An overview of the EU General Data Protection Regulation

The General Data Protection Regulation, or GDPR, is an important piece of legis­lation that ensures the protection of the privacy and personal data of EU citizens. It was designed to strengthen control over personal infor­mation and regulate the way organiza­tions collect, store and process it. In this article, we will take a close look at the GDPR and examine its impact on businesses and indivi­duals.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union legal regulation that came into force on May 25, 2018. It was designed to strengthen the protection of EU citizens’ personal data and regulate the way organiza­tions process it. The regulation provides indivi­duals with more control over their personal infor­mation and sets clear guide­lines for organiza­tions that collect or process personal data.

Why was the GDPR intro­duced?

The intro­duction of the GDPR was a response to the evolving digital landscape and the need to ensure data protection and security. At a time when data leaks and breaches were becoming more common, the EU saw the need to introduce stricter rules to protect citizens’ privacy. The regulation also aims to create a uniform legal framework for handling personal data in all EU member states.

The Data Protection Directive 95 46 EC — Basis for Data Protection in Europe

The Data Protection Directive 95/46/EC, also known as the “EU Data Protection Directive”, was issued in 1995 and forms the basis for data protection within the European Union. This landmark directive estab­lished the funda­mental principles and rules for the processing of personal data, laying the foundation for the protection of privacy and individual rights in the digital era. The directive empha­sized the importance of consent, data minimization and security measures, and was instru­mental in estab­li­shing uniform standards for data protection in Europe.

Key principles of the Data Protection Directive 95/46/EC

The Data Protection Directive 95/46/EC estab­lished several key principles that still form the basis for data protection in the EU today. These include lawful processing of personal data, consent of data subjects, purpose limitation of data processing, accuracy of data, appro­priate security measures, and the right of access and recti­fi­cation. The Directive helped raise awareness of personal data protection and laid the foundation for subse­quent data protection regula­tions such as the General Data Protection Regulation (GDPR), which came into force in 2018 and further streng­thened data protection standards in the EU.

Key principles of the GDPR

The GDPR is based on several key principles that form the basis for the processing of personal data. These principles set out how companies should collect and process personal data lawfully and trans­par­ently.

Legality, fairness and trans­pa­rency

Companies must process personal data lawfully and fairly. Processing should be trans­parent and based on legally permis­sible grounds.

Earmarking

The data may only be collected for specified, explicit and legitimate purposes. Any processing outside of these purposes is not permitted.

Data minimization

Only the data necessary for the specified purpose should be collected. The idea is to limit the amount of data collected to the most necessary.

Data accuracy

The data collected should be accurate and up-to-date. Companies are obliged to ensure that the data is up to date.

Memory limitation

Data should only be kept for as long as is necessary for the purpose. This means that companies must regularly review data and delete it when it is no longer needed.

Integrity and confi­den­tiality

Companies must take appro­priate security measures to protect data from loss, misuse, or unaut­ho­rized access.

Accoun­ta­bility

Companies must be able to demons­trate that they comply with the principles of the GDPR. This requires a certain level of documen­tation and trans­pa­rency with regard to data processing.

Rights of the data subjects

The GDPR grants indivi­duals a number of rights in relation to their personal data.

Right to infor­mation

Indivi­duals have the right to know how their data is processed and what purposes it is used for.

Right of access

Indivi­duals may request a copy of personal data concerning them that is stored by companies.

Right to recti­fi­cation

If data is inaccurate or incom­plete, indivi­duals have the right to request that it be corrected.

Right to deletion

Also known as the “right to be forgotten,” it allows indivi­duals to request that their data be deleted.

Right to restriction of processing

Indivi­duals may request limited processing of their data if, for example, the accuracy of the data is disputed.

Right to data porta­bility

Indivi­duals have the right to receive their data in a struc­tured, common and machine-readable format and to transfer it to another controller.

Right of objection

Indivi­duals may object to the processing of their data for specific reasons, for example, if the data is used for direct marketing purposes.

Obliga­tions for companies

The GDPR also sets obliga­tions for companies to ensure that they respect indivi­duals’ data protection rights.

Data Protection Officer

Companies that process personal data on a large scale may need to designate a data protection officer to oversee data protection practices.

Data protection impact assessment

Before processing certain data, companies must conduct a data protection impact assessment to evaluate potential risks.

Data breach notifi­cation

Companies are required to report data breaches within 72 hours of discovery.

Extra­ter­ri­torial appli­ca­bility

The GDPR applies not only to companies based in the EU, but also to companies outside the EU that process personal data of EU citizens.

Fines and sanctions

The GDPR provides for severe fines for companies that violate its provi­sions. These fines can be signi­ficant depending on the nature and severity of the breach.

What has changed since the intro­duction of the GDPR?

Since the intro­duction of the GDPR, companies around the world have revised and improved their data protection practices. Increased awareness of data protection has led to companies imple­menting more secure and trans­parent data processing methods.

FAQ

Does the GDPR apply to all companies?

Yes, the GDPR applies to all companies that process personal data of EU citizens, regardless of their size or location.

What rights do I have as an individual under the GDPR?

As an individual, you have the right to access, correct, have deleted and object to the processing of your personal data.

What steps should my company take to be GDPR compliant?

Your company should review its data protection practices, appoint a data protection officer, conduct data protection impact assess­ments and train employees.

What are the penalties for non-compliance with the GDPR?

Non-compliance with the GDPR can result in severe fines, which can be substantial in serious cases.

Can the GDPR be enforced outside the EU?

Yes, the GDPR can also apply to companies outside the EU if they process personal data of EU citizens.

Conclusion

The General Data Protection Regulation (GDPR) has signi­fi­cantly changed the way personal data is processed in the EU and beyond. It sets clear rules for the protection of indivi­duals’ privacy and data and ensures that companies are accoun­table. As an individual, it is important to be aware of your data protection rights, while companies need to ensure they are GDPR compliant to avoid fines and legal conse­quences.

GDPR in the use of SAP: data protection in the enter­prise software

The General Data Protection Regulation (GDPR) plays a crucial role when it comes to the use of SAP software in companies. As a powerful enter­prise solution, SAP offers numerous functions and tools that are used to process sensitive data. It is of utmost importance to ensure that all aspects of the GDPR are strictly adhered to in order to guarantee the protection of personal data. Companies using SAP must therefore conduct a thorough audit of their processes and systems to ensure that they meet the strict requi­re­ments of the GDPR. Integrating the GDPR into the use of SAP requires close colla­bo­ration between data protection experts and IT profes­sionals. This is not only about compliance with the legal requi­re­ments, but also about ensuring trans­parent and traceable data processing. With appro­priate data protection measures in SAP, companies can not only minimize fines and legal risks, but also strengthen the trust of their customers and create a solid foundation for data protection-compliant business activities.

Make sure your SAP systems comply with GDPR requi­re­ments! Cobicon offers specia­lized SAP consulting on the collection, anony­mization and deletion of personal data in your BW system in order to comply with legal regula­tions and manage your data securely.