GDPR – General Data Protection Regulation

In a digital world, more and more personal data is being created and collected by organizations. The General Data Protection Regulation therefore aims to protect personal information, preventing it being misused and providing consumers and citizens with greater control over it. This article explains which organizations it covers and the countries it applies to.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation came into force in the EU on May 25, 2018. It also applies in the UK. The GDPR was imposed to better protect personal data, and aims to apply and update the founding principles of the Data Protection Act of 1978.

The objective of this European regulation is to make organizations responsible for the processing and security of the personal data they collect.

Personal data is any information relating to a natural or identifiable person. This concerns, among other things, a person’s first or last name, address, social security number, etc.

Even if the data does not directly name a person, but allows their identification, the GDPR applies. This is the case, for example, with a marketing database that includes the age, gender, location and purchasing behavior of users – even if the names of these people are missing.

It is important to know that the GDPR doesn’t just cover digital data – it also covers paper-based personal information processed by organizations.

The processing of personal data covers the entire data lifecycle, including collection, storage, modification, sharing, and re-use.

What are the principles of the GDPR?

The General Data Protection Regulation is built on several founding principles:

• Purpose: the processing of data must pursue a lawful purpose. For example, customer management, prospecting, creation of a new service, payment of an invoice, taxes, etc.
• Proportionality and relevance: in the same spirit, companies can process personal data as long as the processing is proportional and relevant to the purpose.
• Retention period: in the context of proportionality, the retention period depends on the type of data and the purpose.
• Consent: the consent of data subjects must be obtained before processing their data.
• Security and confidentiality: organizations must ensure the security of their data. If sensitive data is disclosed, it is their responsibility. This is the case, for example, for payment information kept by banks or e-commerce sites.

Who is the data protection regulation aimed at?

All organizations that process third party data must comply with the GDPR. This is true even if the information is collected on behalf of others (such as subcontractors). In other words, the General Data Protection Regulation applies to all organizations, whether they are public or private.

Moreover, since it is a European regulation, it applies to all companies located in Europe, or whose data concerns European citizens. Thus, American companies that offer products or services in Europe. Additionally, similar legislation, such as the California Consumer Privacy Act (CCPA), have been introduced that apply the principles of the GDPR in other territories.

What are the risks in case of non-compliance with the GDPR?

Data protection bodies in each EU country (such as CNIL in France) are responsible for ensuring that organizations comply with the GDPR. In case of violations, these bodies can apply various sanctions, such as:

• Issuing warnings and reprimands
• Imposing temporary or permanent bans on data processing
• Ordering the rectification, restriction or erasure of data
• Suspension of data flows to third countries
• Financial penalty (20 million euros or 4% of annual turnover).

How do organizations comply with the GDPR?

To avoid these sanctions, organizations need to take particular actions:

• The appointment of a data protection officer (DPO): they are responsible for ensuring compliance with the General Data Protection Regulation.
• The implementation of a governance strategy: it is advisable to make an inventory of all internal data processing to ensure GDPR compliance.
• Identification of vulnerabilities: it is essential to detect security vulnerabilities in the system and to inform the local supervisory body quickly in order to avoid any sanctions.

Even if the GDPR was initially seen as a constraint on organizations, it also provides new opportunities, ensuring they improve data governance and build trust with customers, prospects or citizens.