The General Data Protection Regulation (GDPR) specifies how personal data should be collected, used, processed, and stored. It aims to protect personal information and privacy of users.
The exponential growth of data produced worldwide, and the increasing exposure of people on social media, have created opportunities for companies to use personal information in many kinds of analysis. This freedom created the need for specific legislation to address the new scenario.
The discussion became stronger after events such as the Cambridge Analytica data scandal, where data from Facebook users were used during the US presidential campaign.
In Europe, this debate led to the creation of the GDPR, which inspired data protection legislations in other countries as well.
This article presents an overview of the GDPR and how it can affect the activities of IT professionals.
What is the GDPR – General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a regulation in the European Union (EU) law on data protection and privacy. The GDPR was adopted in 2016 and became enforceable in 2018.
As it also addresses the transfer of personal data outside the EU, it became a model for many other laws across the world. As a result, many countries have created their own specific legislation to regulate data processing, including Brazil and the United States.
A specific standard for data protection became a requirement with the fast production and leakage of information. Today, anyone can use a smartphone and generate a variety of data every minute.
In addition, connected objects (the Internet of Things, IoT) collect information from users and monitor them. In this context, the GDPR limits possible data misuse and explicitly punishes the unregulated use of data by companies.
Purpose of the GDPR
The primary objective of the GDPR is to enhance users’ control and rights over their personal data and simplify the regulatory environment for international businesses. Users may allow companies to use their personal data for specific purposes, as long as such use is clearly explained. In addition, users can also withdraw their consent and request deletion of information whenever they want.
Data uses must be clearly described by the companies, with well-defined responsibilities and commitments for every party, establishing a relationship of transparency and security. Therefore, the GDPR has a great impact on companies, especially their marketing, IT, commercial, and legal departments.
What are the key determinations of the GDPR?
The GDPR determines that users must always have control over their information. So they must be able to modify, move, or delete their data whenever they want and without obstacles.
Also, companies must clearly state the reasons for storing and processing data, avoiding tricks such as:
- long, vague terms of use that most people end up not reading;
- pre-selected buttons like “OK,” “I agree,” “Yes,” and similar, which imply automatic acceptance.
According to the GDPR, companies must explain why they are collecting and processing data from users. This explanation must be clear and objective, describing how they will use such data and how long they will store them, as well as when the information will be deleted from their database.
Also, companies have to offer methods for users to access and control their data at any time. In case of leaks or any change in data processing, they must inform users immediately.
Organizations must also assign one professional for data management and data practices. This person will act as a mediator and search for solutions in case of any obstacle or problem regarding the information. The professional must also explain the GDPR to all employees who are directly involved with user data.
Now, let’s analyze every item addressed in the GDPR and what is expected in relation to them.
- Personal data
Personal data are any data that, alone or combined with other data, allow their owner to be identified. Examples of personal data include:
- full name;
- home address;
- IP address;
- credit/debit card information.
Companies must ensure protection of these data, which should be used only for the purposes authorized by data owners.
- Sensitive data
The GDPR also aims to protect sensitive data, which contain more private information about a person.
Some examples of sensitive data are information regarding:
- political positioning;
- bank data;
- others that allow a system or tool to perform group segmentation.
This information requires even more attention from the company that intends to store and process such data.
- Data processing
Data processing refers to how data are used. That is, it involves what a company does or intends to do with collected data. These intentions must be clearly described to users, who may agree or not. One example is communication between banks.
Without the GDPR, banks interconnect their customer data, among other actions. This way, banking and financial data of a bank customer can be accessed by another bank, even if this is not an ethical or legal practice.
With the GDPR, users have their financial data protected because they must give permission before their data are shared between banks, an issue regulated by the Open Finance system.
User consent should be transparent and clear, giving companies the right to process collected data only according to the agreed terms.
- Data subject
Data subject is any natural person who has provided personal data and information, virtually or otherwise. Therefore, data subjects have rights over their data, including the right to be forgotten.
If someone has data exposed on a website, for example, even if such exposure was authorized in the past, this person has the right to request data deletion whenever he/she wants.
Other important user rights of the GDPR are the right of access and the right to information, which allow users to understand what information is being stored by the company and why.
Under the GDPR, data subjects can request the following actions at any moment and without any justification:
- confirmation of whether their data are being processed;
- access to their own data;
- correction of incomplete, inaccurate, or outdated data;
- anonymization, blocking, or deletion of data not processed in compliance with the GDPR;
- data portability to another service or product provider;
- deletion of processed personal data;
- information on the public and private entities with which the controller has shared their data;
- information about the possibility of not giving consent and about the consequences of such refusal;
- withdrawal of consent;
- review by a human agent of automated decisions.
Providing data subjects with full control over their information is important to prevent companies from taking advantage of legal gaps and using data to favor them, as seen in the famous case of Cambridge Analytica.
- IT responsibilities
The IT department is closely linked to user data. After all, that’s where data are processed and stored. Therefore, the responsibility of IT professionals has increased with the law.
One of the key factors is the adoption of Privacy by Design. It means that privacy is incorporated into the system architecture, providing access to data subjects and allowing autonomous data management, collection, and processing.
The IT department is responsible for incorporating this new model into business. IT governance is a strategy that will provide the necessary support to organizations, ensuring their digital security, privacy, and asset maintenance policies.
- Anonymization and pseudonymization
Data anonymization is a technique to ensure the privacy of personal data. It uses techniques such as encryption or hashing so that the information can no longer be linked to a specific user. For GDPR purposes, anonymous data are not considered personal data.
Pseudonymization removes the obvious association between data and user but does not prevent that association from being re-established (for example, by whoever holds the key or mapping table). For this reason, when data have been "anonymized" but still allow a connection back to their owners, they are still considered personal data.
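The distinction above is easiest to see in code. The following is an added example, not code from the original article or from Milvus: it pseudonymizes constructed sample records with a keyed HMAC (so records about the same person still link together and the key holder can re-identify them), then anonymizes the same records by dropping direct identifiers and generalizing age into bands, and measures the smallest group size in the anonymized output so a practitioner can check that no record is singled out. The key and the records are constructed placeholders.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample records; these are not real people.
RECORDS: List[Dict] = [
    {"full_name": "Alice Example", "email": "alice@example.com", "ip": "203.0.113.7", "age": 34, "city": "Lisbon"},
    {"full_name": "Bob Example", "email": "bob@example.com", "ip": "203.0.113.42", "age": 29, "city": "Porto"},
    {"full_name": "Alice Example", "email": "alice@example.com", "ip": "203.0.113.7", "age": 34, "city": "Lisbon"},
    {"full_name": "Carol Example", "email": "carol@example.com", "ip": "203.0.113.9", "age": 25, "city": "Braga"},
]

# Fields that identify a person directly; both techniques remove them from the output.
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("full_name", "email", "ip")

# Placeholder secret for the demo. In a real deployment this key lives in a
# separate system from the pseudonymized data, because whoever holds it can
# re-identify every record.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def subject_token(email: str, key: bytes) -> str:
    """Deterministic keyed token for one data subject (HMAC-SHA256, truncated)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace direct identifiers with a keyed token.

    The same person always gets the same token, so their records remain
    linkable, and the key (or a stored mapping) leads back to the person.
    Under the GDPR this output is therefore still personal data.
    """
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_token"] = subject_token(rec["email"], key)
        out.append(pseudo)
    return out


def build_reidentification_table(records: Iterable[Dict], key: bytes) -> Dict[str, str]:
    """Token -> email mapping; the existence of this table is what keeps the data personal."""
    return {subject_token(rec["email"], key): rec["email"] for rec in records}


def reidentify(pseudo_record: Dict, table: Dict[str, str]) -> str:
    """Recover the subject behind a pseudonymized record using the mapping table."""
    return table.get(pseudo_record["subject_token"], "")


def age_band(age: int) -> str:
    """Generalize an exact age to a 10-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(records: Iterable[Dict]) -> List[Dict]:
    """Drop every direct identifier (no token at all) and generalize quasi-identifiers.

    Nothing in the output points back to an individual, so, provided the
    remaining attributes cannot single someone out, it is no longer personal data.
    City is dropped here because with this tiny sample it would identify people.
    """
    return [{"age_band": age_band(rec["age"])} for rec in records]


def min_group_size(records: Iterable[Dict], quasi_identifiers: Tuple[str, ...]) -> int:
    """Smallest number of records sharing the same quasi-identifier values (the 'k' in k-anonymity).

    A result of 1 means at least one record is unique on those attributes and can
    still be singled out, so the data should not be treated as anonymous.
    """
    groups = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return min(groups.values()) if groups else 0


if __name__ == "__main__":
    pseudo = pseudonymize(RECORDS, DEMO_KEY)
    table = build_reidentification_table(RECORDS, DEMO_KEY)
    print("pseudonymized:", pseudo)
    print("re-identified first record:", reidentify(pseudo[0], table))
    anon = anonymize(RECORDS)
    print("anonymized:", anon)
    print("smallest group on age_band:", min_group_size(anon, ("age_band",)))
```

Note how the pseudonymized output is useful for analysis (the two Alice records share a token) and yet reversible by anyone who obtains both the data and the key, which is exactly why the GDPR keeps treating it as personal data; the anonymized output loses that linkability and, with every age band holding at least two records here, no single person is distinguishable.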
- Data controller and data processor
Controller and processor are roles that are part of the GDPR, with different responsibilities in relation to personal data.
The data controller makes decisions related to data processing. It can be a natural person or a legal entity and is responsible in case of violation of the law’s provisions.
The data processor performs data processing as defined by the data controller. It can also be a natural person or a legal entity, and it is likewise legally responsible in case of non-compliance with the law’s provisions.
Penalties for not complying with the GDPR
Any company with a business relationship with a country that has adopted the GDPR or a similar data protection regulation must comply with its provisions. It means that foreign companies from countries without a specific legislation on the subject must respect and comply with the provisions of the GDPR or specific data protection law.
When a company fails to comply with the GDPR, its activities related to data processing may be interrupted or prohibited.
Partial non-compliances, or non-conformities, also cause fines that may correspond to a percentage of the company’s turnover or be charged per infraction.
ATTENTION: In case of data leakage, every piece of data can be interpreted as a violation!
Some punishments and fines of the GDPR include the following:
- a warning with the deadline for the adoption of corrective measures;
- a single fine of a percentage of a company’s turnover of its preceding fiscal year, excluding taxes;
- a daily fine observing the total limit defined in the GDPR;
- penalties applied only after the infraction has been duly investigated and confirmed;
- personal data related to the violation can be blocked until the issue is resolved;
- deletion of personal data related to the violation.
Considering the GDPR punishments and fines, companies must adopt all required and expected adaptations to fulfill the GDPR provisions, reviewing or creating processes, contingency plans, etc.
Relationship between information security and the GDPR
When learning about the GDPR, questions related to information security may come up because the two fields are related. After all, the GDPR seeks to protect user data.
Therefore, the IT departments and technology partners of companies must spare no effort to ensure compliance with legislation so that information can be properly accessed or used, avoiding penalties and fines.
For this reason, good governance and compliance practices must be in place, adopting measures that provide:
- system adequacy;
- access control;
- constant analysis and testing to find weaknesses in the company’s technological environment;
- proper corrections after feedback.
This way, companies can ensure effective incident and risk management.
Nine steps for GDPR implementation
The GDPR implementation in companies may seem challenging at first, but it can be an easier task by following some steps, as described below:
- Identify risks and threats
The starting point is to perform a detailed analysis of internal processes and systems in order to identify risks and threats, which can be more difficult to address in the adaptation stage. After that, solutions can be planned and implemented, always observing the GDPR rules.
- Map your company’s data
Mapping your company’s data refers to analyzing data owners, the types of stored data, and how they have been processed. Also, check where and how they have been stored and who can access them, based on data permissions, as applicable.
- Review collected data and their legitimacy
After data identification, analyze them carefully, observing if they are required and if data collection and storage comply with the legislation. In this process, undue records can be deleted.
- Create transparent communication with data subjects
As you have seen, user consent is critical. Therefore, your company must have a clear policy for data collection, processing, and storage. Also, improve your company’s communication and information channels so that data owners can have easy access to data.
- Review agreements and privacy policies
Review all agreements, privacy policies, and other related documents. They must be adapted to comply with the GDPR. Collect pending consents when sharing your updated terms.
- Assign a Data Protection Officer (DPO)
The DPO is the manager responsible for data protection. This role includes making sure the company complies with all GDPR provisions. According to the GDPR, a DPO must be assigned, so choose a qualified employee to avoid errors in the processes.
- Train your teams
Another step in the GDPR implementation in your company is to ensure teams are prepared to guarantee data protection, user privacy, and transparency. Provide training to make sure everyone has understood the legal requirements and rules, including:
- the user’s right of access to stored data;
- the user’s right to withdraw consent;
- the user’s right to erasure.
- Improve governance measurement systems
Governance support is critical in the GDPR implementation, as it involves processes, policies, and practices that guide strategic decisions and planning. Then, review and improve systems to ensure transparency and reliability in data processing.
- Have the support of a GDPR tool
Finally, another important suggestion is the adoption of a suitable tool to help you in this process. Specialized solutions have been designed to help implement the GDPR in companies and support customers in their process to comply with the legislation.
Webinar: GDPR + Cybersecurity
IT support professionals can use the GDPR to their advantage, using the legislation to sell their services. It ensures data security best practices in companies, avoiding fines and punishments for data misuse.
Customers who provide data collection services have to dedicate special attention to their systems, ensuring more rigorous backup strategies and protection against intrusion. This way, IT professionals who master the GDPR will use it to offer personalized products and services.
Legal basis for data processing
Are you an IT professional who uses digital marketing strategies to win new customers? Do you get prospect data from leads (potential customers) using forms on landing pages and applications?
If yes, you should know that you must adapt your data collection techniques to the GDPR, because this legislation reduces data misuse, which, when well orchestrated, can even influence election results.
IT professionals must study the GDPR in detail to offer more segmented services based on data protection and develop marketing strategies that make proper use of information.
Using a management software solution is an important tool in this new scenario, as it allows organized centralized management, supporting automation and monitoring of actions focused on data security and protection (such as backup and update).
So the GDPR is deeply related to cybersecurity – the practice of protecting devices, networks, and data from malicious attacks, considering that cyberthreats have evolved at the same speed as business technology.
This way, even if a company is compliant with the GDPR in terms of data storage and processing, the IT department must be prepared to control and prevent external attacks to avoid theft of data and other strategic information.
Want to know everything about the GDPR and cybersecurity? Milvus has a specific webinar to discuss this subject. Access it for free: GDPR + CYBERSECURITY.
As you have seen, the GDPR is a legislation that regulates the collection, storage, and processing of personal and sensitive data, ensuring user privacy.
The GDPR provides data subjects with rights and full control over their information. This way, companies cannot rely on a lack of user awareness, legal gaps or strategies to confuse data owners or use data for their own benefit.
Therefore, data processing companies must clearly explain to users the purpose of data collection and use. This way, users have the option to authorize or not data sharing and processing.
In addition, users can request data deletion from the company’s database at any time. Failure to comply with the new law can cause significant damage to companies, including full or partial interruption of related activities.
In this scenario, using an automation and control system for your IT department can be essential for data management, supporting compliance with the GDPR.
The Milvus system
The Milvus system helps optimize your IT team’s actions, leading to improved team efficiency and productivity without changing the staff structure.
In addition, you can use the Milvus GDPR tool, which helps your company implement the solution for your customers. Take a free trial or request a demo!
Did you like this article about the GDPR? Follow Milvus on LinkedIn, Instagram, and YouTube and check the latest news of the IT universe.