Global Data Protection Standards

GDPR Compliance.

At Brilliance One, data protection is an ethical responsibility. We have adopted GDPR principles across our global operations to ensure your business remains audit-ready and your customers remain protected.

Last Updated: October 14, 2025


A foundational commitment.

The General Data Protection Regulation (GDPR) empowers individuals with control over their personal information. We treat your data as a sovereign asset, utilizing AES-256 encryption and Private Database isolation to ensure absolute privacy.

Privacy by Design

Our systems are engineered with privacy as a foundational principle, ensuring data is handled securely by default.

Sovereign Encryption

Sensitive data is encrypted at rest and in transit (TLS 1.3), stored in secure, access-controlled environments.

Audit Readiness

We maintain an Internal Asset Register (IAR) and conduct regular audits to identify and mitigate privacy risks.

Breach Notification Guarantee

In the unlikely event of a data incident, Brilliance One adheres to a strict 72-hour notification window as per GDPR Article 33. We believe in immediate accountability and transparent communication.

Frequently Asked Questions

The EU's General Data Protection Regulation (GDPR) is a comprehensive law that governs how personal data of EU residents is collected, stored, and processed. Introduced in 2016 to modernize outdated data protection rules, GDPR ensures individuals have greater control over their personal information in an increasingly digital world.

GDPR applies to any organization handling the personal data of EU residents, regardless of where the organization is based. It establishes clear obligations for data controllers and processors.

GDPR has global reach. Any organization worldwide that processes personal data of EU residents falls under its jurisdiction.

Violating GDPR can result in severe penalties:

  • Up to 4% of the organization's annual global turnover, or
  • €20 million, whichever is higher.

GDPR defines the following roles:

  • Data Subject: Any natural person residing in the EU whose personal data is being processed.
  • Data Controller: Determines the purpose and methods of processing personal data.
  • Data Processor: Processes data on behalf of the controller.
  • Supervisory Authorities: Public authorities that monitor GDPR compliance and investigate breaches.

Personal data is any information that identifies or can identify a natural person. It can be:

  • Direct identifiers: Name, email, phone number, etc.
  • Indirect identifiers: Date of birth, gender, location, and other characteristics.

GDPR introduces enhanced rights for data subjects and stricter obligations for organizations:

  • Explicit Consent: Individuals must be informed and give clear permission for their data to be processed, with the ability to withdraw consent easily.
  • Right to Access: Data subjects can request details of personal data being held.
  • Right to Be Forgotten: Individuals can request deletion of their personal data.
  • Processor Obligations: Processors must demonstrate GDPR compliance and follow controller instructions.
  • Data Protection Officer (DPO): Organizations may need a DPO to oversee GDPR compliance.
  • Privacy Impact Assessments (PIA): Large-scale processing requires assessments to minimize risks.
  • Breach Notification: Controllers must notify authorities and affected individuals within 72 hours of a breach.
  • Data Portability: Individuals can receive their data in a machine-readable format and transfer it to another controller.

Controllers can process personal data under six lawful bases:

  • Contract: Processing necessary to fulfill contractual obligations or customer requests.
  • Legal Obligation: Processing required by law or regulatory authority.
  • Vital Interests: Processing needed to protect life or health.
  • Public Task: Processing carried out by public authorities for official duties.
  • Legitimate Interests: Processing for business or societal interests, documented through a Legitimate Interests Assessment (LIA).
  • Consent: Freely given, specific, informed, and unambiguous permission from the data subject.

An LIA evaluates whether the organization has a valid reason to process personal data. It includes:

  • Assessment of the legitimate interest
  • Determining necessity for processing
  • Balancing test to ensure rights of data subjects are protected

For more information, refer to the following:

Note: Brilliance One is not responsible for the content of these external pages and does not endorse them.

Data Protection Office

Official Presence

Brilliance One
1013 Fuller St SW
Cullman, AL 35055

Direct Inquiry

Email: sales@brillianceone.com

Phone: 256-258-8593