GDPR – General Data Protection Regulation

The General Data Protection Regulation (GDPR) is legislation designed to protect and control the use of personal data in the EU and other countries.

In a digital world, more and more personal data is being created and collected by organizations. The General Data Protection Regulation therefore aims to protect personal information, preventing it from being misused and giving consumers and citizens greater control over it. This article explains which organizations it covers and the countries it applies to.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation came into force in the EU on May 25, 2018. It also applies in the UK. The GDPR was imposed to better protect personal data, and aims to apply and update the founding principles of the Data Protection Act of 1978.

The objective of this European regulation is to make organizations responsible for the processing and security of the personal data they collect.

Personal data is any information relating to an identified or identifiable natural person. This includes, among other things, a person’s first or last name, address, and social security number.

Even if the data does not directly name a person, but allows their identification, the GDPR applies. This is the case, for example, with a marketing database that includes the age, gender, location and purchasing behavior of users – even if the names of these people are missing.

It is important to know that the GDPR doesn’t just cover digital data – it also covers paper-based personal information processed by organizations.

The processing of personal data covers the entire data lifecycle, including collection, storage, modification, sharing, and re-use.

What are the principles of the GDPR?

The General Data Protection Regulation is built on several founding principles:

  • Purpose: the processing of data must pursue a lawful purpose. For example, customer management, prospecting, creation of a new service, payment of an invoice, taxes, etc.
  • Proportionality and relevance: in the same spirit, companies can process personal data as long as the processing is proportional and relevant to the purpose.
  • Retention period: in the context of proportionality, the retention period depends on the type of data and the purpose.
  • Consent: the consent of data subjects must be obtained before processing their data.
  • Security and confidentiality: organizations must ensure the security of their data. If sensitive data is disclosed, it is their responsibility. This is the case, for example, for payment information kept by banks or e-commerce sites.

Who is the data protection regulation aimed at?

All organizations that process third party data must comply with the GDPR. This is true even if the information is collected on behalf of others (such as subcontractors). In other words, the General Data Protection Regulation applies to all organizations, whether they are public or private.

Moreover, since it is a European regulation, it applies to all companies located in Europe, or whose data concerns European citizens. Thus, it also covers American companies that offer products or services in Europe. Additionally, similar legislation, such as the California Consumer Privacy Act (CCPA), has been introduced that applies the principles of the GDPR in other territories.

What are the risks in case of non-compliance with the GDPR?

Data protection bodies in each EU country (such as CNIL in France) are responsible for ensuring that organizations comply with the GDPR. In case of violations, these bodies can apply various sanctions, such as:

  • Issuing warnings and reprimands
  • Imposing temporary or permanent bans on data processing
  • Ordering the rectification, restriction or erasure of data
  • Suspending data flows to third countries
  • Imposing financial penalties (20 million euros or 4% of annual turnover)

How do organizations comply with the GDPR?

To avoid these sanctions, organizations need to take particular actions:

  • The appointment of a data protection officer (DPO): they are responsible for ensuring compliance with the General Data Protection Regulation.
  • The implementation of a governance strategy: it is advisable to make an inventory of all internal data processing to ensure GDPR compliance.
  • Identification of vulnerabilities: it is essential to detect security vulnerabilities in the system and to inform the local supervisory body quickly in order to avoid any sanctions.

Even if the GDPR was initially seen as a constraint on organizations, it also provides new opportunities, ensuring they improve data governance and build trust with customers, prospects or citizens.
