General Data Protection Regulation (GDPR)


Written by yichengchen

What is GDPR? What is Data?

The European Union General Data Protection Regulation (EU GDPR) entered into force on 25 May 2018. Individual countries within the European Union were given the flexibility to amend the EU GDPR to suit their local needs. For instance, this flexibility led to the creation of the Data Protection Act (2018) in the United Kingdom.

In a nutshell, GDPR seeks to impose obligations on organisations which do business with individuals in the EU. This applies regardless of where these businesses were incorporated, as long as, in the course of doing business, they target or collect data related to people in the EU.

Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are textbook examples of personal data. Interests, information about past purchases, health, and online behaviour are also considered personal data, as they could identify a person.

Real Cases, Hefty Fines

Generally, penalties under GDPR can go up to either 4% of your business’ total annual revenue or €20 million, whichever is higher. Below are a few notable case studies:

  • On 21st January 2019, the French Data Protection Authority (“CNIL”) imposed a fine of €50 million on Google LLC under GDPR for lack of transparency and failure to obtain consent for ad targeting.
  • On 2nd October 2020, Germany fined H&M €35.3 million. After a technical error, the data on the company’s network drive was accessible to everyone in the company for a few hours. The press picked up the news, making the Commissioner aware of the violation. The case is particularly interesting because the company had collected sensitive personal data about its staff through whispering campaigns, gossip, and other sources to build profiles of employees, and then used that data in employment decisions. The personal data included medical records, diagnoses and symptoms of illnesses, and private details about vacations and family affairs.
  • In May 2023, Ireland’s Data Protection Commission (“DPC”) imposed a historic fine of €1.2 billion on US tech giant Meta (formerly known as Facebook) for the transfer of personal data of European users to the United States without adequate data protection mechanisms.

What should businesses do?

Businesses should consider having a dedicated data protection officer (“DPO”). In some countries, such as Singapore, it is mandatory to appoint a DPO.

The DPO can then review how the business informs its customers and staff about how their data is collected, processed and shared. The idea is to be as transparent as possible.

Any personal data breach must be reported immediately, both to the authorities and to each affected individual.

Lastly, businesses should keep the 7 principles of GDPR close to their hearts:

(1) Lawfulness, fairness and transparency. Information must be collected fairly. Transparently inform your users about what information you collect and how you share it.

(2) Purpose limitation. Businesses must collect and process personal data only for the purposes they explicitly specified to the data subjects concerned.

(3) Data minimisation. Organisations shouldn’t collect more personal information than they need from their users.

(4) Accuracy. Ensuring the data collected is accurate and taking steps to correct any inaccuracies.

(5) Storage limitation. Controllers should not store and hold onto data for longer than necessary for the purposes for which the data was collected.

(6) Integrity and Confidentiality (Security). Personal data must be protected against “unauthorised or unlawful processing,” as well as accidental loss, destruction or damage. In layman’s terms, this means that appropriate information security protections must be put in place to make sure information isn’t accessed by attackers or accidentally leaked as part of a data breach.

(7) Accountability. This means documenting how personal data is handled and the steps taken to ensure that only people who need access to particular information are able to obtain it. Accountability can also include training staff in data protection measures and regularly evaluating data handling processes.