General Data Protection Regulation (GDPR) – EU 2016/679

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law concerning data protection and privacy within the European Union (EU) and the European Economic Area (EEA). It also governs the transfer of personal data outside the EU and EEA. The primary objective of the GDPR is to give individuals greater control over their personal data, while simplifying the regulatory environment for international businesses by unifying data protection regulations across the EU.

The GDPR replaces the Data Protection Directive 95/46/EC and sets out provisions regarding the processing of personal data of individuals (data subjects) within the EEA. The regulation applies to any business, regardless of location, that processes the personal data of individuals within the EEA.

Key Principles of Data Processing:

  1. Data Protection by Design and by Default:
    Data controllers and processors must implement appropriate technical and organizational measures to ensure that data protection principles are integrated into business processes. This includes using techniques such as pseudonymization or anonymization when appropriate to safeguard personal data.

  2. Lawful Basis for Processing:
    Personal data may only be processed when one of the six lawful bases is met (consent, contract, legal obligation, vital interests, public task, or legitimate interests). If processing is based on consent, individuals have the right to withdraw their consent at any time.

  3. Transparency and Accountability:
    Data controllers must inform data subjects about data collection practices, specify the lawful basis and purpose of processing, and outline the data retention period. Data controllers must also disclose if personal data is shared with third parties or transferred outside the EEA.

  4. Rights of Data Subjects:
    Data subjects have the right to:

    • Access their personal data.
    • Request a portable copy of the data in a structured, commonly used, and machine-readable format.
    • Request the erasure of their data under certain conditions (right to be forgotten).

  5. Data Protection Officer (DPO):
    Public authorities, or businesses whose core activities involve regular or systematic processing of personal data, must appoint a Data Protection Officer (DPO) to oversee compliance with the GDPR.

  6. Data Breaches:
    In the event of a data breach that affects user privacy, businesses must notify the relevant national supervisory authority within 72 hours.

  7. Penalties for Non-Compliance:
    Failure to comply with the GDPR may result in fines up to €20 million or 4% of the annual global turnover, whichever is higher.

The GDPR came into effect on 25 May 2018, and it is directly applicable in all EU member states. While it provides a unified legal framework, individual member states have the flexibility to adapt certain aspects of the regulation.

Global Impact:
The GDPR has influenced data protection laws worldwide, including in countries such as Chile, Japan, Brazil, South Korea, Argentina, and Kenya. It also serves as a model for the California Consumer Privacy Act (CCPA), which was adopted in 2018.

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.

Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate). Data controllers must design information systems with privacy in mind, for instance by using the highest possible privacy settings by default, so that datasets are not publicly available by default and cannot be used to identify a subject. No personal data may be processed unless this processing is done under one of the six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent, the data subject has the right to revoke it at any time.

Data controllers must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and whether it is being shared with any third parties or outside of the EEA. Firms have the obligation to protect the data of employees and consumers, collecting only the data that is necessary and with minimal intrusion into the privacy of employees, consumers, or third parties. Firms should have internal controls and regulations for various departments such as audit, internal controls, and operations. Data subjects have the right to request a portable copy of the data collected by a controller in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.

The GDPR was adopted on 14 April 2016, and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, but does provide flexibility for certain aspects of the regulation to be adjusted by individual member states.

The regulation became a model for many national laws outside the EU, including those of Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.[2]
