Skip to Main Content

Online Privacy and Security: GDPR

General Data Protection Regulation (GDPR)

Transparent outline map of Europe on EU flag, that transtions to very light blue, with padlock reading GDPR instead the stars

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that came into effect on May 25, 2018. It is designed to protect the privacy and personal data of individuals within the EU and to regulate how organisations worldwide handle personal data.

What is Personal Data?

In the context of GDPR, personal data is any data or information that can identify or be used to help (when collected together) identify a living person. This applies even to data that has been encrypted or anonymised, so long as the encryption/anonymisation can be reversed.

Personal data can include, name, date of birth, address, location, IP address, email etc. 

Some sensitive personal data, called "special categories", are subject to additional protection under GDPR, with their processing not allowed unless specific requirements are met (for example, explicit consent), The special categories include: 

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data
  • health data
  • sexual orientation

What Is Meant by Data Processing?

Data processing covers a wide range of use of personal data, both manual or automated. It includes, for example data:

  • collection
  • recording
  • organisation
  • storage
  • adaptation or alteration
  • retrieval
  • usage

Processing Personal Data

Under the GDPR, there are six legitimate contexts - "lawful bases" -  for processing personal data.  Each of these provides a different legal justification for processing data, and organisations must determine and document which basis or bases applies to their processing activities.

Consent

You have given clear and explicit consent for your personal data to be processed for a specific purpose.   Consent must be freely given, specific, informed, and unambiguous and must involve a clear affirmative action on your part. e.g., by ticking a box that says you are giving consent for your data to be processed You have the right to withdraw your consent at any time.

Contract

The processing is necessary for the performance of a contract to which you are party, or about to enter and applies when data processing is required to fulfil contractual obligations, for example providing services or goods that you have ordered.

Legal Obligation

The processing is necessary for compliance with a legal or regulatory obligation to which the data controller is subject, for example, processing data for tax reporting.

Vital Interests

The processing is necessary to protect your vital interests, such as releasing your medical information in a medical emergency.

Public Task

The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller., for example, processing data for public health, education, or government functions.

Legitimate Interests

The processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by your interests, rights, or freedoms. This is a bit of a grey area; "flexible" is the word often used to describe this use. An example of legitimate interest might be a company keeping job applicant details on file because, while they weren't suited for the role being advertised, they might be a good fit for future positions. Processing examples considered legitimate interest by GDPR include fraud prevention and network security.

Key Objectives

The key objectives of GDPR are to:

  • enhance privacy rights
  • strengthen the data protection rights of individuals.
  • Increase the accountability of organisations in how they collect, process, store and share personal data.
  • harmonise data protection laws across the EU, providing a consistent legal framework.

Key Principles

The key principles underpinning GDPR are:

  • Personal data must be processed lawfully, fairly, and transparently
  • Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data collected must only be adequate, relevant, and limited to what is necessary for the intended purpose
  • Personal data help by organisations must be accurate and kept up to date.
  • Personal data can only be kept for as long as it is needed for the purposes for which it was collected.
  • Data must be processed in an appropriately secure manner and must be protected against unauthorised or unlawful processing and accidental loss, destruction, or damage.
  • Organisations must be able to demonstrate compliance with these principles

Rights of Individuals

GDPR is intended to protect individuals against excessive sharing or use of their personal data and therefore privacy rights have been enshrined in the legislation:

  • Right to Access: Individuals have the right to access their personal data and obtain information about how it is being processed.
  • Right to Rectification: Individuals can request the correction of inaccurate or incomplete personal data.
  • Right to Erasure (Right to be Forgotten): Individuals can request the deletion of their personal data under certain conditions.
  • Right to Restrict Processing: Individuals can request the restriction of processing of their personal data in specific circumstances.
  • Right to Data Portability: Individuals can request their personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller.
  • Right to Object: Individuals can object to the processing of their personal data in certain situations, including direct marketing.
  • Rights Related to Automated Decision-Making: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or significantly affects them.

 

Obligations for Organisations

Obviously, GDPR puts the onus on organisations to comply and therefore companies have some obligations to fulfil:

  • Organisations must appoint a Data Protection Officer (DPO) if they engage in large-scale systematic monitoring or process large amounts of sensitive personal data.
  • A Data Protection Impact Assessment (DPIA) is required under the GDPR any time an organisation starts a new project that is likely to involve “a high risk” to people’s personal information. The DPIA should identify and reduce potential risks to data subjects.
  • Organisations must report certain types of data breaches to the relevant supervisory authority within 72 hours and to affected individuals without undue delay.
  • Organisations must obtain explicit consent from individuals for processing their personal data in many cases. Consent must be freely given, specific, informed, and unambiguous.
  • Organisations must maintain records of data processing activities and ensure that these records are available to supervisory authorities upon request.

Enforcement and Penalties

Each EU member state has its own supervisory authority responsible for enforcing GDPR. In Ireland, this is the Data Protection Commission (DPC). The DPC has other roles and functions relating to privacy legislation.

Laws and regulations that are not enforced are sometimes ignored. Therefore, to ensure adherence to GDPR, organisations can face significant fines for non-compliance. The maximum fines are up to €20 million or 4% of the organisation's annual global turnover, whichever is higher.

Impact of GDPR

The GDPR is a far-reaching piece of legislation that has transformed the privacy landscape and helped raise the standard for privacy and security in the digital age.

Public Awareness

GDPR has raised public awareness about data privacy and protection, leading individuals to be more conscious of their rights and more deliberate about how their data is shared.

Global Reach

To operate in the EU,  the world's largest single market area, companies must be GDPR compliant.

Withdrawal of Website Access

Rather than comply, or being able to comply with GDPR, some organisations have had to withdraw or have chosen to withdraw access to their websites from within the EU. Many of these sites are US (local) news organisations.

Webpage showing http 451 error code: unavailable due to legal reasons

An organisation may choose not to comply with GDPR because:

  • it collects too much data
  • compliance is too costly
  • it doesn't have much of a presence in Europe (e.g., the websites of US local news outfits won't receive much traffic from the EU)

Enhanced Data Protection

Because of the global reach of GDPR, there is raised awareness of, and improved data protection practices worldwide. More and more countries are enacting data privacy legislation, often based on GDPR itself

Better Accountability

Organisations are required to demonstrate compliance with GDPR principles and those that engage in large-scale systematic monitoring or processing of sensitive data must appoint a DPO to oversee compliance with GDPR. They must also maintain detailed records of data processing activities and be able to provide these records to supervisory authorities upon request.

Increased Data Security & Transparency

Organisations active in the EU are more transparent about their data processing activities and provide better information to people about their rights and must implement appropriate technical and organisational measures to ensure data security.

Cookie Pop-Ups and Banners

In addition to more high-level impact, the GDPR also has day to day implications for web users.All those cookie pop-ups and banners that you see when you arrive at a website? The GDPR is responsible for this. To comply with the GDPR, websites based in any EU country or has visitors from the EU must:

  • Display a cookie consent pop-up/banner that informs you about the use of cookies and gives you the option to accept or decline non-essential cookies.
  • Obtain explicit consent from you before placing cookies on your devices.
  • Allow you to manage your cookie preferences at any time.

As an aside, some sites try to get round these requirements by using what are called dark (or deceptive) patterns -  tricks to make you do things that you didn't mean to or wouldn't have wanted to do, like agree to have non-essential tracking cookies placed on your device. Some cookie-related dark patterns to watch out for:

  • The pop-up/banner is notice-only: where the site tells you that you consent to cookie use if you're using the site
  • An 'Accept Cookies' but no  'Reject Cookies' button in the pop-up/banner: making it difficult for you to reject cookies (there might be a "Manage cookies" link instead - but isn't it so much easier just to click 'Accept'?)
  • Pre-ticked cookie categories: where non-essential cookies are approved by default
  • Selective use of colours and font size to highlight cookie acceptance and draw attention away from the reject button: where the large "Accept Cookies" button might be black/white and the smaller 'Reject Cookies' dark/grey light grey
  • Legitimate interest: some sites might claim legitimate interest to use cookies without asking for your consent for their use, but legitimate interest can be justified when obtaining personal data is necessary, and that really isn't the case here.

Cookie pop-ups can be annoying (banners less so, as they are part of the page) but there are some browser extensions/addons that block them and decline the use of non-essential cookies (see the Links and Resources page).

Image sources:

GDPR: Dooffy, CC0, via Wikimedia Commons

http 451 error: Miserlou, CC BY-SA 4.0 , via Wikimedia Commons

ETBI organisation logo

ETBI
Piper's Hill, Kilcullen Road, Naas,
Co Kildare, Ireland
+353 (0)45-901070 Email info@etbi.ie


SOLAS logo