GDPR (General Data Protection Regulation) is a current privacy law adopted by the European Union. GDPR is effective from May 25, 2018. Its purpose is to ensure the protection of the privacy and personal data rights of individuals who are EU citizens, also defined as data subjects.
Personal data, or personally identifying data is a very important term under GDPR. It means any information that relates to an individual with which they can be directly or indirectly identified. For example, personal data includes the following:
- email addresses
- information regarding the person’s location
- web cookies
- political opinions etc.
Under the GDPR, any piece of data that makes it possible to identify a particular person is personal data. Pseudonymised data can also constitute personal data if it allows to identify an individual without much difficulty.
GDPR is applied to every company registered within the EU and any company that processes EU residents’ personal data.
There are two main roles for a company under the GDPR. These are the data controller and data processor. The data controller decides why and how personal data will be processed. The data processor is a person (a legal entity or an individual) that processes personal data on behalf of a data controller.
Article 5 of the GDPR defines seven principles for protection and accountability of personal data:
- Lawfulness, fairness, and transparency: processing must be lawful, fair, and transparent (understandable) to the data subject.
- Purpose limitation: a company must process data for legitimate purposes and explicitly notify the data subject when such data is collected.
- Data minimization: a company should collect and process only as much data as is absolutely necessary for the purposes of personal data processing.
- Accuracy: a company must keep personal data accurate and up to date.
- Storage limitation: a company may only store personal data for as long as necessary for the purposes of personal data processing.
- Integrity and confidentiality: personal data processing must be done in a way to ensure appropriate security, integrity, and confidentiality of personal data.
- Accountability: a data controller must be able to demonstrate GDPR compliance with all of the GDPR principles to a competent data protection authority.
If a company fails to comply with GDPR, a competent data protection authority may either fine or undertake administrative measures against such a company.
Administrative measures are described in Article 58 of the GDPR. For example, they include issuance of warnings and reprimands to a company or ordering the company to comply with the request of the data subject. Fines for failure to comply with the GDPR provisions are high:
- for significant violations, either 4% of annual global turnover or up to €20 million;
- for other violations, either 2% of annual global turnover or up to €10 million.
If you have any other questions about Snov.io platform, don’t hesitate to contact us at firstname.lastname@example.org or via live chat.