
General Data Protection Regulation (GDPR): Data Protection & Privacy of Individuals in the European Union (EU)

Anupama Mukherjee • Oct 20, 2022

The European Union’s General Data Protection Regulation (GDPR) was a breakthrough in the data protection field and is now considered a gold standard across the globe. It is the result of efforts by many European countries and data protection authorities to harmonize their laws and regulations in order to address the challenges of data privacy in the digital age. It changed the way businesses collect, protect and use personal data, and it applies to all businesses that process the personal data of EU citizens.


In this blog post, we’ll be discussing the key points of GDPR and how it affects individuals and businesses.

What is the GDPR?

In a globalized world, where data can transcend physical and national boundaries, the need to protect personal data is crucial. Companies have long been known to process personal data for commercial purposes, without keeping the consumers’ privacy and rights in mind. To address this issue, the European Union (EU) enacted the GDPR, which established a framework for the protection of personal data of individuals in the EU. 

In May 2018, a new set of regulations called the General Data Protection Regulation (GDPR) went into effect in the European Union. The GDPR requires companies to take extra steps to protect consumers' data. If you're doing business in Europe or have customers there, it's important to understand what the GDPR is and how it affects you. At its core, the GDPR aims to give citizens more control over their personal data and how companies use it. It also makes it easier for people to find out what data companies hold on them, to file complaints against companies that mishandle their data, and to enforce their rights.

Background and the Data Protection Directive

In October 1995, the EU passed a new law called the Data Protection Directive. It was enacted in the early days of the internet, with the aim of providing basic protection of personal data in the new, online world. The Directive placed strict controls on how businesses could collect and use personal data, and required each EU Member State to establish an independent national body to oversee any activity related to the collection and free movement of personal data.


The GDPR was introduced in 2018 as a replacement for this Directive and was intended to strengthen data privacy and protection. It differs from the Data Protection Directive in that it is a regulation rather than a directive. While a directive leaves room for individual countries to interpret and implement the law, a regulation requires all Member States to comply with it, with no exceptions or loopholes. The GDPR makes no fundamental changes to the 1995 Data Protection Directive's core rules. Rather, it significantly expands the Directive's requirements by introducing a series of new obligations for organizations that reinforce those core rules. The biggest change introduced by the GDPR was the definition of personal data: the GDPR accounts for the latest changes in technology and the ways in which organizations collect personal information.

Fundamentals of GDPR

In this section, we’re breaking down some of the fundamental concepts of the data privacy regulation and explaining what you need to know. The following list is a short overview of these core concepts and the way in which they can be applied to your business. For a more detailed description of each section, refer to the official GDPR website.


Important Definitions to Understand the GDPR

The GDPR includes a ton of legal and technical jargon that makes it challenging to understand. Here’s a rundown of the most important definitions related to data collection that you need to know about the GDPR:


Data processing
- Data processing includes any operation performed on personal data, from collection, recording, organizing and storing to modifying, using, transferring, erasing and destroying it.


Data subject
- A data subject is an identifiable person whose personal data is being processed. This can include customers, clients, or people who visit your website. 


Data controller
- A data controller is the entity that determines how and why personal data is processed. In short, it is the party in charge of the data collected.


Data processor
- A data processor is a third party that processes data on behalf of, or for the benefit of, the data controller. This could be a marketing agency or a cloud service provider.


If you fall under the category of a data controller or processor, it is your responsibility to ensure that you adhere to the GDPR and can prove that you have done so.


What is Considered Personal Data Under GDPR?

Personal data is defined in the GDPR as any information that could be used to identify an individual, either by itself or in conjunction with other data. This includes but is not limited to:


  • Names
  • Email addresses
  • Location information
  • Ethnicity
  • Gender
  • Biometric data 
  • Religious beliefs
  • Web cookies
  • Political opinions
  • IP addresses
  • Mobile device identifiers


Data pertaining to a person's physical, psychological, genetic, mental, economic, cultural, or social identity is also considered personal data under the GDPR. 


Who Does GDPR Apply To?

The short answer is that the GDPR applies to any company that processes or intends to process the data of individuals in the European Union. Therefore, it includes companies based outside of the EU if they offer goods or services to, or monitor the behavior of, individuals in the EU. It also applies to companies processing EU citizens’ data on behalf of other businesses, no matter where those companies are located.


However, there are two significant exceptions to this rule: 


First, the GDPR is not applicable to any data collected for “purely personal or household activities”. This means that if you were to collect personal information to organize a birthday party, the GDPR does not apply to you. 


Second, the GDPR does not apply to organizations with fewer than 250 employees. While the GDPR does not completely exclude SMBs from its scope, they are exempt from most of its obligations.


7 Principles of GDPR

If you process data, you must do it in accordance with the following 7 accountability and protection principles:


  1. Lawfulness, fairness and transparency — Processing must be legitimate, fair, and open to the data subject.
  2. Purpose limitation — You are only allowed to use data for the lawful reasons that were made clear to the data subject when it was collected.
  3. Data minimization — You should only collect and process the minimum amount of data required to fulfill the outlined objectives.
  4. Accuracy — Personal data collected must be accurate and up to date.
  5. Storage limitation — You may only keep personally identifying information as long as it's required for the intended use.
  6. Integrity and confidentiality — Processing must be carried out in a manner that provides the necessary security, integrity, and confidentiality.
  7. Accountability — It is the data controller's duty to demonstrate compliance with all of these GDPR tenets.

8 User Rights of Individuals Under GDPR

The data subject has 8 core rights under GDPR:


  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

GDPR Non-Compliance Penalties

Fines for non-compliance recorded to date have run into millions of euros, with companies such as Amazon and WhatsApp having to pay fines of €746 million and €225 million respectively. Other big companies such as Google and H&M have also come under fire from EU regulators for not complying with the GDPR. The price for not complying with the GDPR rules is clearly steep.


Serious violations can result in fines of up to €20 million, or 4% of the firm’s global annual revenue from the previous financial year, whichever amount is higher. Less serious violations can lead to a penalty of up to €10 million, or 2% of the firm's global annual revenue from the previous financial year, whichever is greater.


Data protection regulators in the EU are responsible for administering fines under the GDPR. They decide whether a violation has occurred and, if so, how severe the penalty should be, based on the following criteria:


  • Gravity and nature — This includes the why and how of the violation, its impact and how long it took to resolve.
  • Intention — Was the violation intentional or a result of negligence?
  • Mitigation — Were actions taken to minimize the impact?
  • Precautionary measures — Was there enough technical and organizational preparation to stop the violation from happening?
  • History — Have there been any pertinent prior violations of the GDPR or the Data Protection Directive? Were the corrective actions taken in compliance with the GDPR?
  • Cooperation — Did the company cooperate with and support the supervisory authority in finding the infringement and fixing it?
  • Data category — What type of personal data did the infringement affect?
  • Notification — Did the company notify the supervisory authority of the infringement?
  • Certification — Did the company follow approved codes of conduct and certification procedures prior to the violation?
  • Aggravating/mitigating factors — Did the violation cause any additional problems?

GDPR Compliance in 2022

While privacy laws like the GDPR are complex and keep evolving, the core principles of the GDPR are simple. Here’s a checklist you can follow to prepare for GDPR compliance in 2022:


  • Know and understand all the personal data you’re collecting and processing, including the source of the data, your reason for collecting it, when it’s disposed of, how it is processed, and whether you obtained the required consent to do so.
  • As a data controller or processor, you must report data breaches to the supervisory authority within 72 hours of the breach.
  • Before any data is collected, each data collection point must clearly display a data collection acknowledgment.
  • When collecting cookies and similar data, organizations must shift from the “opt-out” mode to the “opt-in” mode, which means consumers must give their consent before this data is used.
  • To prevent non-compliance, designate a representative who is actually based in the EU, in addition to appointing a Data Protection Officer for your organization.
  • Make your data privacy policies clear and easily accessible.
  • Your business must also be aware of and keep an eye on vendors' privacy policies to ensure that they are also compliant.


Current State of GDPR Compliance in Organizations

Today, four years after the GDPR's implementation, businesses are still having trouble adhering to its standards and are paying astronomical fines as a result. In fact, in an audit of 300 European websites ranging from small and midsize businesses to enterprise giants, 81% of sites were found to be noncompliant with the GDPR. Moreover, another survey revealed that a third of European companies were not sure whether their data processing operations are GDPR compliant.


The introduction of the General Data Protection Regulation (GDPR) in 2018 marked a new era in data privacy law and created a level of expectation that would change the way companies and organizations collect, store, and use data. However, the reality of the digital world is that while companies today have exponentially more data at their disposal than they ever did, the complexity of the regulation continues to make it difficult for them to comply. 


It doesn’t look like companies can expect any relief soon, though. In 2022, new regulations and standards will come into effect and continue to put pressure on companies to change the way they approach data. At the same time, data privacy regulations like the GDPR are gaining traction around the world and will see continued growth in the coming years.

Achieve and Maintain GDPR Compliance with Threat Intelligence

Threat Intelligence offers a solution that goes beyond the typical compliance check-box. In order to help organizations meet their strategic and regulatory requirements, we review your key threats and risks, as well as your existing security architecture, to enable you to plan future security activities and budgets to maximize risk reduction and avoid any security breaches. Get in touch with our expert security team for more information.
