top of page

Everything you need to know about GDPR!

Updated: Mar 16

‘Data’ is the new buzzword of the digital world we live in today. Fundamentally, almost every aspect of our lives revolves around data. From social media, to banks, retailers, and governments. Almost every service we use involves the collection and analysis of our personal data.

The growing number of data privacy breaches that have been reported globally in recent times, has only increased the insecurity amongst the users over the years.

Regulations guarantee that data protection safeguards are built into products and services from the earliest stage of development, providing ‘data protection by design’ in new products and technologies.

The GDPR is one such step taken to tackle this dire situation.

The acronym GDPR stands for General Data Protection Regulation, and its implementation signaled a turning point for privacy protection in the new era of big data.

The GDPR created a consolidated data protection legal framework across all European Union member states (EU), plus Iceland, Lichtenstein, Norway, and Switzerland, which are part of the European Economic Area (EEA) single market.

It was implemented on May 25, 2018 and is one of the most wide-ranging legislation passed by the EU. The intent of introducing GDPR was to standardize data protection law across the single market and give people greater control over how their personal information is used.

Let’s try to understand what is contained in this very critical regulation.

1) Personal data

Article 4 of the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. The GDPR expands the definition of personal data to include all information that could be used to indirectly identify individuals. So any data that helps in identifying a person directly or indirectly classifies as personal data. Examples of personal data include:

  • ID numbers

  • IP addresses and cookie IDs

  • HR records

  • Customer contact details

  • CVs and employment details

  • CCTV and call recordings

Businesses cross into personal data when a third party can take information from said business, put it with other data, and figure out individual identities. For example, say your company knows that Alice pays property tax of $1,000 in Capital City. Suppose a third party can access a public piece of data and finds that only one Alice resides in Capital City. In this case, that information is personal data, because Alice can indirectly become identified.

A sub-category of personal data requires enhanced data protection measures due to its sensitive and personal nature. Special category data includes data that reveals a data subject’s:

  • Racial or ethnic origin.

  • Political opinions.

  • Religious and philosophical beliefs.

  • Trade union membership.

  • Genetic data.

  • Biometric data for the purpose of uniquely identifying a natural person.

  • Data concerning health.

  • Sex life and sexual orientation.

2) Who does the GDPR apply to?

Any European citizen who has their data collected by a company is a data subject under the GDPR. There are two different types of data-handlers the legislation applies to: ‘processors’ and ‘controllers’.

A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.

The GDPR applies to businesses that target EU data subjects in the following instances:

a) offering goods or services b) monitoring online behavior.

3) What is GDPR Compliance?

To be GDPR compliant, means ensuring data is collected, used, and stored legally. This includes gathering consent from data subjects, disclosing why information is collected and how it is used, and keeping the data secure.

Also, to become compliant, public authorities and companies that process data on a large scale need to employ a Data Protection Officer (DPO) to oversee their processing activities.

In addition, any company that engages in high-risk data activities, such as processing special categories of personal data (like biometric or genetic data), must complete a Data Protection Impact Assessment (DPIA).

4) The Seven Core GDPR Guidelines

GDPR has seven key principles that dictate how businesses process data to conform to new EU data protection standards.

1. Lawfulness, fairness, and transparency: Data processing must be legal, and the information collected used fairly. It must also not mislead users about how their data is used. To comply with this principle, GDPR provides six legal bases for processing:

  • Consent: The data subject has given permission for the organization to process their personal data for one or more processing activities

  • Performance of a Contract: The data processing activity is necessary to enter into or perform a contract with the data subject.

  • Legitimate Interest: If legitimate interest is used as a legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the processing activity outweigh any risks to a data subject’s rights and freedoms? If the answer to either of those questions is “no,” then the organization cannot use legitimate interest as its legal basis for processing.

  • Vital Interest: A rare processing activity that could be required to save someone’s life. This