GDPR Rules - bounswe/bounswe2022group1 GitHub Wiki
Overview
The General Data Protection Regulation (GDPR) is a European Union law which, according to its official webpage, "requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory". The GDPR was adopted after passing the European Parliament in 2016, and as of May 25, 2018, all organizations were required to be compliant. Since the GDPR affects any organization (whether located in the EU or not) that processes the personal data of people in the EU, it has a massive worldwide impact. Violations of the GDPR cause big problems for enterprises because of the high fines: the maximum penalty is €20 million or 4% of global revenue (whichever is higher). This article details the GDPR violation fines.
7 Principles of GDPR
Though the regulation is very extensive, the 7 data protection principles lie at the heart of the GDPR and summarize the most important points it covers. These principles are set out in Article 5 of the regulation:
- Lawfulness, fairness and transparency: Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization: You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy: You must keep personal data accurate and up to date.
- Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
(Source: Tessian)
3 Large-Scale Cases of GDPR Violations
1. Amazon ($877 million)
This is by far the largest fine to date; it was announced in Amazon's July 2021 earnings report. The underlying reason has not been fully confirmed, but it is mainly due to an issue regarding cookie consent.
2. WhatsApp ($255 million)
The Irish Data Protection Commission fined WhatsApp $255 million just a few months after the colossal fine that Amazon received. The violation stems from an ambiguity in the explanation of its legal basis for certain data processing operations; the company should have provided a clearer and more easily accessible privacy notice.
3. Google Ireland ($102 million)
The French data protection authority (the CNIL) fined Google Ireland this huge amount on January 6, 2022. The reason for the violation was the lack of an easy option to refuse the cookies that YouTube sets on users' devices to track their online activity for marketing purposes. Under the GDPR, consent must be "freely given", which also requires that refusing cookies be as easy as accepting them.
(Source: Digital Guardian)
Suggested Steps to Ensure GDPR Compliance
1. Reading and understanding GDPR rules
This is probably the most straightforward but also the most challenging part. Everyone who can be affected by GDPR rules should learn them.
2. Inspecting what others do
It is always good to research what others do in similar situations before acting, and GDPR compliance is no exception. Everyone who needs to comply with GDPR rules is advised to inspect what similar organizations do.
3. Knowing what your product does
Whatever your product is, you should know what kind of data it can collect and what it can do with that data. Website cookies, opt-ins and data storage should all be considered.
4. Knowing what your data is
For every product that collects data, the data should be reviewed to check whether there is any discrepancy between what is collected and what the GDPR allows.