The General Data Protection Regulation (GDPR) is a European regulation that governs how companies and other organizations handle personal data. It is the most significant data protection measure in the last 20 years and has important implications for any organization worldwide that deals with citizens of the European Union.
The legislation aims to give individuals control over the use of their data, protecting "the fundamental rights and freedoms of natural persons." To achieve this, it sets precise and stringent requirements for data processing, transparency, the documentation to be produced and retained, and user consent.
Every organization must document and monitor personal data processing activities.
As a data controller, each organization must record and monitor personal data processing activities. This includes personal data processed not only within the organization but also by third parties—the so-called data processors.
Data processors can include various entities, from Software-as-a-Service providers to embedded third-party services that track and profile visitors to the organization's website.
Both data controllers and processors must be able to account for the types of data processed, the purpose of their processing, as well as the countries and third parties to which the data is transmitted.
If personal data is transferred to organizations or jurisdictions that fall outside the scope of the GDPR, or that the GDPR does not recognize as "adequate," the user must be specifically informed of the transfer and its associated risks.
All consents must be recorded as proof that consent has been given.
On May 4, 2020, the European Data Protection Board (EDPB) adopted guidelines on valid consent under the GDPR.
Valid consent must be a free, specific, informed, and unambiguous indication of the user's intentions, meaning a clear and affirmative action on the part of the user.
The EDPB guidelines clarify that scrolling or continuing to browse a website does not constitute valid consent, and cookie banners cannot have pre-ticked boxes.
Cookie walls (forced consent) are also deemed non-compliant.
The EDPB, the highest supervisory authority responsible for enforcing the GDPR across the EU, is composed of representatives from the data protection authorities of each EU member state. Its guidelines and decisions form the basis for implementing the GDPR at the national level.
Every individual now has the "right to data portability," the "right to better access to their data," along with the "right to be forgotten," and can withdraw their consent at any time. In such a case, the data controller must delete the individual's personal data if it is no longer needed for the purpose for which it was collected.
In the event of a data breach, the company must be able to notify the data protection authorities and the affected individuals within 72 hours.
Additionally, the GDPR requires public administrations, organizations with more than 250 employees, and businesses that process sensitive personal data on a large scale to appoint or train a Data Protection Officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organization.
As for Brexit, after the transition period during which EU laws still apply, the UK government plans to introduce equivalent legislation that closely follows the European GDPR and will be known as the UK-GDPR.