
General Data Protection Regulation (GDPR) Considerations

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a European Union law that governs how personal data is collected, processed, stored, and eventually deleted from a computer system. It has applied since 25 May 2018.

What is GDPR?

GDPR is a regulation that requires organizations to protect the personal data of individuals. It applies both to controllers (who decide why and how personal data is processed) and to processors (who process it on a controller's behalf), and in certain cases, such as large-scale regular monitoring of individuals or large-scale processing of special categories of data, it requires them to designate a Data Protection Officer (DPO) to oversee the data protection strategy and GDPR compliance. Personal data is defined broadly in GDPR: any information relating to an identified or identifiable natural person, the "data subject".



Blockchain technology provides an immutable, permanent, and replicated record of the data. These three characteristics are present by design in a Hyperledger Fabric-based blockchain network. Storing personal data directly on a ledger that cannot be deleted or modified is therefore difficult to reconcile with GDPR, in particular with the data subject's rights to rectification and erasure; a common design response is to keep personal data off-chain, where it can be corrected or deleted, and to record only references to it on the ledger. It is equally important to know exactly who has access to personal data held by the network, since every peer that holds a copy of the ledger holds a copy of that data.

Features 

Below are the main features of GDPR:

  1. Fines of up to 4% of turnover: Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is higher.
  2. Increased territorial scope: Applies to any organization processing the personal data of individuals in the EU, regardless of where the organization is located.
  3. Consent matters: Where consent is the basis for processing, it must be freely given, specific, informed, and unambiguous, and the request for it must be presented in an intelligible and easily accessible form, in clear and plain language. Consent can be withdrawn at any time.
  4. Right of access and data portability: Data subjects can ask whether and how their personal data is being processed, obtain a copy of it, and receive it in a structured, commonly used, machine-readable format to pass on to another provider.
  5. Breach notification within 72 hours: Personal data breaches must be reported to the supervisory authority within 72 hours of the organization becoming aware of them, unless the breach is unlikely to result in a risk to individuals.
  6. Designing for privacy: Data protection must be built in from the start of system design (privacy by design and by default), rather than bolted on as an afterthought.
  7. The right to be forgotten: Allows the data subject to request that the data controller erase his or her personal data; where the controller has made the data public, it must also take reasonable steps to inform other controllers processing it of the request.
  8. Data protection officers: Appointed in certain cases to help the organization demonstrate GDPR compliance.

History Of GDPR

The GDPR replaced the 1995 Data Protection Directive (95/46/EC). The European Commission proposed the regulation in January 2012; it was adopted on 27 April 2016, entered into force on 24 May 2016, and became applicable on 25 May 2018 after a two-year transition period.

Why Does GDPR Exist?

GDPR was born out of privacy concerns. Europe has long had stricter rules than most other jurisdictions governing how firms use the personal data of its residents, and the GDPR harmonized those rules across all member states in a single, directly applicable regulation.

What Types of Privacy Data does GDPR Protect?

Consent is one lawful basis for processing, but not the only one: GDPR also allows processing that is necessary for a contract, for a legal obligation, to protect someone's vital interests, for a task in the public interest, or for the controller's legitimate interests. Whatever the basis, personal data, as defined under the GDPR, is any information relating to "an identified or identifiable natural person", referred to as a "data subject". This covers obvious identifiers such as a name, an identification number, location data, or an online identifier, as well as factors specific to a person's physical, physiological, genetic, mental, economic, cultural, or social identity. A subset, the special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation), may only be processed under narrower conditions.

Seven Principles of GDPR

The GDPR establishes seven fundamental principles (Article 5) upon which it bases its data protection rules:

1. Lawfulness, fairness, and transparency: Organizations must have a documented lawful basis for processing the personal data, and the data subject must be clearly informed about how their information will be used.

2. Purpose limitation: Organizations may only collect personal data for specified, explicit, and legitimate purposes, must document those purposes, and must not further process the data in a way that is incompatible with them.

3. Data minimization: The data collected should be adequate, relevant, and limited to what is necessary for the purpose for which it is processed.

4. Accuracy: Organizations must keep personal data accurate and, where necessary, up to date. When a data subject points out inaccurate data, it must be corrected or erased without undue delay.

5. Storage limitation: Personal data must not be kept in a form that identifies the data subject for longer than is necessary for the purpose for which it was collected. In practice this means every category of data collected needs a defined retention period, after which it is deleted or anonymized.

6. Integrity and confidentiality: Personal data must be protected by appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

7. Accountability: The controller is responsible for compliance with these principles and must be able to demonstrate it.

Which Companies does the GDPR Affect?

Under Article 3, GDPR applies to organizations with any of the following features:

  1. They are established in the EU and process personal data in the context of that establishment, regardless of where the processing itself takes place.
  2. They are established outside the EU but offer goods or services (paid or free) to individuals in the EU.
  3. They are established outside the EU but monitor the behaviour of individuals in the EU, for example by tracking them online.

Who within my company will be responsible for compliance?

Large organizations employ compliance officers. They report to the managers in charge of the business unit that is expected to comply with the applicable law or regulation: for example, customs compliance for an importing corporation sits with the Purchasing Department, and personnel matters with the Human Resources Department. Each department in turn has a line of command up to an executive such as the Chief Financial Officer or the Chief Operating Officer.

However, in a well-run organization, the compliance officer, or even a line employee who notices a compliance concern, should be able to speak directly with the General Counsel or Chief Legal Officer. The reason is that the CLO can (i) better assess the employee's and the company's legal liability and (ii) confer with the employee under legal privilege, so that what the employee said to the company's counsel can be protected from attempts to compel its disclosure in legal proceedings.

Under GDPR specifically, where a Data Protection Officer is required, the DPO reports directly to the highest level of management, must be able to act independently, and cannot be penalized for performing the role. The legal accountability for a violation, however, rests with the organization as controller or processor, and in practice with its senior leadership.

How does the GDPR affect Third-party and Customer Contracts?

The GDPR requires enterprises to obtain a "clear affirmative action voluntarily given, precise, informed, unambiguous authorization by the prospect to have personal data processed," according to the SiriusDecisions 2017 Data Privacy Compliance Core Report. The same report notes that under GDPR organizations must keep documentation "that lists the personal information it collects and processes, the location of that information, the purpose for processing that data, records of consent received from prospects, and documented processes followed for the protection of personal data". Third-party relationships are affected directly: Article 28 requires a written contract between a controller and any processor acting on its behalf that sets out the subject matter, duration, nature, and purpose of the processing, the types of data and categories of data subjects, and obligations such as processing only on documented instructions, ensuring confidentiality and security, assisting with data subject requests and breach notification, and deleting or returning the data at the end of the service. Existing vendor and customer contracts that lack these terms need to be amended.

Breach Notifications

The GDPR requires organizations to notify the competent Data Protection Authority (DPA, also called the supervisory authority) of any security breach that affects personal data. Article 33 requires notification within 72 hours of the organization becoming aware of the breach, where feasible; a later notification must be accompanied by the reasons for the delay. Where the full picture is not yet known, the information may be provided in phases without undue further delay. Notification is not required where the breach is unlikely to result in a risk to the rights and freedoms of individuals, but where it is likely to result in a high risk, Article 34 additionally requires the affected data subjects to be informed without undue delay. Every breach, notified or not, must be documented internally.
Non-compliance can result in penalties. The regulation requires fines to be effective, proportionate, and dissuasive, and supervisory authorities weigh factors such as the nature and gravity of the breach, the measures taken to mitigate it, and whether the organization cooperated and had appropriate safeguards in place.

Fines and penalties for non-compliance

While not all GDPR violations result in substantial fines, the following are the administrative fines that can be imposed on organizations. Two tiers apply, depending on which provisions of the regulation were breached:

  1. Up to €10 million or 2% of annual global turnover, whichever is higher, for breaches of the obligations of controllers and processors (such as records of processing, security, breach notification, data protection impact assessments, and the DPO), certification bodies, and monitoring bodies.
  2. Up to €20 million or 4% of annual global turnover, whichever is higher, for breaches of the basic principles for processing (including the conditions for consent), data subjects' rights, rules on international transfers, and for non-compliance with an order of a supervisory authority.

There is also a range of other corrective actions a supervisory authority can take under Article 58, including warnings and reprimands, orders to comply with data subject requests or to bring processing into line with the regulation, orders to notify data subjects of a breach, temporary or definitive bans on processing, orders to rectify or erase data, suspension of data flows to a third country, and withdrawal of certifications.

Six Steps to Ensure GDPR Compliance

1. Understand the GDPR law: The first step in ensuring compliance is to understand the legislation in place and the consequences of failing to meet the required standards, and to establish where you stand by conducting a GDPR compliance audit. Understand your GDPR obligations in terms of data collection, processing, and storage, including the legislation's special categories of data.

2. Examine Other Organizations: GDPR affects businesses all over the world, not just those in the European Union. If anyone in the organization still doesn’t understand the steps required to achieve compliance, it is advisable to contact those who have reached GDPR Compliance. Many businesses will most likely share the steps they took to achieve compliance.

3. Classify Data, Mark Regulated Data: Businesses must first identify any personal data of individuals in the EU (information that can directly or indirectly identify someone) that they hold. It is critical to determine where it is stored, who has access to it, with whom it is shared, and so on.
First, determine whether the data falls into a GDPR special category. Then, record who has access to which types of data, who transmits the data, and which applications operate on it. This record also serves the Article 30 requirement to keep records of processing activities.

4. Pay Particular Attention to Company Website: Cookies, opt-ins, data storage, and other features are easy to configure on a website; making them GDPR compliant is a different matter. While many tools used to collect and store contact data have compliance features, the responsibility for compliance remains with you. Reviewing forms so that they collect only what is needed, state the purpose, and record consent, together with obtaining valid consent for non-essential cookies, resolves most of the common website issues.

5. Pay Particular Attention to Your Data: If your organization has a presence (either digital or physical) in the EU, or targets individuals there, all personal data it processes must comply with GDPR. Map out how data enters the organization, where it is stored, how it is transferred, and when and how it is deleted. Knowing every path that personal information can take is essential for preventing breaches and for producing accurate breach reports when one occurs.

6. Revise and Audit: The final step is to review the results of the previous steps and correct any potential flaws, amending and updating as needed. Only the personal information required to provide the service or product is collected. Furthermore, the data should not be shared for unrelated purposes.
