GDPR: What does this dreaded acronym really mean?
The General Data Protection Regulation (GDPR) is the world’s most stringent data protection and security law. Its primary objective is to strengthen the control and rights of individuals over their personal data and to simplify the regulatory environment for international business. Data protection is not a new trend, the latest moves by the GDPR replaced almost two decades of data protection rules across Europe.
Although developed and adopted by the European Union (EU), it imposes obligations on all organizations around the world that collect data on people living in the EU. The regulation came into force on 25 May 2018 and imposes severe fines on those who violate data protection and security standards. With the GDPR, Europe is expressing a strong position on data protection and security in a world where more and more people are entrusting their personal data to various cloud-based services. 100% GDPR compliance is an almost impossible task, especially for small and medium-sized businesses.
GDPR common terms
Personal Data – Personal data can be any information that relates directly or indirectly to an identifiable individual. Names and email addresses are considered personal information. On top of that, location data, ethnicity, gender, biometrics, religious beliefs, cookies, and political opinions can also be personal data. Pseudo-anonymous data (such as an IP address) can also be included if one can easily identify someone from it.
Data Processing – All operations with data, whether automated or manual. Such is the collection, recording, systematization, storage, use, deletion… so basically everything.
Data Subject – The person whose data is being handled, ie customers and visitors.
Data Controller – The person who decides why and how personal information is handled. Most of the time it is the company manager or the owner.
Data Processor – A third party who processes personal data on behalf of the data controller.
Personality rights guaranteed in the GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Principles of the GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
What to expect in the coming years?
Privacy regulations are getting stricter year by year, with GDPR penalties becoming more common. While the year 2021 was relatively slow in terms of new data protection regulations, the opposite was the case in terms of enforcement – regulators strictly enforced the law and imposed higher fines than ever before.
Experts expect in 2022 that user contribution trends are unlikely to change, and that individual states will standardize their laws more. Perhaps the biggest change will come from the 2022 Artificial Intelligence Act. Different development technologies are expected to continue to affect GDPR compliance in the future. “The data protection risks posed by artificial intelligence, machine learning, facial recognition and profiling will be even more important for EU regulators.” – said Müge Fazliogu, Senior Research Fellow at the International Association of Data Protection Professionals.