What is GDPR and what are the compliance basics of GDPR in the European Union?
Back in 2018, a large proportion of the world was subjected to a flood of emails about GDPR from companies that did business in Europe. While the average person on the street was perhaps annoyed by the sheer amount of correspondence they received on the matter, it had become a legal requirement for companies to be GDPR compliant, and those emails were the visible part of the effort: companies re-seeking consent, updating privacy notices and telling customers what data they held.
But what exactly does being GDPR compliant mean? And what is GDPR? It is imperative to know the answer to these questions if you are a company conducting business in Europe. Here, we give a GDPR definition and shed light on the GDPR law by providing examples of it in practice. Finally, we examine how companies become and stay compliant with GDPR requirements.
GDPR stands for General Data Protection Regulation. A company does not have to be based in Europe to be bound by it: the Regulation applies to any organisation established in the EU that processes personal data, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (for example through website tracking). Briefly defined, it is the regulatory framework that all companies and businesses which hold personal data about people in the EU have to abide by.
It was adopted by the European Union in 2016 and has applied since 25 May 2018. The reason for it was the large amount of information we all divulge to companies, either online or by some other means. As a result, the European Union wanted to set out strict, legally binding rules on that data. The aim was to make companies accountable for how they treat personal data, with the result that they would do so responsibly, fairly and legally. Finally, the rules were established to give individuals more control over their own personal information.
GDPR law by example
The GDPR framework rests on seven principles, set out in Article 5 of the Regulation, that companies have to adhere to in order to be compliant with GDPR requirements. Lawfulness, fairness and transparency form a single principle in the Regulation but are treated separately below. They are:
- Lawfulness;
Companies must gather data lawfully, keep it lawfully and use it lawfully. Every act of processing needs a legal basis recognised by the Regulation, such as the person's consent, a contract with them, a legal obligation, or the company's legitimate interests. In practice, this means that a European company like L’Oreal cannot collate data by taking it without any such basis. Plus, once they have data, they cannot use it illegally. So if L’Oreal has a customer’s credit card details, it cannot use those details for anything other than the payment the customer authorised.
- Fairness and transparency;
For companies to be GDPR compliant, they have to collate data honestly and in a transparent manner. L’Oreal, to continue our example, would need to be open about why they are collating a person’s data in the first place, typically through a privacy notice that says what is collected, why, and who it is shared with. To do so fairly, they must not offer any deceptive explanations or process the data in ways the person would not reasonably expect.
- Purpose limitation;
When data is collated, it must be used for the purpose for which it was collected, and that purpose must be stated up front. So if L’Oreal collated hair colour and hair type data to help them research their hair dye products, they must only use that data for the specified research. They cannot then use it for an unrelated purpose, such as sending targeted marketing materials to those customers about shampoos and conditioners for their hair type, unless they have told the customers about that use and have a legal basis for it.
- Data minimization;
This element of the GDPR limits the amount of data a company can or should hold on individuals: personal data must be adequate, relevant and limited to what is necessary for the stated purpose. With respect to our L’Oreal example, in practice this means they can only hold information that is needed for the purpose they have declared. So if they were to hold medical details or credit ratings alongside hair-product research data, that would be superfluous to their needs and a breach of the principle.
- Accuracy;
Perhaps one of the most important parts of the GDPR is the onus on a company to ensure the details they hold are accurate and, where necessary, kept up to date. This is imperative, as inaccurate records can lead to wrong decisions about a person, and the Regulation gives individuals the right to have inaccurate data about them corrected.
- Storage limitation;
This rule within the framework stops companies from holding data on individuals indefinitely: personal data must be kept no longer than necessary for the purpose it was collected for. Additionally, individuals need to be informed how long the information they are disclosing is going to be held for, or at least the criteria used to decide that period.
- Integrity and confidentiality;
The framework was established to help people have confidence in divulging information so that businesses could use that data to run more efficiently. Without that confidence, individuals are likely not to relay any information at all. So, the framework requires firms to hold personal data safely and securely, using appropriate technical and organisational measures against unauthorised access, loss, destruction or damage. In practice, firms like L’Oreal must ensure that wherever data is held, physically or electronically, it is not accessible to anyone other than those who need it for the stated purpose, and that it is protected by controls such as access restrictions, encryption and backups.
- Accountability.
Firms, whatever their size, must realise that they will be held accountable for any breaches of the GDPR. They need to have a robust procedure in place that actively questions whether the GDPR is being adhered to, and they must be able to demonstrate compliance, not merely assert it. Importantly, the Regulation also requires companies to own up to times when data is subject to misuse in any way. So, if L’Oreal was to find that their data centres had been hacked, they must report the breach to the relevant supervisory authority, normally within 72 hours of becoming aware of it, and inform the affected individuals where the breach is likely to put them at high risk. Additionally, they must investigate and document what went wrong for that breach to occur.
How do companies become and stay compliant with GDPR requirements?
Accountability, the last of the principles set out by the European Union in the GDPR framework, was perhaps the most important part of the legislation. It was what set these new regulations apart from the country-specific data protection laws that individual governments had previously enacted. Accountability meant that companies had to take ownership of their data collation and retention. Firms could not just hope that they would stay GDPR compliant. The framework required companies and businesses to do their homework to ensure they stayed on the right side of the law.
In effect, this means that most companies or firms will have a person responsible for GDPR compliance; for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, appointing a Data Protection Officer is mandatory. That person will know the framework inside out. Plus, they will most likely have set up a robust set of GDPR compliant procedures for the company to follow, including a record of what personal data is processed and why. Importantly, employees who handle data must be educated in the legal and proper way to process it.
GDPR rules - the bottom line
GDPR was an important framework for the EU to establish. It helps ensure the integrity of personal data and helps protect people against identity fraud. As a consequence, people have more confidence in the security of their data and so will continue to divulge their personal information. This in turn helps companies operate as effectively as possible.
Additionally, by consolidating data protection law in a single regulation, the EU also helped to streamline data protection processes for companies. Before, there were many differences between countries in how they had implemented the earlier data protection directive. Now, all companies that carry out business in Europe know where they stand.