1. Overview of GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union. It became fully enforceable on May 25, 2018, replacing the 1995 Data Protection Directive. GDPR is designed to harmonize data privacy laws across Europe and protect the personal data and privacy of EU citizens and residents.

2. Scope and Applicability

GDPR applies to:

  • All organizations (regardless of location) that process the personal data of EU citizens or residents.
  • Companies based outside the EU if they offer goods or services to, or monitor the behavior of, individuals in the EU.
  • Data controllers and processors: Any entity that collects, stores, or processes personal data must comply with GDPR.

3. Key Objectives of GDPR

  • Empower individuals by giving them greater control over their personal data.
  • Standardize data protection laws across the EU, simplifying the regulatory environment for international businesses.
  • Enhance data security by requiring organizations to implement robust data protection measures.
  • Increase transparency in how personal data is collected, used, and shared.

4. Core Provisions of GDPR

GDPR consists of 99 articles that outline specific requirements for organizations, including:

A. Consumer Rights

  • Right to Access: Individuals can request access to their personal data and information about how it is being processed.
  • Right to Rectification: Individuals can request corrections to inaccurate or incomplete data.
  • Right to Erasure (“Right to Be Forgotten”): Individuals can request the deletion of their personal data under certain conditions.
  • Right to Restrict Processing: Individuals can limit how their data is used.
  • Right to Data Portability: Individuals can obtain and reuse their personal data for their own purposes across different services.
  • Right to Object: Individuals can object to the processing of their data for specific purposes, such as direct marketing.

B. Data Protection Obligations

  • Data Protection by Design and Default: Organizations must integrate data protection into their processing activities and business practices.
  • Data Protection Impact Assessments (DPIAs): Required for high-risk data processing activities.
  • Appointment of Data Protection Officers (DPOs): Mandatory for certain organizations to oversee GDPR compliance.
  • Record-Keeping: Organizations must maintain detailed records of their data processing activities.

C. Data Breach Notifications

  • Organizations must report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach.
  • If the breach poses a high risk to individuals, those individuals must also be notified without undue delay.

5. Penalties for Non-Compliance

GDPR introduces severe financial penalties for organizations that fail to comply with its requirements:

  • Fines of up to 20 million euros or 4% of the company’s global annual revenue (whichever is higher) for serious violations, such as:
    • Failure to obtain proper consent for data processing.
    • Violations of the core principles for processing personal data.
    • Inadequate technical and organizational measures to ensure data security.
  • Fines of up to 10 million euros or 2% of the company’s global annual revenue for less severe infringements, such as:
    • Failure to maintain proper records.
    • Failure to comply with obligations relating to certification bodies or data protection officers.

6. Global Impact of GDPR

  • GDPR has set a global benchmark for data protection, influencing similar legislation worldwide (e.g., California Consumer Privacy Act, Brazil’s LGPD).
  • Organizations worldwide have had to adapt their data handling practices to comply with GDPR, even if they are not based in the EU.
  • GDPR has increased awareness of data privacy and security, leading to greater transparency and accountability in how personal data is managed.