The concept of GDPR compliance can sometimes feel quite abstract. After all, discussions on the subject of data - whether it’s digital or physical - can understandably cause eyes to glaze over and minds to wander. As a result, approximately 30% of European businesses are still not compliant with the 2018 rules and regulations.
Reading that statistic, you would be forgiven for asking: “So what?”.
It’s a valid question, and one that implies the punishment for non-compliance surely cannot be severe enough to warrant worrying about. Can it? In fact, 2023 saw the biggest fine to date - 1.2 billion euros - levied against an organisation for the mishandling of data transfers, handed out to social media giant Meta by Ireland's Data Protection Commission.
While Meta’s penalty might be the highest-profile example of GDPR retribution - and a small drop in the ocean of their $1 trillion value - independent data protection authorities can still charge up to €20 million or 4% of your annual revenue (whichever is higher) for non-compliance, so it is important that the subject is taken seriously.
That raises the question of who is responsible for enforcing the GDPR rules and regulations, both within your organisation and outside of it. To outline exactly what obligations you might have and how they could be shared and fulfilled, it is worth first defining exactly what we mean by GDPR.
GDPR, short for the General Data Protection Regulation, was created by the European Union in 2018. This comprehensive framework lays down a series of regulations meticulously crafted to ensure the security of personal data belonging to EU residents. Irrespective of whether an organisation is geographically located within an EU country or not, it has a legal obligation to prevent any mishandling of sensitive information relating to the bloc’s citizens.
Despite having officially left the European Union in 2020, the UK has retained a commitment to upholding GDPR standards, and several other countries outside the EU have created their own frameworks that are very similar to GDPR.
GDPR provides strict guidelines for the collection, processing, and storage of personal data. All of these things must adhere to principles of legality, fairness, and transparency. What that means in practice is that your organisation must have a lawful reason for collecting personal data, the processing must be conducted in a fair and transparent manner, and individuals should be informed about how their data will be used.
Individuals must also be given an easy way to opt out of having their data collected and processed, and they have the explicit right to know what data is being collected about them and how it is being used.
The short answer to this question is that every single member of your organisation should adhere to GDPR rules. If, for example, you operate a customer service call centre, its personnel are likely to be handling personal data on a regular basis. It would, therefore, be inappropriate for an employee to share that data with any other person or organisation unless there is a genuine reason to do so and the individual has given explicit permission.
GDPR can be a difficult subject for an employee to fully understand. Therefore, many organisations provide regular training to communicate the EU framework’s fundamental principles and how they relate to the employee’s day-to-day duties.
While the above suggestions will certainly reduce the likelihood of a data breach, you may also be legally obligated to appoint a data protection officer (DPO). This mandatory appointment will apply if your organisation’s core activities involve processing sensitive data on a large scale or include the large-scale, regular and systematic monitoring of individuals. Furthermore, all public sector organisations must appoint a DPO, with the exception of courts acting in their judicial capacity.
An NHS hospital, for example, processes sensitive data on a large scale and is therefore required to appoint a data protection officer. Likewise, a security company that operates in a shopping centre will need to appoint a DPO because it tracks and monitors the behaviour of many individuals each day.
But appointing a dedicated GDPR role shouldn’t be reserved only for when you are legally obliged to do so. Larger companies might hire a dedicated data protection officer who can regularly assess the information that the company is handling and ensure that it is stored, processed, and - where necessary - disposed of correctly. In smaller companies, that data protection officer might also hold another role within the organisation, such as compliance officer, HR manager, or risk management assistant.
Broadly speaking, GDPR guidance splits the responsible parties for handling data into two categories - data controllers and data processors. Data controllers have the biggest burden of responsibility - they must obtain consent from any individual whose data they would like to process. For example, if you run an online clothes store, being a data controller means you are not only responsible for collecting and storing customer data securely but also for ensuring that you have explicit consent before using this information for marketing purposes or other activities.
A data processor, on the other hand, operates on behalf of data controllers and is entrusted with executing specific tasks related to data processing. In our online clothes store scenario, a third-party company handling the actual delivery of purchased items would be a data processor (because they have been given the data by the controller to carry out a specific task - delivery). While they play a crucial role in the same sale cycle, it's ultimately the data controller's responsibility to ensure that the processor adheres to GDPR guidelines.
Yes. The General Data Protection Regulation applies to all forms of data, whether that consists of client addresses within a digital spreadsheet or medical notes that have been handwritten in a physical notebook.
Consider, for instance, a law firm maintaining paper records containing sensitive legal information. Under GDPR, these physical documents are subject to the same stringent data protection principles as their digital counterparts. You, as an organisation, have a responsibility to safeguard information that can be linked to an identifiable person, whether that data is online or written in the real world.
If an organisation mishandles a client’s information or does not put the necessary security measures in place to prevent it from being stolen, for example, it is likely to face a large fine. GDPR fines can be as much as €20 million or 4% of a company’s annual revenue (whichever is higher) for severe or repeated offences. The fine is lower - €10 million or 2% of a company’s annual revenue (whichever is higher) - for milder or first-time offences.
We have already mentioned that creating and filling a dedicated data protection officer role is sometimes a legal requirement, and is often advantageous when ensuring GDPR compliance. There are other ways to ensure you meet your legal obligations, such as monitoring how you process and store your data, being aware of any changes to GDPR legislation - after all, the law is likely to evolve as technology does - and only working with trusted third-party processors.
But there is one final method of ensuring your organisation is GDPR-compliant; you can entrust that responsibility to data storage specialists such as ourselves, who have been providing hassle-free, affordable solutions for more than 20 years. Whether you want to store digital or physical files, or dispose of them in a way that keeps confidential data confidential, speak to our team today.