GDPR is the acronym for the General Data Protection Regulation, the specific data privacy laws for individual citizens in the European Union (EU) and the European Economic Area (EEA).
What is GDPR?
General Data Protection Regulation (GDPR) is a European data protection law for citizens within the European Union. GDPR regulation was created by the European Parliament in April of 2016 and governs data security, data processing, and the transfer of personal data outside of the EU.
GDPR law exists mainly to give individuals control over their personal data, as well as to simplify data regulation for international business by setting unified standards of regulation within the EU. GDPR standards require data controllers (organizations handling data) to put in place appropriate technical and organizational measures to protect personal data. Examples include building safeguards such as pseudonymization or full anonymization, high privacy settings, and informed consent into the business processes that handle personal data.
What is GDPR Compliance?
Any company that collects, processes or stores the personal data of citizens in the EU must follow strict GDPR compliance requirements or else face heavy GDPR fines. Security teams inside companies that handle transactions within the EU or export data outside the EU are now held to high expectations for the protection and processing of personal data. A GDPR Data Protection Officer (DPO) is an enterprise security leadership role required by GDPR law to oversee the data protection strategy of the company and to ensure compliance with GDPR requirements.
GDPR text leaves much to interpretation, saying that companies need to provide “reasonable” protection of personal data, without specifying the exact definition of “reasonable”. This leaves scope for GDPR supervisory authorities to assess fines for data breach and lack of compliance.
How to be GDPR Compliant
Controllers of personal data should ensure GDPR compliance in their firm by building strict privacy safeguards and transparency measures into everyday business processes. For SMBs, complete compliance with GDPR requirements can be a very daunting set of tasks.
To make this integration easier, many websites display a GDPR compliance checklist like this comprehensive checklist for data controllers. Broadly, this list covers tasks for data controllers and GDPR data protection officers including:
- Conducting an information audit to see who is involved with data at the company
- Establishing principles of data protection by design into all organizational processes
- Building processes for data security awareness, risk assessment, and breach handling
- Designating responsibility for compliance with GDPR standards, giving accountable parties the power to evaluate and implement data protection policies
- Constructing agreements between the firm and any third parties involved with personal data
- Ensuring data subjects have complete transparency, access, and rights to all information your firm holds about them
How Much are GDPR Fines for Non-Compliance?
A company or data controller that infringes the regulation may be subject to GDPR penalties. Individual member state supervisory authorities follow 10 criteria to determine the amount of GDPR fines a non-compliant company should owe (per gdpreu.org):
- Nature of Infringement – number of people affected, damage they suffered, duration of infringement, and purpose of processing
- Intention – whether the infringement is intentional or negligent
- Mitigation – actions taken to mitigate damage to data subjects
- Preventative Measures – how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
- History – past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation – how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data Type – what types of data the infringement impacts
- Notification – whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification – whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other – any other aggravating or mitigating factors, which may include the financial impact of the infringement on the firm
If a firm commits multiple infringements, it is required to pay fines according to the most significant violation rather than the sum of all of them. Lower-level GDPR fines reach up to €10 million or 2% of the firm's worldwide annual revenue for the prior year, whichever is higher. Upper-level GDPR penalties reach up to €20 million or 4% of worldwide annual revenue for the prior year, whichever is higher.
Why was the GDPR Introduced?
Regarding the background of the General Data Protection Regulation, the European Commission website states simply that “Stronger rules on data protection mean 1. People have more control over their personal data and 2. Businesses benefit from a level playing field.”
GDPR legislation was established to provide greater protection and rights to individuals by creating a standard for data protection within all businesses operating in the EU. The General Data Protection Regulation replaces the previous set of European Union data protection laws, the Data Protection Directive, established in 1995.
Is EMOTIV GDPR Compliant?
Data generated by EMOTIV products or services is automatically encrypted, stored, and securely backed up to user accounts through our proprietary EMOTIV Cloud software. EMOTIV is committed to securing and handling your information with administrative, technical, and physical safeguards by design, follows GDPR regulations closely, and uses industry-standard encryption.
You can store and access your EEG data from anywhere with peace of mind, knowing that it is fully protected and private. All EMOTIV employees are trained in the secure and respectful handling of personal data, as required by the GDPR and the California Consumer Privacy Act (CCPA).