General Data Protection Regulation (GDPR): Key Requirements and How to Comply

Key Takeaways

  • The General Data Protection Regulation (GDPR) is a world-leading piece of data protection and privacy legislation which applies across the European Union, and to any organization dealing with EU residents. 

  • The GDPR sets out some key principles for controlling and processing data, and consequences for those who breach the relevant rules and principles. 

  • The new EU AI Act adopts the same risk-based regulatory philosophy which underlies the GDPR. 

As artificial intelligence (AI) continues to advance and reshape our world, the need for regulatory safeguards becomes increasingly evident. The European Union’s (EU) AI Act is a groundbreaking legislative measure that sets the stage for a global ripple effect, influencing AI regulations and standards across the globe. 

In this in-depth guide, we look at how the EU AI Act works, and how it balances innovation with security and privacy concerns. 


What Is the GDPR? 

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that was adopted by the European Union (EU) in April 2016 and came into effect on May 25, 2018. It replaced the 1995 EU Data Protection Directive, representing a significant overhaul of the EU’s approach to data protection and aiming to harmonize the data protection laws across the member states.

The GDPR was designed to enhance and unify data protection rights for EU citizens, and its provisions apply to organizations both within and outside the EU that process the personal data of these citizens. In essence, it provides individuals with greater control over their personal data, ensuring that organizations treat such data with the utmost care and responsibility.

Who Does the GDPR Apply To?

The General Data Protection Regulation (GDPR) has a broad scope of applicability that covers a wide range of entities and situations, particularly in its attempts to protect the personal data of EU citizens. Here’s a detailed explanation of who the GDPR applies to:

1. Organizations Established in the EU

The GDPR applies to all organizations that are established in the European Union, regardless of where they process personal data. “Established” here refers to any effective and real activity through stable arrangements, which can be a branch, subsidiary, office, or other forms of presence in the EU.
It’s not merely about the geographic location of data processing. For instance, if a company has an office in an EU member state and makes decisions about processing personal data there, the GDPR will apply even if the actual data processing happens outside the EU.

2. Organizations Outside the EU Targeting EU Data Subjects

If an organization is not established in the EU but offers goods or services (irrespective of whether a payment is required) to individuals in the EU, then the GDPR applies.
Similarly, if an organization not established in the EU monitors the behavior of EU residents (e.g., tracking online activities for advertising purposes), then it also falls under the purview of GDPR.

3. Organizations Outside the EU that Process Data on Behalf of Those Within the EU

This is a particularly significant aspect for service providers and entities that might act as data processors. If, for example, an EU-based company outsources data processing to a service provider outside the EU, that service provider must comply with the GDPR.

4. Public Authorities

Public authorities and bodies, except for courts acting in their judicial capacity, are covered by the GDPR when processing personal data in the course of their official duties.

5. Data Controllers and Data Processors

The GDPR distinguishes between “data controllers” and “data processors”. A data controller determines the purposes and means of processing personal data, while a data processor processes the data on behalf of the controller. Both have obligations under the GDPR, but the responsibilities vary. For instance, a data controller decides what data to collect and for what purpose, while a data processor might be a cloud service provider storing that data.

6. Individuals (Natural Persons)

The GDPR aims to protect the personal data of natural persons (living individuals) and does not extend these protections to legal persons such as companies or organizations.

It’s important to note that GDPR’s penalties for non-compliance can be severe, including significant fines. Therefore, any organization that processes the personal data of EU individuals, whether they are established in the EU or not, should thoroughly assess their GDPR obligations and ensure compliance. 

Video: Wall Street Journal on the GDPR

Scope, Penalties and Key Definitions

The GDPR, or General Data Protection Regulation, is a transformative piece of legislation that establishes robust data protection standards. Here’s a detailed breakdown of its scope, penalties, and key provisions:

1. Scope of the GDPR

  • Territorial Scope: The GDPR has extraterritorial effect, which means it applies not only to organizations located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
  • Material Scope: The regulation applies to the processing of personal data by automated means, as well as to non-automated processing if the data is part of a filing system or intended to be part of one. It covers both data controllers (those who decide the ‘how’ and ‘why’ of data processing) and data processors (those who conduct the processing on behalf of a controller).

2. Penalties

The GDPR introduced significant administrative fines for non-compliance, which can be broadly categorized into two tiers:

  • Lower Tier: For less severe infringements, organizations can be fined up to €10 million or 2% of their total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Upper Tier: For more severe infringements, the fines can reach up to €20 million or 4% of the firm’s total worldwide annual turnover of the preceding financial year, whichever is higher.

It’s important to note that these are the maximum fines and national Data Protection Authorities (DPAs) have the discretion to impose lesser fines based on the specific circumstances of each case.

3. Key Definitions

  • Consent: Organizations must obtain clear, affirmative consent from individuals before processing their data. This means that vague or blanket consent is no longer acceptable. Consent should be as easy to withdraw as it is to give.
  • Data Subject Rights: The GDPR bolsters a range of rights for EU citizens, such as the right to access their data, the right to be forgotten (erasure), the right to data portability, the right to object, and the right to restrict processing.
  • Data Protection Impact Assessments (DPIA): Organizations are required to conduct DPIAs where data processing is likely to result in high risks to data subjects. This is essentially a process to help organizations identify and minimize data protection risks.
  • Data Protection Officers (DPO): Certain organizations are required to appoint a Data Protection Officer (DPO), particularly those whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data.
  • Breach Notification: Data breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the relevant DPA within 72 hours of the organization becoming aware of it. Data subjects must also be notified if there’s a high risk to their rights and freedoms due to the breach.
  • Privacy by Design and Default: Organizations must incorporate data protection considerations into the initial design of projects and ensure that, by default, only data that is necessary for each specific purpose is processed.
  • Transfers of Personal Data: There are restrictions on the transfer of personal data outside the European Union to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
  • Record Keeping: Organizations are required to keep detailed records of their data processing activities if they have more than 250 employees or if their data-processing activities could result in a risk to the rights and freedoms of data subjects.

Transfers to Non-EU Countries

Under the GDPR, personal data can flow freely among the Member States of the European Union, as they all follow the same rigorous data protection standards. However, transferring personal data outside the European Economic Area (EEA) requires special considerations to ensure that the level of protection guaranteed by the GDPR is not undermined.

The GDPR has a set of rules governing such transfers to ensure that the personal data of EU citizens remains protected, even when it leaves the EU/EEA borders. Here’s how transfers to non-EU countries work under the GDPR:

1. Adequacy Decisions

The European Commission has the authority to determine whether a country outside the EU/EEA offers an adequate level of data protection.
If the Commission has made an “adequacy decision” about a particular country, personal data can flow from the EU/EEA to that country without needing any further safeguard. Some countries that have received such decisions include Canada (for commercial organizations), New Zealand, and Japan.
These decisions are continuously reviewed and can be revoked if the third country no longer provides adequate protection.

2. Appropriate Safeguards

If a country has not received an adequacy decision, transfers are still allowed if the data exporter has provided “appropriate safeguards”. These can include:

  • Binding Corporate Rules (BCRs): Legal tools for multinational corporations, allowing them to transfer personal data internationally within their group while ensuring GDPR-compliant protection.
  • Standard Contractual Clauses (SCCs): Set forms of contracts between the sender and the receiver of personal data, approved by the European Commission, that impose strong data protection obligations on both parties.
  • Derogations for Specific Situations: The GDPR allows for certain exceptions where data can be transferred based on specific conditions. Some of these include consent, where the transfer is necessary for contract performance, where there are important public interest grounds, and where a transfer is in the “vital interests” of data subjects or others.

3. Supplementary Measures

Given the challenges posed by certain legal systems where surveillance regimes might infringe on the rights of EU citizens, data exporters are expected to assess the context of the transfer and put in place supplementary measures, when necessary, to ensure an equivalent level of protection. These measures can be contractual, organizational, or technical.

4. Data Transfers in the Context of Binding Decisions

For certain sectors or types of data processing activities, the competent supervisory authority can approve binding and enforceable instruments for data transfer.

5. Complications and Evolving Jurisprudence

The famous “Schrems II” ruling by the European Court of Justice in July 2020 invalidated the EU-US Privacy Shield, a major mechanism that facilitated data transfers between the EU and the US. This ruling emphasized the importance of ensuring the protection of EU citizens’ data rights even in the face of foreign surveillance laws.

Organizations that wish to transfer personal data outside the EU/EEA should always be aware of these provisions and ensure they have the necessary mechanisms in place. It’s also advisable to keep abreast of evolving regulations and jurisprudence, as the landscape of international data transfers continues to change.

Which Activities Are Not Subject to the GDPR?

The GDPR is a comprehensive data protection regulation, but there are certain activities and situations which it does not cover. Here are some examples of activities not subject to the GDPR:

  • Personal or Household Activities: The GDPR does not apply to the processing of personal data by an individual purely for private purposes or for activities carried out in one’s personal life. This means that everyday activities like keeping personal contacts, social networking, and online activities carried out within the context of private and family life are outside the GDPR’s scope.
  • Law Enforcement Directive: The GDPR does not apply to the processing of personal data by competent authorities for law enforcement purposes. Instead, this is covered by the Law Enforcement Directive, which complements the GDPR.
  • National Security and Defense: Activities related to national security, defense, and the activities of the state in areas of criminal law are generally outside the scope of the GDPR. Member states might have their own national regulations for these activities.
  • Deceased Individuals: The GDPR applies to the personal data of living individuals. Some member states may have their own rules regarding data related to deceased persons, but the GDPR does not govern this.
  • Legal Entity Data: While GDPR protects personal data of natural persons (living individuals), it does not generally protect data related to legal persons such as companies, organizations, or public authorities. For example, the business email address of a company or the contact details of a legal entity (as opposed to an individual within that entity) wouldn’t be subject to the GDPR.
  • Anonymous Data: If data is genuinely and irreversibly anonymized – that is, if individuals can no longer be identified from it – then the GDPR does not apply. It’s essential to differentiate between anonymous data and pseudonymous data (data that can’t identify a person without additional information). Pseudonymous data is still subject to the GDPR.
  • Statistical and Research Data: If personal data is processed solely for journalistic, academic, artistic, or literary purposes and appropriate safeguards are applied (like data minimization or pseudonymization), such processing might be exempted from certain GDPR obligations.
  • Activities by Courts: The processing of personal data by courts acting in their judicial capacity is exempt from the GDPR to maintain the independence of the judiciary.

It’s crucial for individuals and organizations to be aware of when the GDPR applies and when it does not. However, just because an activity might be exempt from the GDPR doesn’t mean there aren’t other data protection or privacy regulations that apply. Always check local laws and regulations in specific contexts.


How Are the GDPR and the EU AI Act Related?

The General Data Protection Regulation (GDPR) and the EU Artificial Intelligence (AI) Act are both regulatory frameworks from the European Union, aiming to ensure the protection of individual rights in the face of technological advancements. While the GDPR focuses on data protection and privacy, the AI Act zeroes in on the regulation of artificial intelligence applications and their potential risks. Here’s the connection between the two:

  • Shared Philosophy: Both the GDPR and the AI Act arise from the EU’s commitment to ensuring that technological advancements respect fundamental rights, democratic values, and the rule of law. The EU wants to ensure that AI technologies are used ethically and responsibly.
  • Data as the Bedrock of AI: AI systems, especially machine learning models, often rely on vast amounts of data to be trained and to operate. The way this data is collected, stored, processed, and used needs to adhere to the GDPR. The AI Act complements this by setting requirements for AI systems themselves.
  • High-Risk AI Systems and GDPR: The AI Act categorizes certain AI applications as “high-risk” due to their potential impact on individuals’ rights or safety. Many high-risk AI applications involve processing personal data, and thus, there’s an inherent overlap with GDPR considerations. For instance, biometric identification systems are high-risk AI systems, and they have clear GDPR implications as they process special categories of personal data.
  • Transparency and Accountability: Both the GDPR and the AI Act emphasize the importance of transparency and accountability. While the GDPR mandates transparency in data processing and grants individuals rights like the right to explanation, the AI Act focuses on ensuring that AI systems are transparent in their operations and outcomes.
  • Overlap in Regulatory Authorities: The national data protection authorities (DPAs) responsible for enforcing the GDPR might also play a role in the enforcement of the AI Act, especially when there’s an overlap involving data protection concerns.
  • Impact Assessments: Both frameworks emphasize the importance of assessing risks before deploying technologies. The GDPR introduced Data Protection Impact Assessments (DPIAs) for high-risk data processing activities, while the AI Act mandates risk assessments for high-risk AI systems.
  • Addressing Biases and Discrimination: One of the concerns about AI systems is that they might perpetuate or amplify biases present in their training data, leading to discriminatory outcomes. While the GDPR doesn’t specifically address AI biases, it does set principles of fairness and prohibits unlawful discrimination. The AI Act further builds on this by laying down requirements to ensure AI systems are designed and used without leading to societal biases or discrimination.

GDPR — Final Take 

Any business based in the EU or doing business there needs to ensure that they are in compliance with the General Data Protection Regulation. If you would like further information on how to comply with the GDPR, get in touch and we can put you in contact with some of the top EU GDPR compliance specialists. 


FAQ

If a data breach poses a risk to individuals’ rights and freedoms, you must report it to the relevant data protection authority within 72 hours of becoming aware of it. In cases where the breach poses a high risk to individuals, you must also inform the affected individuals without undue delay.

Always consult with a legal or data protection expert for your specific circumstances, especially when dealing with the intricacies of the GDPR in research or other professional activities.

Yes. If you are collecting or processing personal data within a GDPR-covered country, even temporarily as a visitor, that data is subject to the GDPR. If you transfer it to the U.S. or another third country, you need to ensure appropriate safeguards are in place, especially if transferring personal data.

Some notable breaches and fines under GDPR include British Airways (£20 million), Marriott International (£18.4 million), and Google (€50 million by the French regulator CNIL). For the most recent breaches and fines, you’d need to consult the websites of relevant national data protection authorities or other recent sources.

The GDPR establishes several rights for individuals: right to be informed, right of access, right to rectification, right to erasure (or “right to be forgotten”), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making including profiling.


Drew Donnelly, PhD

Drew is a regulatory expert, specializing in AI regulation and compliance.