GDPR in the EU | A comprehensive guide to knowing all about it!

14-06-2024 | 14 min read | GDPR Compliance, SAP Information Lifecycle Management

Just a few days back, Europol, the European Union's law enforcement agency, confirmed a web portal breach; another report states that a massive data breach at Dell affected approximately 49 million users. We hear about data breaches across the globe affecting organisations of all sizes. And while it is practically impossible to eliminate such breaches altogether, there are certainly ways to ensure that user data is not affected to an extreme extent. Data protection and privacy laws ensure just that. As a matter of fact, the web portal breach at Europol didn't affect any operational data; and in the Dell breach, the company said in its statement that no customer data like financial and payment information, email addresses and phone numbers was stolen in the attack. Thanks to data privacy laws like the General Data Protection Regulation, the risk of user data being stolen is potentially decreasing.

Touted to be the toughest privacy and security law in the world, the General Data Protection Regulation, or GDPR, outlines a framework for how an organisation may collect, process, store, and transfer personal data. This comprehensive regulation harmonises data privacy law across all the member countries of the European Union.

An important point to keep in mind: though the legislation was drafted and passed by the EU, the law imposes obligations on non-EU organisations if they collect data related to people within the member countries of the European Union. With the implementation of the GDPR, Europe solidified its stance on the importance and priority of data privacy at a time when the digital era was gaining more and more recognition.

The regulation is strict on its specifics, which can make GDPR compliance tedious for organisations, particularly small and medium-sized enterprises. Having said that, companies failing to comply with the requirements of the General Data Protection Regulation face heavy fines and penalties, reaching into the tens of millions of euros.

Overall, the GDPR was designed to provide better, more enhanced protection and rights to the individuals consenting to organisations capturing their personal data. In addition, this data privacy law also emphasises how user data must be collected, sorted, and used, along with the limitations that apply.

The General Data Protection Regulation harmonised the rules for data protection across the member countries of the European Union. As a matter of fact, beyond EU-based organisations, the GDPR also applies to any organisation that offers services in the EU, regardless of where it is based.

While we see more voices advocating for data privacy and protection today in the digital world, the fact of the matter is that the 'Right to Privacy' has always been a hot topic of interest in the world. As for the EU, the 'Right to Privacy' has been a part of the 1950 European Convention on Human Rights, which states: "Everyone has the right to respect for his private and family life, his home and his correspondence."

As the world advanced with new technological inventions and the magic of the internet, the European Union recognised the need for modern, more efficient, and stricter data protection and privacy laws. In 1995, the EU passed a mandate, the European Data Protection Directive, that established minimum data privacy and security standards. The directive came into effect in 1998, and each member state was tasked with implementing its own law in line with it.

By then, however, the internet had already stormed into the world and ushered in the era of digitalisation and online operations. Recognising the need for a refined, stronger, and stricter data privacy law, the European Parliament introduced and passed the General Data Protection Regulation in 2016. On 25th May 2018, the GDPR finally came into effect in the EU.

In this section, we will see the basics of the GDPR, divided into three parts: who it applies to, the different penalties, and the key definitions.

The gist of it is that if your organisation processes personal data of citizens belonging to the member nations of the EU, or if your organisation offers goods or services to people within the EU, then the GDPR applies to you, even if your company is not based in the EU. The reason behind the implementation of the General Data Protection Regulation is to protect any data that belongs to EU citizens. Therefore, it applies to businesses that handle such data, regardless of whether they are EU-based organisations or not. As a matter of fact, the law's application to non-EU organisations is described as its "extra-territorial effect".

In Article 3, the territorial scope of the GDPR is laid out. Here's what you need to know:

  • The regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, irrespective of whether the processing takes place within the EU or not.
  • The GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the Union, if the processing activities are related to:
      • the offering of goods or services to such data subjects in the Union, irrespective of whether a payment of the data subject is required; or
      • the monitoring of their behaviour as far as it takes place within the Union.
  • The General Data Protection Regulation also applies to the processing of personal data by a controller not established in the EU but in a place where Member State law applies by virtue of public international law.

Furthermore, Article 3.1 states that the GDPR applies to organisations established in the EU, regardless of whether the data is stored or used outside the region. Article 3.2 goes a step further and applies the law to organisations that are not within the EU if either of the following conditions is met:

  • The organisation offers goods and services in the EU; or
  • It monitors the online behaviour of people in the EU.

Having said that, Article 3.3 covers a few more scenarios, such as EU embassies; we will discuss these in depth in future articles.

To be fair, it is imperative to understand the GDPR's scope of application, as it applies to both EU and non-EU organisations, which makes it somewhat challenging. Now that you have read about where it applies, let's see what the exceptions to this rule are.

There are two important exceptions to this rule, namely – 

  • The GDPR is not applicable to "purely personal or household" activities. Therefore, if you have collected an email address, for example, to organise a day out with your team members or colleagues, there is no need to encrypt their contact details for GDPR compliance (although it is always a good idea to do so). That said, the GDPR applies to organisations engaged in "professional or commercial activities". So, for example, if you are collecting email addresses from your known circle to fundraise for an event, the GDPR may apply to you.
  • The second exception to the GDPR compliance applies to organisations that have less than 250 employees. Keep in mind that small and medium-sized companies are not totally exempt from the GDPR; however, the regulation does free them from obligations of record-keeping in most cases.  

Failing to comply with the requirements of the General Data Protection Regulation can prove to be a costly affair, burning a major hole in your pocket. According to Article 83, the fines imposed by the EU for non-compliance with the GDPR are flexible and scale with the firm, but regardless of its size, the liability is significantly high.

Less severe violations can result in a fine of up to €10 million or 2% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher. These fines cover any violations of the articles governing:

Controllers and processors: Under Articles 8, 11, 25-39, 42, and 43, organisations that collect and control data (controllers) and those that process data (processors) must adhere without exception to the rules governing data protection. Rules concerning the lawful processing of data must also be strictly adhered to; failing to do so will lead to heavy penalties. Organisations should read the aforementioned Articles 8, 11, 25-39, 42, and 43 to ensure adherence to the GDPR compliance requisites.

Certification bodies: Accredited bodies that are in charge of providing organisations with the needed certifications must ensure that their evaluations and assessments are done fairly and transparently without any bias. Read Articles 42 and 43 for more information on the same. 

Monitoring bodies: As per Article 41, monitoring bodies, which must have the appropriate level of expertise, must demonstrate independence and follow the established procedures when handling complaints or reported infringements, impartially and transparently.

Under the GDPR, the more severe infringements go against the principles of the right to privacy and the right to be forgotten; violations of these can result in penalties of up to €20 million, or 4% of the organisation's worldwide annual revenue from the preceding financial year, whichever amount is higher. These include any violations of the articles governing:

The fundamentals for processing: Under Articles 5, 6, and 9, organisations must process data lawfully, fairly, and transparently. The data has to be collected and processed for legitimate purposes and must be kept accurate and up to date. Moreover, the data processing must be done in a manner that ensures its security. Organisations are allowed to process data only if they meet one of the six lawful bases listed in Article 6. Additionally, certain types of personal data like racial origin, sexual orientation, political and religious beliefs, trade union membership, and health or biometric data may not be collected, except in specific circumstances. Read the aforementioned Articles 5, 6, and 9 for more information on this aspect.

The conditions for consent: Whenever an organisation’s processing of data is justified based on the user’s consent, it is mandatory to have it documented, in case the organisation needs to prove it under any circumstances. For this, the details are provided under Article 7.  

The rights of the data subjects: Under Articles 12-22, individuals have the right to know about the data the organisation is collecting, and moreover, what those data are used for. In addition to this, individuals also have the right to obtain a copy of the collected data, correct the data in case of inaccuracies, as well as erase the data in certain circumstances. Moreover, under this, individuals also have the right to transfer their data to other organisations.  

Transfer of individual’s personal data: This is specifically related to the transfer of personal data to an international organisation or a recipient in any third country. Under Articles 44-49, it is stated that before an organisation transfers personal data to a third country or international organisation, the EU must decide that the country or organisation takes adequate measures of protection while ensuring safeguarded transfer of the data.  

Apart from the two tiers of the GDPR penalties, the other fines levied are as follows – 

Violation of member state laws: Any violation of member state laws that are adopted under Chapter IX will result in penalties. Chapter IX grants EU member states the right to pass additional data privacy and protection laws; however, they must be in accordance with the GDPR. If there is any violation in following the national laws, penalties are guaranteed.  

Non-compliance with an order by a supervisory authority: If an organisation fails to comply with an order from any supervisory authority or monitoring body under the GDPR, regardless of the original violation, a heavy penalty will follow.

These are just administrative fines. As a matter of fact, Article 82 gives data subjects (users) the right to seek compensation from organisations that have caused them material or non-material damage as a result of GDPR violations.

Under the General Data Protection Regulation, penalties are administered by the data protection regulator in each EU country. The authority determines whether the law has been violated and the severity of the penalty. The following criteria determine the infringement and the amount of the fine:

The nature and gravity of the violation: What happened, why it happened, how many people were affected, what damage was done, and how long it took to resolve.

The intention of the violation: In this phase, the data protection regulator checks if the infringement was intentional or a result of negligence.  

Mitigation: Whether the organisation took any action to mitigate the damage suffered by data subjects as a result of the violation.

Precautionary measures: The amount of technical and organisational preparation implemented by the organisation for GDPR compliance.  

The history of the firm: Any relevant violations done previously, including the ones under the Data Protection Directive (not just the GDPR) and compliance with past administrative corrective actions under GDPR.  

Cooperation: The organisation's cooperation with the supervisory authorities to discover and rectify infringements.

Category of the data: The type of personal data affected by the violation.

Notification: Whether the organisation or the designated third party reported the violations to the data protection regulator or supervisory authority proactively.  

Certification: Whether the organisation followed the approved and appropriate code of conduct as well as whether it is certified. 

Aggravating factors: Lastly, any other circumstances of the case, including financial benefits gained or losses avoided as a result of the violation.

Once the data protection regulator has assessed these points, an organisation with multiple GDPR violations will be penalised for the most severe one, provided all the violations are part of the same processing operations. Otherwise, the organisation faces a heavier overall penalty.

Coming to the last of the basics of the General Data Protection Regulation: it defines several legal terms at length, and the most pivotal ones are listed below:

Personal data: Personal data is any information relating to an individual who can be directly or indirectly identified. The most obvious personal data are names and email addresses; others include location, ethnicity, gender, religious and political beliefs, web cookies, and biometric data. As a matter of fact, pseudonymous data also falls under the definition of personal data if it is even remotely easy to identify the individual.

Data processing: Any action performed on data, whether automated or manual, falls under the definition of data processing. Actions include collecting, recording, structuring, storing, using, organising, or erasing data.

Data subject: Data subject is the individual whose data is being processed; customers, site visitors, users, etc., are data subjects. 

Data controller: The party that decides why and how an individual's personal data is processed. For example, in your organisation, if you are the one deciding how data is handled, you are the data controller.

Data processor: A data processor is a third party that processes personal data on behalf of a data controller. Under the GDPR, there are special rules for these processing individuals and organisations. Data processors can include cloud servers, email service providers, and so on.

Personal data is everywhere, from HR records to bank records and more. Furthermore, it is scattered across several SAP modules, in multiple tables, documents, CRM systems, etc. This data can also be found in documents like payslips, emails, invoices, and so on; however, it cannot simply be stored in SAP systems without a legitimate purpose. Therefore, applying and ensuring GDPR compliance in SAP systems can be a difficult nut to crack. Generally speaking, however, the following steps can be followed:

  • The first step is identifying what type of personal data is stored and where it is stored.  
  • The second step is to define rules for data retention, locking, and deletion after defined periods. The retention period is determined by the purpose for which the personal data was collected, for example invoice management, application management, order management, etc.
  • After this, the personal data must be archived, deleted, or anonymised. 
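The three steps above, as an added example in Python that is not part of this article and not TJC Group's or SAP's code: an inventory of which records still hold direct identifiers (step 1), a retention rule per purpose with a lock period before end of retention (step 2), and deletion or anonymisation at the end of retention (step 3). The retention periods, the field names treated as identifiers, and the sample records are all constructed for illustration; a real implementation derives the periods from the legal basis of each purpose and documents them.

```python
from dataclasses import dataclass, replace
from datetime import date

# Illustrative retention rules keyed by the purpose for which the personal data
# was collected. The day counts are assumptions for this example, not statutory
# periods: an organisation derives its own from the applicable legal basis
# (tax law for invoices, for instance) and documents them.
#   purpose: (lock_after_days, end_of_retention_days, end_of_retention_action)
RETENTION_RULES = {
    "invoice_management": (365, 365 * 10, "anonymise"),
    "application_management": (0, 180, "delete"),
    "order_management": (90, 365 * 3, "delete"),
}

# Fields treated as direct identifiers for the purposes of this example.
PERSONAL_FIELDS = ("name", "email")


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    last_activity: date    # end of the business process that justified the data
    data: dict
    blocked: bool = False  # "locked": kept for legal reasons only, no routine access


def inventory(records):
    """Step 1: map each direct identifier to the records that still hold it."""
    found = {}
    for rec in records:
        for field_name in PERSONAL_FIELDS:
            if field_name in rec.data:
                found.setdefault(field_name, []).append(rec.record_id)
    return found


def decide(record, today):
    """Step 2: return 'active', 'lock', 'delete' or 'anonymise' according to the
    retention rule of the record's purpose. An unknown purpose raises, because a
    record without a documented purpose has no basis for being kept at all."""
    if record.purpose not in RETENTION_RULES:
        raise ValueError(f"{record.record_id}: no retention rule for {record.purpose!r}")
    lock_after, retain_for, end_action = RETENTION_RULES[record.purpose]
    age_days = (today - record.last_activity).days
    if age_days >= retain_for:
        return end_action
    if age_days >= lock_after:
        return "lock"
    return "active"


def anonymise(record):
    """Step 3 (anonymise variant): drop the direct identifiers, keep business values.
    Real anonymisation must also consider indirect identifiers; stripping only the
    obvious fields may leave the data merely pseudonymous, which is still personal data."""
    scrubbed = {k: v for k, v in record.data.items() if k not in PERSONAL_FIELDS}
    return replace(record, data=scrubbed)


def apply_policy(records, today):
    """Run the rules over a data set.
    Returns (kept: dict record_id -> Record, deleted_ids: list, needs_review: list)."""
    kept, deleted, review = {}, [], []
    for rec in records:
        try:
            decision = decide(rec, today)
        except ValueError:
            review.append(rec.record_id)  # leave untouched, escalate to a human
            continue
        if decision == "delete":
            deleted.append(rec.record_id)
        elif decision == "anonymise":
            kept[rec.record_id] = anonymise(rec)
        elif decision == "lock":
            kept[rec.record_id] = replace(rec, blocked=True)
        else:
            kept[rec.record_id] = rec
    return kept, deleted, review


# Constructed sample data set (not real records); the run date is the article's date.
TODAY = date(2024, 6, 14)
SAMPLE_RECORDS = [
    Record("INV-1", "invoice_management", date(2012, 3, 1),
           {"name": "A. Example", "email": "a@example.test", "amount": 120.0}),
    Record("INV-2", "invoice_management", date(2024, 1, 10),
           {"name": "B. Example", "email": "b@example.test", "amount": 80.0}),
    Record("APP-1", "application_management", date(2023, 11, 1),
           {"name": "C. Example", "email": "c@example.test", "cv": "..."}),
    Record("ORD-1", "order_management", date(2024, 1, 1),
           {"name": "D. Example", "email": "d@example.test", "items": 3}),
    Record("ORD-2", "newsletter", date(2024, 5, 1),
           {"email": "e@example.test"}),  # purpose with no documented rule
]

if __name__ == "__main__":
    print("personal data found in:", inventory(SAMPLE_RECORDS))
    kept, deleted, review = apply_policy(SAMPLE_RECORDS, TODAY)
    for rid, rec in kept.items():
        print(rid, "blocked" if rec.blocked else "active", rec.data)
    print("deleted:", deleted, "needs review:", review)
```

Running it on the sample set leaves INV-2 active, locks ORD-1 (past its lock period, inside its retention period), anonymises the ten-year-old INV-1 down to its amount, deletes APP-1, and flags ORD-2 for review because nobody has documented a purpose and retention period for it. That last branch is the one that matters in practice: data with no documented purpose should surface as an exception rather than silently stay.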

Most importantly, keep in mind that there is no single solution to handle GDPR requests in SAP; rather, it is a combination of tools. The primary solution for GDPR provided by SAP is SAP Information Lifecycle Management, or SAP ILM, which helps SAP users define data retention policies and destruction at the end of the retention periods. That said, some other tools provided by SAP partners, like the Archiving Sessions Cockpit (ASC) by TJC Group, also make it possible to automate this process.

With regulations like the GDPR, a number of personal data processing obligations are imposed on organisations. For businesses, especially those operating or offering services in the EU, the best course of action to ensure GDPR or legal compliance is to define data retention rules with the solution that SAP provides free of charge when it is used to comply with data privacy laws. SAP ILM goes beyond standard data archiving and aims for a good balance between total cost of ownership (TCO), risk, and legal compliance. It comes with a set of policies, processes, practices, and tools required to align the business value of information with the most appropriate and cost-effective infrastructure.

Applying SAP ILM in your operations to ensure GDPR compliance can be a tricky affair. However, you can say goodbye to its challenges with TJC Group. We are experts in data management, and with our proven SAP ILM process, organisations can sit back and relax. We can show regulators evidence of a clear project scope and a proven methodology, all fully automated.

Check out the case study of Dürr Group, a world-leading machine and plant manufacturer, which reached out to us to draw up a plan to delete personal information at project level.


Connect with us to learn and implement SAP ILM and ensure compliance with the GDPR act in the EU! 

Answer: The GDPR is an EU law at its core; however, it applies to any company that makes its website or services available to EU citizens, including organisations in the US. Basically, any organisation that extends its services and goods to EU citizens and its member states must be GDPR compliant without exception, irrespective of its base country.

Answer: As a part of ensuring that individuals have more control over their personal data, the GDPR makes it a requirement for organisations to get the individual’s consent before collecting or processing their personal data. However, this scenario is plausible only during certain circumstances; not always.  

Answer: The fact of the matter is that the GDPR largely applies to personal data. So, identifying which data falls under personal data, subject to the GDPR, will help organisations focus their data privacy and protection efforts. Under the EU's GDPR, the most common personal data are names and email addresses. Other than these, location, ethnicity, gender, religious and political beliefs, web cookies, and biometric data are also personal data. Additionally, pseudonymous data also falls under the definition of personal data if it is even remotely easy to identify the individual.