The General Data Protection Regulation (GDPR) is a regulation in the European Union in the field of data protection. It replaces the Data Protection Directive 95/46/EC, which was introduced in 1995. The GDPR was adopted on April 14, 2018, and came into force on May 25, 2018. The GDPR regulates the handling of personal data by controllers and processors.
The regulation sets out strict rules about how personal data must be collected, used, and protected. It gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use.
The regulation applies to any company that processes the data of individuals in the EU, regardless of whether the company is based inside or outside the EU.
The 7 principles of GDPR are:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
Lawfulness, fairness, and transparency
The law requires that data processing activities be carried out in a lawful, fair, and transparent manner. This means that individuals must be informed of the purposes for which their data will be used, and they must be given a chance to object to its use if they so choose.
Purpose limitation
The law restricts the use of personal data to the specific purpose(s) for which it was collected. This principle ensures that data is not used for any other purpose that the individual has not consented to.
Data minimisation
The law requires that data be collected and processed only to the extent necessary to achieve the specific purpose for which it was collected. This principle helps to protect individuals from having their data used for purposes that they did not consent to, or that are not necessary for the purpose for which it was collected.
Accuracy
The law requires that personal data be accurate and up-to-date. This principle helps to ensure that individuals are not unfairly disadvantaged by incorrect or outdated data.
Storage limitation
The law requires that personal data be kept for no longer than is necessary for the purpose(s) for which it was collected. This principle helps to protect individuals from having their data stored for longer than is necessary, or from having it used for purposes for which it was not collected.
Integrity and confidentiality
The law requires that personal data be protected from unauthorized access, disclosure, or destruction. This principle helps to ensure that individuals’ data is safe and secure, and that their privacy is respected.
Accountability
The law requires that data controllers be held accountable for their compliance with the GDPR. This principle helps to ensure that individuals’ rights are respected and that data controllers are transparent in their handling of personal data.
Under the GDPR, fines for non-compliance can be up to 4% of a company’s global annual revenue or €20 million (whichever is greater). In addition, companies can be ordered to stop processing data, and ordered to delete data that has been processed unlawfully.
Some specific examples of cases where companies have been fined for GDPR violations include:
Google was fined €50 million by the CNIL (the French data protection authority) in January 2019 for a lack of transparency, inadequate information, and lack of valid consent regarding the use of personal data for advertising purposes.
In July 2019, British Airways was fined £183 million (around $230 million) by the UK’s Information Commissioner’s Office (ICO) for a data breach that affected 500,000 customers.
In December 2018, Marriott International was fined €110 million (around $124 million) by the ICO for a data breach that affected 339 million customers.