 58.

These provisions aim to ensure that children’s personal data is processed in a manner that respects their rights and safeguards their privacy and well-being.

What Steps Should Organisations Take To Become GDPR Compliant?

Firstly, organisations should conduct a thorough assessment of their data processing activities to identify the personal data they collect, store, and process, as well as the legal basis for such processing.

This includes conducting a data protection impact assessment (DPIA) before starting processing operations that are likely to result in a high risk to the rights and freedoms of data subjects, in particular systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas on a large scale – Art. 35 (1), (3), Recital 90, Recital 91.

Next, organisations should review and update their data processing practices, ensuring that they have appropriate technical and organisational measures in place to protect personal data, such as pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of the effectiveness of those measures – Art. 32 (1).

They should also establish procedures for obtaining valid consent for data processing activities, ensuring that consent is freely given, specific, informed, and unambiguous.

Furthermore, organisations should designate a data protection officer (DPO) where required, that is, where they are a public authority, where their core activities involve regular and systematic monitoring of data subjects on a large scale, or where their core activities involve large-scale processing of special categories of data – Art. 37 (1), and establish mechanisms for data subjects to exercise their rights, such as the rights of access, rectification, erasure, restriction, portability and objection – Art. 15–21.

Additionally, they should implement procedures to detect, document and notify personal data breaches to the supervisory authority and, where required, to data subjects – Art. 33, Art. 34, Recital 86.

Finally, organisations should document their compliance efforts, maintain records of processing activities – Art. 30, and develop internal policies and procedures that allow them to demonstrate ongoing compliance with the GDPR – Art. 5 (2), Art. 24 (1)–(2).

These steps are essential for organisations to demonstrate their commitment to protecting personal data and complying with the GDPR’s requirements.

How Does GDPR Affect Data Retention Policies?

The GDPR significantly impacts data retention policies by imposing requirements for the lawful and responsible retention of personal data.

Under the GDPR, personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (the principle of storage limitation) – Art. 5 (1) (e).

Controllers are expected to establish time limits for the erasure or periodic review of different categories of personal data, taking into account the purposes for which the data are processed and the legal basis for processing – Recital 39; the envisaged time limits for erasure also form part of the records of processing activities – Art. 30 (1) (f).

Additionally, the GDPR emphasises the principle of data minimisation, requiring that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed – Art. 5 (1) (c).

Furthermore, the regulation stipulates that personal data should be erased when it is no longer necessary for the purposes for which it was collected – Art. 5 (1) (e), Art. 17 (1) (a), subject to certain exceptions such as compliance with a legal obligation, archiving in the public interest, scientific or historical research purposes, or statistical purposes – Art. 17 (3). Anonymising the data so that the individual is no longer identifiable takes it outside the regulation altogether – Recital 26; pseudonymising it does not.

How Does GDPR Address The Use Of Cookies And Online Tracking?

The GDPR treats cookie identifiers and similar online identifiers as personal data where they can be linked to an individual – Recital 30. The specific requirement to obtain consent before storing or accessing information on a user’s device comes from the ePrivacy Directive (Directive 2002/58/EC, Art. 5 (3)), which relies on the GDPR’s definition of consent – Art. 94 (2), so the GDPR’s consent standard governs how that consent must be obtained – Art. 4 (11), Art. 7, Recital 32.

Under that standard, consent for the use of cookies and similar technologies must be obtained through a clear affirmative act, establishing a freely given, specific, informed, and unambiguous indication of the individual’s agreement to the processing of their personal data – Art. 4 (11), Recital 32.

This means that pre-ticked boxes, inactivity, silence, or continued scrolling or browsing do not constitute valid consent – Recital 32, and individuals must have the ability to withdraw their consent at any time, as easily as they gave it – Art. 7 (3). Non-essential cookies and tracking scripts must therefore not be set or loaded until the affirmative act has taken place.

Additionally, the request for consent must be presented in a clear, concise, and easily accessible manner, using clear and plain language, and must not be unnecessarily disruptive to the use of the website.

Furthermore, the GDPR requires that individuals be provided with clear and comprehensive information about the identity of the controller and the purposes of the processing for which the cookies and tracking technologies are used, since consent is not informed without it – Art. 13, Recital 42.

This information should be easily accessible and easy to understand, and individuals should have the right to refuse or withdraw consent without detriment.

These requirements aim to ensure that individuals have control over their personal data and are informed about and able to make choices regarding the use of cookies and online tracking technologies on websites.

How Does GDPR Impact Marketing Activities?

The GDPR has a significant impact on marketing activities, particularly in relation to the processing of personal data for marketing purposes.

Under the GDPR, the processing of personal data for marketing purposes, including profiling and the tracking of individuals’ behaviour to target advertising, is subject to the same principles and requirements as any other processing, and the regulation explicitly recognises direct marketing as a purpose that engages individuals’ rights – Recital 47, Recital 70.

One of the key impacts of the GDPR on marketing activities is the requirement for a valid lawful basis for each processing operation, which for marketing is usually either consent or the controller’s legitimate interests – Art. 6 (1) (a), (f).

Where consent is relied on, it must be freely given, specific, informed, and unambiguous, and individuals must have the ability to withdraw consent at any time – Art. 4 (11), Art. 7 (3), Recital 32.

The GDPR itself does not always require consent for marketing: the processing of personal data for direct marketing purposes may be carried out on the basis of legitimate interests – Recital 47, provided the controller’s interests are not overridden by the data subject’s. Explicit consent is required only where special categories of data are involved – Art. 9 (2) (a). Separately, unsolicited electronic marketing such as e-mail and SMS is governed by the ePrivacy Directive (Directive 2002/58/EC, Art. 13), which generally requires prior consent, so in practice consent remains the basis for most electronic direct marketing.

Additionally, the GDPR imposes obligations on organisations to provide transparent information to individuals about the processing of their personal data for marketing, including the purposes of the processing, the categories of data being processed, and the recipients of the data.

Individuals also have the right to object at any time to the processing of their personal data for direct marketing purposes, including profiling related to such marketing; unlike the general right to object, this right is absolute, and once exercised the data must no longer be processed for those purposes – Art. 21 (2)–(3). This right must be explicitly brought to the data subject’s attention at the latest at the time of the first communication – Art. 21 (4).

Furthermore, the GDPR requires organisations to implement appropriate technical and organisational measures to ensure the security and confidentiality of personal data used for marketing activities – Art. 32 (1).

This includes measures such as pseudonymisation and encryption to protect individuals’ data from unauthorised access or disclosure – Art. 32 (1) (a); pseudonymisation means processing the data so that it can no longer be attributed to a specific person without additional information that is kept separately and protected – Art. 4 (5).

How Does GDPR Affect Employee Data Processing?

The GDPR significantly impacts the processing of employee data by imposing specific requirements and safeguards to protect the rights and freedoms of employees.

EU Member State law or collective agreements may provide more specific rules for the processing of employees’ personal data in the employment context, including the conditions under which processing may be based on employee consent, and processing for the purposes of recruitment, performance of the employment contract, management and planning of work, equality and diversity, health and safety, and termination of the employment relationship – Art. 88 (1), Recital 155. Because of the imbalance of power between employer and employee, consent will rarely be freely given in this context – Recital 43.

Additionally, the processing of employee data for archiving purposes in the public interest, or for scientific, historical research or statistical purposes, must be subject to appropriate safeguards for the rights and freedoms of the data subjects, including technical and organisational measures to ensure data minimisation and pseudonymisation where feasible – Art. 89 (1).

Furthermore, the GDPR allows processing of employee data, including special categories such as health data, where necessary for carrying out obligations and exercising specific rights under employment and social security law, subject to appropriate safeguards – Art. 9 (2) (b), and, more generally, where necessary for the performance of the employment contract, for compliance with a legal obligation, or for the employer’s legitimate interests – Art. 6 (1) (b), (c), (f).


How Does GDPR Impact Data Sharing And Collaboration Between Organisations?

The GDPR significantly impacts data sharing and collaboration between organisations by imposing requirements for lawful and transparent data processing, as well as by emphasising the protection of individuals’ rights and freedoms.

When organisations engage in data sharing and collaboration, they must ensure that the processing of personal data is carried out in compliance with the GDPR’s principles and requirements.

This includes having a lawful basis for the disclosure – Art. 6, providing clear and comprehensive information about the purposes and the recipients or categories of recipients of the data – Art. 13 (1) (e), Art. 14 (1) (e), and implementing appropriate technical and organisational security measures to protect the data in transit and at rest – Art. 32. Where two organisations jointly determine the purposes and means of the processing, they are joint controllers and must set out their respective responsibilities in an arrangement whose essence is made available to data subjects – Art. 26; where one organisation processes on the other’s behalf, a written contract meeting the requirements of Art. 28 (3) is mandatory.

Additionally, organisations must maintain records of processing activities, including details about the purposes of the processing, the categories of data subjects, the recipients of the data, and the security measures implemented – Art. 30.

Furthermore, organisations must cooperate with supervisory authorities – Art. 31 and, where the sharing is likely to result in a high risk to data subjects, for example because datasets are matched or combined, conduct a data protection impact assessment to assess and mitigate the risks – Art. 35, Recital 91.

These requirements aim to ensure that data sharing and collaboration between organisations are conducted in a manner that respects individuals’ rights to privacy and data protection.

How Does GDPR Address The Processing Of Data For Institutional Research Purposes?

The GDPR addresses the processing of data for institutional research purposes by imposing specific requirements and safeguards to ensure the lawful and ethical use of personal data in research activities.

The GDPR recognises the importance of scientific research and historical research for the public interest and aims to facilitate such activities while protecting individuals’ rights to privacy and data protection.

The regulation applies to the processing of personal data for scientific research purposes, including technological development, fundamental research, applied research, privately funded research, and studies conducted in the public interest, particularly in the area of public health – Recital 159.

To meet the specificities of processing personal data for research purposes, the GDPR requires appropriate safeguards such as pseudonymisation, and allows Union or Member State law to provide derogations from certain data subject rights where those rights would seriously impair the research, subject to those safeguards – Art. 89 (1)–(2), Recital 159.

Additionally, the regulation emphasises the need for appropriate measures, safeguards, and mechanisms to mitigate risks, ensure the protection of personal data, and demonstrate compliance with the GDPR – Recital 90, Recital 91.

Furthermore, the GDPR treats further processing for archiving purposes in the public interest, scientific or historical research purposes (historical research being understood to include genealogical research), or statistical purposes as compatible with the original purposes, provided the safeguards of Art. 89 (1) are in place – Art. 5 (1) (b), Recital 160.

What Is The Impact Of Brexit On GDPR Compliance For UK Businesses?

Following Brexit, the UK’s data protection framework consists of the UK GDPR, which is the EU GDPR as retained in UK law at the end of the transition period and amended to work as domestic legislation, together with the Data Protection Act (DPA) 2018, which supplements it with UK-specific provisions. The framework largely mirrors the EU GDPR, but it is enforced by the Information Commissioner’s Office rather than EU supervisory authorities.

UK businesses are no longer established in the EU for the purposes of the EU GDPR, so when they offer goods or services to, or monitor the behaviour of, individuals in the EU they fall within the EU GDPR’s extraterritorial scope in the same way as any other non-EU business – Art. 3 (2), and may have to designate a representative in the EU – Art. 27.

This means that such UK businesses must comply with both the UK GDPR, for their processing generally, and the EU GDPR, for the personal data of individuals in the EU, including establishing a lawful basis and obtaining valid consent where relied on, implementing appropriate security measures, and facilitating data subject rights.

Additionally, transfers of personal data from the EU to the UK are transfers to a third country under Chapter V of the EU GDPR. In June 2021 the European Commission adopted adequacy decisions for the UK, so while those decisions remain in force such transfers do not require standard contractual clauses or other Art. 46 safeguards; if they were to lapse or be annulled, EU exporters would need to put those safeguards in place. Transfers from the UK to countries outside the UK are governed by the UK GDPR’s own transfer rules, under which the UK recognises the EU and EEA as adequate and otherwise relies on the ICO’s International Data Transfer Agreement or its addendum to the EU standard contractual clauses.

The UK’s departure from the EU has therefore created two parallel regimes, and UK companies must navigate the complexities of complying with both the UK GDPR and DPA 2018 and the EU GDPR, particularly when conducting cross-border data transfers, handling breaches that affect individuals in both jurisdictions, and processing the personal data of individuals in the EU.


Quiyue Zhao, Ph.D.

Quiyue possesses an undergraduate degree in Law with International Relations, an LLM in International Law and Doctorate in Human Rights and Legal Technology. Her PhD thesis was based on the impact of crypto-assets regulation on financial inclusion for women in emerging markets. Quiyue is a senior research fellow in London and has an interest in Constitutional Law, Economic Crime, European Union Law and Family and Child Law.
