What is GDPR in cybersecurity and does it work?

In 2018, a new data protection law became applicable across the EU. The legislation is called the General Data Protection Regulation, GDPR for short. It replaced the Data Protection Directive of 1995, which had not been substantially updated in over two decades. Our online presence has changed enormously in that period, so modernization of the law was much needed.

The GDPR modernized the legislation with the aim of better protecting individuals online, especially when it comes to the collection and sharing of personal information.

What is GDPR and why was it implemented?

As said earlier, the GDPR is the EU’s current data protection legislation. It was introduced to standardize data protection law across the EU single market and, in a growing digital economy, to give people greater control over how the data they generate is used. In short, the GDPR harmonizes data privacy law across the EU, replacing the patchwork of national implementations of the old directive.

Privacy protection under GDPR

As a consumer and online buyer, you probably have received unwanted emails. Oftentimes, as soon as you buy something and share your data, organizations include you in all their mailing traffic. Indeed, sometimes you might wonder if you even signed up for their mailing lists.

One practical effect of the GDPR is to curb such unwanted marketing and, more generally, any use of personal data that the individual did not agree to or expect. In the current online environment, almost everything can be digitized, and ever more personal information is collected and stored. Under the GDPR, an organization may only collect personal data for a specific, stated purpose and on a valid legal basis, and it must be able to show why the data is needed. The regulation therefore changes how businesses and organizations may handle the information of their online visitors.

What are the 7 principles of GDPR?

Conveniently, the GDPR sets out seven key principles. The principles are a way for organizations to ensure they abide by the legislation on all levels. The seven principles of the GDPR are the following:

  1. Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner towards the individual.
  2. Purpose limitation: data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a way that is incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research, or statistics is not considered incompatible.
  3. Data minimization: organizations may only gather data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accuracy: personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to erase or rectify inaccurate data without delay.
  5. Storage limitation: personal data may be kept in a form that identifies individuals no longer than is necessary for the purposes for which it is processed.
  6. Integrity and confidentiality: data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.
  7. Accountability: the organization that controls the data is responsible for, and must be able to demonstrate, compliance with the above principles.

Who is affected by GDPR legislation?

The GDPR is a regulation of the European Union, and it applies to organizations established in the EU regardless of where the actual processing takes place. It also applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, for example a website with European visitors. So while on paper it is European law, in practice it reaches plenty of organizations elsewhere.

The legislation distinguishes two roles among the parties that must abide by the above principles. These are:

  1. Data controllers: parties that determine the purposes and means of the processing, that is, why and how personal data is processed;
  2. Data processors: parties that process personal data on behalf of a controller, such as a hosting or email provider.

What is the maximum fine for a GDPR breach?

Since the GDPR is law, not abiding by it has consequences. The size of a penalty depends on factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the measures taken to mitigate the damage, rather than simply on the size of the organization. The most serious infringements, such as violating the basic principles above or the rights of individuals, can draw a fine of up to 20 million euros or 4% of the organization’s total worldwide annual turnover of the preceding financial year, whichever is higher. A lower tier, up to 10 million euros or 2% of turnover, applies to other obligations, such as failing to secure data appropriately, to keep records of processing, or to notify a breach.

So, what has really changed?

We have discussed what GDPR stands for, what it requires, and how it relates to cybersecurity. Organizations are indeed held more accountable than ever before. However, it is still questionable whether it offers full data protection for the individual. Does it really protect your privacy online?

Critique of the GDPR

Not every party is bound by the GDPR in the same way. Processing of health data can be justified during a public health emergency, which is fully reasonable, but member states may also carve out exemptions for journalism and for academic, artistic or literary expression, and much processing by law enforcement and national security agencies falls outside the regulation altogether. The more parties are exempted, the greater the risk that data is still legally or illegally sold and stored.

Another criticism of the legislation is that it is already somewhat dated. The GDPR is a step towards more individual control, but some threats to that control remain entrenched in it. This is mostly because, in the end, the organization on the other side is responsible for protecting your personal data. Trust is therefore a big factor, and trust is often broken, especially when you are not physically in the same room as the party holding your data.

So, how to protect your privacy online?

To be sure that your data is protected, you will need extra measures, as an individual but especially as an employer or business. To reduce the chance that your data is stored and shared without your knowledge, make use of USB data blockers when charging from ports you do not control, cover your webcam, or take a look at these five ways to protect your privacy online.
