The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
History of The GDPR
The right to privacy is part of the 1950 European Convention on Human Rights, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” From this basis, the European Union has sought to ensure the protection of this right through legislation.
As technology progressed and the Internet was invented, the EU recognized the need for modern protections. So in 1995 it passed the European Data Protection Directive, establishing minimum data privacy and security standards, upon which each member state based its own implementing law. But already the Internet was morphing into the data Hoover it is today. In 1994, the first banner ad appeared online. In 2000, a majority of financial institutions offered online banking. In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning her emails. Two months after that, Europe’s data protection authority declared the EU needed “a comprehensive approach on personal data protection” and work began to update the 1995 directive.
The GDPR entered into force in 2016 after passing European Parliament, and as of May 25, 2018, all organizations were required to be compliant.
Scope, Penalties, and Key Definitions
First, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU. We talk more about this in another article.
Second, the fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages. We also talk more about GDPR fines.
The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.
Data subject — The person whose data is processed. These are your customers or site visitors.
Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud storage services like Tresorit or email service providers like Proton Mail.
What the GDPR Says about
For the rest of this article, we will briefly explain all the key regulatory points of the GDPR.
Data Protection Principles
Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
What is the Right to get your Data Deleted?
Also known as the ‘right to erasure’ or the ‘right to be forgotten’, this is the right the GDPR gives individuals to ask organizations to delete their personal data.
Article 17 of the GDPR defines the right to erasure as follows: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” (“undue delay” is generally taken to mean about a month). The right applies only if one of a number of conditions is met (see below). You might also be asked to verify your identity, as we must ensure that the person requesting erasure is actually the data subject.
When Can I Request For My Personal Data To Be Deleted?
You have the right to have your personal data erased if:
The organization no longer needs your data for the purpose it originally collected or used it for
You initially consented to the organization using your data, but have now withdrawn your consent
You have objected to the use of your data, and your interests outweigh those of the organization using it
You have objected to the use of your data for direct marketing purposes
The organization has collected or used your data unlawfully
The organization has a legal obligation (for example, a legal ruling) to erase your data
The data was collected from you as a child in order to offer you an online (‘information society’) service
How Do I Ask For My Data To Be Deleted?
There are no particular guidelines on what a valid request should look like: you can make a request for erasure verbally or in writing. However, we highly recommend that you contact us by email. This lets you describe your concern precisely, tell us exactly which personal data you want us to delete, and explain what next steps you expect from us. It also gives both sides a clear record of the communication in case of confusion or misunderstanding, or simply as a reminder of the circumstances.
As previously mentioned, there is no single correct wording, but you may find the template below useful to make sure you cover all the information we might need.
Please send an email to email@example.com in the following format:
[Your full address]
[Reference / customer number (if applicable)]
Dear [Sir or Madam / name of the person you have been in contact with]
Right to erasure
[Your full name and address and any other details such as account number to help identify you]
I wish to exercise my right to erasure under data protection law.
[Give details of what personal data you want to be erased/deleted.]
Please send a full response within one calendar month confirming whether you will comply with my request. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me.