Personal data is a precious asset for organizations aiming to deliver their products and services. These organizations make unprecedented use of personal data to pursue their activities. Consequently, data has become the very lifeblood of the modern digital economy. At the same time, it raises several critical concerns related to the user’s or customer’s right to data privacy and protection.
To that end, governments globally have been developing and enforcing laws to ensure that organizations collect data in a manner that respects users’ right to privacy.
I. What is GDPR?
In 2016, the European Commission replaced its long-existing Data Protection Directive with a modernised version, the General Data Protection Regulation (GDPR). The GDPR is based on the EU Charter of Fundamental Rights which considers the protection of personal data as an individual’s fundamental human right.
The objective of the GDPR is to ensure the protection of personal information through a human rights-centric approach and to allow the secure transfer of personal information within and across jurisdictions. At present, the GDPR is considered one of the best global practices in the data protection and privacy legal landscape.
The General Data Protection Regulation (GDPR) is one such regulation enacted by the European Union. It has served as the global standard and a blueprint for similar data protection legislation that has come into force globally.
II. Who Must Comply With the GDPR?
The GDPR’s applicability extends beyond the territorial limits of the European Union, affecting businesses and organizations globally.
a. Scope of the GDPR
The GDPR is designed to ensure the thorough protection of EU residents' personal data. For that reason, its scope is not limited to the EU jurisdiction. The GDPR’s provisions apply to any organization that processes the personal data of EU residents, regardless of their nationality.
The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
However, the regulation does not apply to the processing of personal data:
- in the course of an activity that falls outside the scope of Union law;
- by the member states when carrying out activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union (on common security and foreign policy);
- by a natural person in the course of a purely personal or household activity; or
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Owing to this, businesses worldwide must be extra mindful of whether their data processing and collection practices involve handling the personal data of EU residents since doing so can subject them to GDPR compliance.
b. Criteria for Applicability
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the following:
Offering Goods or Services to EU Residents
An organization offering products or services to EU residents must adhere to GDPR provisions. Factors such as the use of a language or currency generally used in one or more member states, the possibility of ordering goods and services in that language, or the mention of customers or users who are in the EU may make it apparent that the organization envisages offering goods or services to data subjects in the EU.
Monitoring EU Residents’ Behavior
An organization that monitors the behavior of EU data subjects must comply with the GDPR. Such monitoring includes tracking natural persons on the Internet and subsequently using personal data processing techniques to create their profiles, analyze their digital usage patterns, and make predictions related to their personal preferences, behaviors, and attitudes.
Processing Special Categories of Personal Data
The GDPR imposes notoriously strict conditions on the processing, collection, and handling of special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious beliefs, or health information. Processing of special categories of data can create significant risks to the fundamental rights and freedoms of natural persons.
The GDPR prohibits organizations from processing special categories of data unless an exception applies, for example where the data subject has explicitly consented to the processing, the processing is necessary for compliance with a legal obligation to which the data controller is subject, or the processing is necessary for the performance of a task carried out in the public interest.
III. Key Definitions Under the GDPR
Some key definitions mentioned within the official GDPR text include the following:
a. Data Controller
A person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.
b. Data Processing
Any operation performed on data, whether automated or manual, including collecting, recording, organizing, structuring, storing, using, and erasing data.
c. Data Subject
The person whose data is processed. These can be your customers or visitors to your site.
d. Data Processor
A person, public authority, agency, or other body which processes personal data on behalf of the controller.
e. Personal Data
Information that relates to an individual who can be, directly or indirectly, identified. This includes names, email addresses, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions.
Pseudonymous data is also personal data: it cannot be attributed to a specific data subject without the use of additional information, but that additional information exists and is kept separately, protected by technical and organizational measures that prevent the individual's re-identification.
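The separation the paragraph describes is the whole point of pseudonymisation: the dataset used for processing carries only pseudonyms, while the "additional information" needed to re-identify a person (here a keyed HMAC and a lookup table) lives in a separately protected store. The following is an added example written for this page, not code from the original article or from any product it describes; the `ReidentificationStore` class, the event layout and the sample emails are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class ReidentificationStore:
    """Holds the 'additional information' that turns a pseudonym back into a
    person: the HMAC key and the pseudonym -> identifier table.

    In a real deployment this lives in a separately access-controlled system;
    here it is an in-memory stand-in constructed for the example."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    @staticmethod
    def _normalise(identifier: str) -> str:
        # Case and whitespace differences in an email must map to one pseudonym,
        # otherwise the same person shows up as several subjects.
        return identifier.strip().lower()

    def pseudonym_for(self, identifier: str) -> str:
        """Derive a keyed pseudonym and remember the link for authorised lookups.

        A keyed HMAC is used instead of a plain hash: without the key, a party
        holding the pseudonymised dataset cannot test a guessed email against
        the pseudonyms it contains."""
        normalised = self._normalise(identifier)
        pseudonym = hmac.new(self._key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[pseudonym] = normalised
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Authorised re-identification; returns None once the link is gone."""
        return self._lookup.get(pseudonym)

    def forget(self, identifier: str) -> int:
        """Remove every link to this identifier (e.g. on an erasure request).

        The pseudonymised records themselves can stay in the analytics store,
        because without the link they can no longer be attributed to anyone.
        Returns the number of links removed."""
        normalised = self._normalise(identifier)
        before = len(self._lookup)
        self._lookup = {p: i for p, i in self._lookup.items() if i != normalised}
        return before - len(self._lookup)


def pseudonymise_events(events: List[dict], store: ReidentificationStore) -> List[dict]:
    """Replace the direct identifier ('email') in each event with a pseudonym
    ('subject') so the processing dataset carries no directly identifying field."""
    pseudonymised = []
    for event in events:
        copy = dict(event)
        copy["subject"] = store.pseudonym_for(copy.pop("email"))
        pseudonymised.append(copy)
    return pseudonymised


# Constructed sample input: the same person appears twice with different casing.
SAMPLE_EVENTS = [
    {"email": "alice@example.com", "action": "login"},
    {"email": "Alice@Example.com ", "action": "purchase"},
    {"email": "bob@example.com", "action": "login"},
]

if __name__ == "__main__":
    store = ReidentificationStore()
    events = pseudonymise_events(SAMPLE_EVENTS, store)
    print(events[0]["subject"] == events[1]["subject"])   # True: one person, one pseudonym
    print(store.reidentify(events[2]["subject"]))          # bob@example.com
    store.forget("bob@example.com")
    print(store.reidentify(events[2]["subject"]))          # None
```

Two design points matter here. The pseudonym is keyed, so whoever holds only the processing dataset cannot confirm a guess about who a subject is, which is what keeps the data from being "attributable without additional information". And because the link lives only in the separate store, deleting it is a practical way to honour an erasure request for a subject while leaving aggregate records intact.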
IV. Data Subject Rights Under the GDPR
The GDPR provides the following rights for individuals.
a. The Right to Be Informed
Data subjects have the right to be informed about the collection and use of their data. The information should be provided in “an easily visible, intelligible, and clearly legible manner, using clear and plain language” and present a meaningful overview of the intended processing of the data subject's personal data.
b. The Right of Access
The data subjects have a right to confirm whether an organization is processing their personal data, obtain a copy of their personal data, and obtain certain information about the processing, including the purposes of the processing, categories of personal data concerned, the envisaged period for which personal data will be stored, and the appropriate safeguards relating to the transfer of their personal data.
c. The Right to Rectification
The GDPR includes a right for data subjects to have inaccurate personal data rectified or completed if it is incomplete.
d. The Right to Erasure
This right requires the controller to erase the personal data of the data subject without undue delay upon the data subject’s request. The GDPR sets out the grounds on which the right to erasure can be exercised, including where the personal data is no longer necessary in relation to the purposes for which it was collected, the data subject withdraws their consent, or the personal data has been processed unlawfully. The right to erasure is also known as ‘the right to be forgotten’.
e. The Right To Restrict Processing
Individuals have the right to request the restriction or suppression of processing of their personal data where the data subject contests the accuracy of personal data, the processing is unlawful, the controller no longer needs the personal data for the purposes of the processing, or the data subject has objected to the processing pending verification as to whether the controller’s legitimate interests override the data subject's interests. As per Article 18 of the GDPR, data subjects who have obtained restrictions on processing must be informed before any such restriction is lifted.
f. The Right In Relation to Automated Decision-Making & Profiling
As per Article 22 of the GDPR, data subjects have the right not to be subjected to decisions based solely on automated processing, including profiling that has legal or similarly significant effects on data subjects. GDPR further provides exceptions (consent, contract, legal authorization) to this prohibition and provides for appropriate safeguards for data subjects.
g. The Right to Object
The GDPR gives data subjects the right to object to the processing of their personal data, upon which the controller should no longer process personal data, unless the controller demonstrates the existence of compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
h. The Right to Data Portability
The right to data portability allows data subjects to obtain their personal data in a structured, commonly used, and machine-readable format and reuse it for their own purposes across different services. It also allows data subjects to move, copy, or transfer their personal data easily from one IT environment to another, i.e., from one controller to another (where technically feasible), safely and securely, without affecting its usability.
V. Seven Core Principles of GDPR
The GDPR consists of seven core principles. These principles are not mere guidelines but foundational requirements that ultimately determine how compliant an organization is with the broader provisions of the GDPR. They are as follows:
1. Lawfulness, Fairness, and Transparency
At the very heart of the GDPR is the absolute requirement that any data collection and processing be lawful, fair, and completely transparent. This means that data controllers and processors must have a legal basis for data processing, such as consent, contractual necessity, or compliance with a legal obligation.
Additionally, they must ensure that the entire data collection and processing process is fair and not in any way detrimental to the data subject's rights, freedoms, and legitimate interests. Furthermore, the data subject must also be appropriately informed about how their personal data will be processed, by whom, for what purpose, and what options are available to them in case they wish to rescind their consent for data collection.
2. Purpose Limitation
As per this principle, a data controller or processor may only proceed with collecting and processing a data subject's data for a specific purpose to which they have consented. Any processing for purposes incompatible with the initial purposes will require further consent from the user. However, processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purpose.
3. Data Minimization
Data minimization refers to the requirement that all data collectors and processors process and collect only as much personal data as is adequate, relevant and necessary for the specified purpose. This not only ensures an appropriate degree of protection for the data subject’s right to privacy, but also ensures that only the most relevant data is collected and processed, providing organizations access to precise and accurate data for use.
4. Accuracy
The GDPR requires all data controllers and processors collecting personal data to take reasonable measures to ensure the accuracy of any and all personal data they collect. Any personal data identified as inaccurate should either be rectified or erased without delay.
Furthermore, the data subjects themselves have the right to request that any of their collected data be corrected or modified if it has become inaccurate, obsolete, or incomplete since it was collected.
5. Storage Limitation
Data controllers and processors collecting data subjects’ personal data are required to ensure that they only retain such data for as long as it is necessary for the purpose it was collected. Under this principle, organizations cannot retain data indefinitely and are under strict obligations to securely dispose of the collected data once its initial purpose for collection has been fulfilled or is no longer applicable.
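Storage limitation is easiest to enforce when every record carries the purpose it was collected for and each purpose has a defined retention period, so that a scheduled job can decide mechanically what must go. The following is an added example written for this page, not code from the original article or from any product it describes. The retention periods in `RETENTION` are constructed illustrative values, not periods prescribed by the GDPR, which requires only that data be kept no longer than necessary for its purpose; the `Record` layout and the sample records are likewise constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


# Retention schedule keyed by processing purpose. Constructed example values:
# the GDPR does not prescribe these numbers, the organisation must justify them.
RETENTION: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=30),
    "warranty_support": timedelta(days=730),
    "marketing": timedelta(days=180),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject: str            # pseudonym or customer reference
    purpose: str            # must match a key in RETENTION
    collected_at: datetime
    purpose_fulfilled_at: Optional[datetime] = None  # e.g. when the order was delivered


def retention_deadline(record: Record) -> datetime:
    """The retention clock starts when the purpose has been fulfilled; if that
    moment was never recorded, fall back to the collection time so nothing is
    kept longer than the schedule allows."""
    if record.purpose not in RETENTION:
        # A record with no retention rule has no documented purpose that could
        # justify keeping it; fail closed instead of silently retaining it.
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    start = record.purpose_fulfilled_at or record.collected_at
    return start + RETENTION[record.purpose]


def due_for_erasure(records: List[Record], now: datetime) -> List[Record]:
    """Records whose retention deadline has passed at time `now`."""
    return [r for r in records if retention_deadline(r) <= now]


def apply_retention(records: List[Record], now: datetime) -> Tuple[List[Record], List[str]]:
    """Split the store into the records to keep and the ids that must be erased."""
    due_ids = {r.record_id for r in due_for_erasure(records, now)}
    kept = [r for r in records if r.record_id not in due_ids]
    return kept, sorted(due_ids)


UTC = timezone.utc

# Constructed sample data.
SAMPLE_RECORDS = [
    Record("r1", "subj-a", "order_fulfilment", datetime(2024, 1, 10, tzinfo=UTC), datetime(2024, 1, 15, tzinfo=UTC)),
    Record("r2", "subj-b", "order_fulfilment", datetime(2024, 5, 20, tzinfo=UTC), datetime(2024, 5, 25, tzinfo=UTC)),
    Record("r3", "subj-c", "marketing", datetime(2023, 11, 1, tzinfo=UTC)),
    Record("r4", "subj-a", "warranty_support", datetime(2023, 1, 1, tzinfo=UTC)),
]
NOW = datetime(2024, 6, 1, tzinfo=UTC)

if __name__ == "__main__":
    kept, erased = apply_retention(SAMPLE_RECORDS, NOW)
    print("erase:", erased)                       # ['r1', 'r3']
    print("keep:", [r.record_id for r in kept])   # ['r2', 'r4']
```

The unknown-purpose case is deliberately an error rather than a silent "keep": a record nobody can tie to a purpose is exactly the kind of data this principle says should not be sitting in the store, and surfacing it forces the gap in the retention policy to be closed.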
6. Integrity & Confidentiality
Security is a critical component of the GDPR. Under this principle, all data controllers and processors who collect personal data of the data subjects must undertake appropriate technical and organizational measures to ensure that all collected personal data is safe against any possible unauthorized or unlawful processing.
These measures should also afford adequate protection against accidental loss or damage to the data without compromising its integrity.
7. Accountability
The onus is on the data controllers and processors to demonstrate their compliance with each of the aforementioned principles. Furthermore, they must prove their compliance in the form of documented data protection policies, data protection impact assessments (DPIA), and records of processing activities (RoPA).
This ensures that data protection is not just a formality but a core component of any organization’s data collection practices and ethics.
VI. Penalties for Non-Compliance with GDPR
One aspect that ensured the GDPR was taken seriously by all entities subject to it was its penalty framework. It allows for enough flexibility to ensure hefty fines for those found in non-compliance. Hence, understanding these penalties can give organizations yet another reason to devote ample resources to their compliance efforts.
Two Tiered Fine System
The GDPR introduces a two-tiered fine system based on the severity of the organization's violation and other factors such as the nature and duration of the infringement, its intentional or negligent character, the categories of personal data affected, and so on. This ensures that any fines levied are "effective, proportionate, and dissuasive."
1. Lower Level
For organizations found guilty of relatively less severe violations, fines of up to €10 million or 2% of their total worldwide annual turnover of the preceding financial year, whichever is higher, can be levied.
Violations at this level usually involve technical breaches, RoPA violations, failure to notify the relevant authorities of a breach appropriately, or a failure to conduct a data protection impact assessment.
2. Upper Level
Such fines are imposed for severe violations of the GDPR. These fines can reach up to €20 million or 4% of the company's total global annual turnover of the preceding financial year, whichever is higher.
Violations at this level usually involve violations related to the GDPR's core principles, data subject rights violations, unauthorized cross-border data transfers, and non-compliance with a supervisory authority’s orders.
Whether a punishable offense has occurred can come to light through proactive investigation and inspection activities carried out by the relevant supervisory authorities, through reports by an internal employee or by customers or potential customers, through self-denunciation by the company, or through investigative journalism by the press.
VII. Data Protection by Design & Data Protection by Default (PbD)
The concepts of Data Protection by Design and Data Protection by Default are among the key obligations the GDPR places on subject organizations. They represent a radical shift in how organizations are expected to approach data privacy and implement appropriate data protection measures throughout the development and lifecycle of products, services, and processes.
Data Protection by Design
Data Protection by Design is a proactive approach to data privacy that requires including data protection as an important consideration throughout the entire engineering and development process, not just as an afterthought.
This concept was established long before the GDPR brought it into the spotlight in 2018.
The principle is fairly straightforward: organizations must view and treat data protection as an essential part of the design of products and services rather than a complementary addition. To this end, appropriate technical and physical measures, including relevant policies and procedures, must be implemented to meet the requirements of GDPR.
Data Protection by Default
Data Protection by Default takes the concept of Data Protection by Design a step further by requiring that the strictest privacy settings be the default on any product or service a customer acquires.
As per the Data Protection by Default approach, processing and collection of personal data are allowed but only to the extent required for the product/service to complete the intended purpose. Any additional processing or collection will require a lawful basis under the GDPR.
This approach minimizes the chances of unintentional data exposure while also aligning with the GDPR’s critical data minimization principle.
Implementing Data Protection by Design & Data Protection by Default (PbD)
Some actionable steps organizations can take to implement Data Protection by Design & Data Protection by Default principles within their operational practices include the following:
- Data encryption;
- Regular staff training and awareness sessions;
- Adoption of user-centric interfaces and processing within product/service design;
- Regular & thorough privacy impact assessments.
VIII. Key Requirements of GDPR
The GDPR places several critical requirements on all organizations subject to it. Understanding these requirements is essential for any organization aiming to be GDPR-compliant and avoid penalties.
a. Consent and Data Processing
Consent is a major cornerstone of the GDPR. If consent is the applicable basis for any processing activity, the concerned individuals must provide clear and affirmative consent before any organization can process their data. Furthermore, any consent provided must be freely given, specific, informed, and unambiguous, with a clear affirmative action indicating the individual's agreement to having their personal data processed.
Hence, pre-ticked boxes or any other measure involving implied consent will not be considered valid under the GDPR.
Additionally, the request for consent must be separate from any other requests while also being easy to understand and access. Data subjects have the right to revoke any previously provided consent, and the organizations collecting their personal data must make it as easy to withdraw consent as it is to provide consent.
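The consent requirements in this subsection, together with the Data Protection by Default principle from Section VII, translate directly into how a system should keep consent records: no purpose is consented to until a record exists, each purpose is recorded separately, a pre-ticked or silent "consent" never counts, withdrawal is a single call like granting, and a processing operation is covered only if valid consent was in force at the moment it ran. The following is an added example written for this page, not code from the original article or from any product it describes; it assumes consent is the lawful basis being relied on, and the `ConsentLedger` class, the `Mechanism` values and the sample log are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Mechanism(Enum):
    """How the consent signal was obtained (constructed categories)."""
    AFFIRMATIVE_ACTION = "affirmative_action"       # unticked box the user ticked, explicit button
    PRE_TICKED = "pre_ticked"                       # implied consent: not valid under the GDPR
    INFERRED_FROM_SILENCE = "inferred_from_silence"  # likewise not valid


@dataclass
class ConsentEvent:
    purpose: str
    granted_at: datetime
    mechanism: Mechanism
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Per-purpose consent records for one data subject.

    Nothing is consented to until an event is recorded (the default is 'no'),
    each purpose is handled separately, and withdrawal is one call, like
    granting."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def grant(self, purpose: str, mechanism: Mechanism, at: datetime) -> ConsentEvent:
        # The mechanism is stored rather than rejected so that an audit can
        # show what the interface actually did; is_lawful() does the judging.
        event = ConsentEvent(purpose, at, mechanism)
        self._events.setdefault(purpose, []).append(event)
        return event

    def withdraw(self, purpose: str, at: datetime) -> int:
        """Withdraw all active consent for a purpose; returns how many events were closed."""
        closed = 0
        for event in self._events.get(purpose, []):
            if event.withdrawn_at is None:
                event.withdrawn_at = at
                closed += 1
        return closed

    def is_lawful(self, purpose: str, at: datetime) -> bool:
        """Was valid consent in force for `purpose` at processing time `at`?

        Only an affirmative action counts. Processing done before a withdrawal
        stays covered; processing after it does not."""
        for event in self._events.get(purpose, []):
            if event.mechanism is not Mechanism.AFFIRMATIVE_ACTION:
                continue
            if event.granted_at <= at and (event.withdrawn_at is None or at < event.withdrawn_at):
                return True
        return False


def audit_processing(ledger: ConsentLedger, processing_log: List[dict]) -> List[str]:
    """Return ids of processing operations that had no valid consent when they ran."""
    return [op["id"] for op in processing_log if not ledger.is_lawful(op["purpose"], op["at"])]


UTC = timezone.utc


def build_sample_ledger() -> ConsentLedger:
    """Constructed scenario: marketing via a pre-ticked box (invalid), analytics
    via an explicit opt-in that is later withdrawn."""
    ledger = ConsentLedger()
    ledger.grant("marketing", Mechanism.PRE_TICKED, datetime(2024, 3, 1, tzinfo=UTC))
    ledger.grant("analytics", Mechanism.AFFIRMATIVE_ACTION, datetime(2024, 3, 1, tzinfo=UTC))
    ledger.withdraw("analytics", datetime(2024, 4, 1, tzinfo=UTC))
    return ledger


# Constructed processing log to audit against the ledger.
SAMPLE_LOG = [
    {"id": "p1", "purpose": "marketing", "at": datetime(2024, 3, 10, tzinfo=UTC)},
    {"id": "p2", "purpose": "analytics", "at": datetime(2024, 3, 10, tzinfo=UTC)},
    {"id": "p3", "purpose": "analytics", "at": datetime(2024, 4, 10, tzinfo=UTC)},
    {"id": "p4", "purpose": "profiling", "at": datetime(2024, 4, 10, tzinfo=UTC)},  # never asked
]

if __name__ == "__main__":
    print(audit_processing(build_sample_ledger(), SAMPLE_LOG))   # ['p1', 'p3', 'p4']
```

Keeping the consent mechanism in the record, rather than only a boolean, is what makes the audit possible: a later review can see that the marketing consent came from a pre-ticked box and treat every operation that relied on it as unlawful, while the analytics operation that ran before the withdrawal remains covered.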
b. Data Subject Rights
The GDPR empowers users with several rights known as “data subject rights.” As discussed in detail earlier, these rights ensure that users retain an extensive degree of control over their personal data after it has been collected.
c. Data Protection Officers
Article 37 of the GDPR sets out the scenarios in which entities collecting users’ personal data must appoint a Data Protection Officer (DPO). This requirement applies to public authorities (except for courts), organizations that carry out regular and systematic monitoring of data subjects on a large scale, and organizations that engage in large-scale processing of special categories of data referred to in Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.
The DPO must be appointed based on merit and their professional expertise related to data protection law and practices.
d. Conditions for Legally Processing Personal Data
As per the GDPR, organizations may only proceed with personal data processing after having satisfied a set of strict conditions. These conditions include the following:
- Explicit consent of the data subject;
- Necessity of the processing for contractual purposes;
- Compliance with the legal obligation to which the controller is subject;
- Protection of vital interests of the data subject or of another natural person;
- Performance of a task to be carried out in the public interest;
- The exercise of official authority; or
- Other legitimate interests being pursued by a data controller or a third party, provided the same are not overridden by the interests of the data subject.
IX. GDPR Compliance Checklist
The GDPR is a tough regulation to comply with. However, having a checklist of measures and steps an organization can take makes the task comparatively easier. Here are some steps an organization can take to elevate its compliance efforts.
a. Know Your Data
This is arguably the most important step in any organization’s attempts to become GDPR compliant. An organization must have a comprehensive understanding of all the data it has collected and is processing, including what data has been collected, why, from whom, and from where, as well as other characteristics of the collected data, such as whether it includes special categories of personal data.
Knowing this about collected data can help in the overall development of an organization’s data protection strategy, with appropriate measures being developed depending on the organization’s needs and requirements.
b. Appoint a Competent DPO
Appointing a Data Protection Officer (DPO) is an obligation for certain entities under the GDPR. However, other organizations may also appoint a DPO as a best practice. The competence of the DPO largely determines how reliable an organization’s data protection regime ends up being. The DPO determines the route an organization will take in its efforts to become GDPR compliant while also being the primary contact between the organization, the regulators, and the data subjects.
c. Thorough Documentation
An organization that maintains extensive records of its internal and external data collection practices will have an easier time demonstrating its compliance. This not only allows for compliance with GDPR requirements but also enables the proactive identification and mitigation of issues.
d. Evaluate Your Requirements
Modern data collection methods allow for extensive data collection in terms of volume, variety, and velocity. However, different businesses have different data collection needs. Hence, understanding an organization’s unique data needs is vital as it helps identify which data needs to be collected. Doing so not only allows for efficient data collection but also prevents an organization from unintentionally collecting unnecessary data and falling afoul of any GDPR provisions.
e. Reporting Mechanism
The GDPR mandates that all organizations be as prompt as possible when sending data breach notifications to both the authorities and affected data subjects. A reliable and effective reporting mechanism can ensure that all relevant information is appropriately collected, compiled, and sent to the appropriate parties within the time frame mentioned in the GDPR.
f. Be Transparent
It is vital for an organization to ensure it appropriately informs each data subject about the implications of its data processing activities. This can include a thorough communication of exactly what data will be processed, how it will be processed, whom the data could potentially be shared with, the individual’s rights per the GDPR, and any other information deemed necessary for them to know.
Not being upfront or obfuscating any such information from the data subjects poses not only a regulatory risk but can lead to a permanent deterioration of user trust and brand reputation.
g. Assess Yourself & Third Parties
It is important for an organization to regularly assess its internal operations to confirm that they remain compliant with applicable regulations. Regular privacy and data protection impact assessments and audits can help organizations identify and address potential blind spots proactively.
Similarly, it is just as important to engage vendors that have a good industry reputation and compliant data protection practices and policies. This should be complemented with regular checks to maintain an up-to-date overview of each vendor’s compliance efforts. Knowing each vendor's overall compliance status can help organizations proactively manage risks and switch to new vendors where the overall risk would be unacceptable.
X. How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Some of the most recognizable global enterprises rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.
The Data Command Center comes equipped with numerous individual modules and solutions designed to help organizations comply with the various requirements and obligations set forth by the GDPR. An organization may choose to opt for a People Data Graph to link personal data with each individual, conduct an automated internal assessment of their policies to detect and address any potential blindspots, evaluate the overall compliance of their third-party vendors, manage and monitor various consent-related activities and obligations, and so much more.
While businesses may hesitate to move from their current manual methods to automation out of concern over costs and infrastructure changes, automation is clearly the way forward. It not only increases overall ROI and productivity but also lowers costs and improves accuracy.
Request a demo today and learn more about how Securiti can help your organization in its GDPR compliance efforts.