GDPR: A Guide to the General Data Protection Regulation


We updated this article in 2023 to include information on fines and penalties for GDPR non-compliance, its international dimension, and a business guide to data handling.

As of May 2018, the European Union's General Data Protection Regulation came into force, a regulation with a major worldwide impact on the way companies handle people's data.

The GDPR (General Data Protection Regulation) affects organizations that process personal data in the European Union, impacting the storage, access, processing, disclosure and transfer of an individual's personal records.


General principles of the General Data Protection Regulation

The GDPR, also known as "Regulation 2016/679", is a statute by which the European Parliament, the European Commission and the Council of the European Union seek to strengthen and unify data protection for all individuals within EU territory.

Its main objective is to give citizens and residents control over their personal data, in addition to simplifying and unifying the regulation of international business.

The General Data Protection Regulation (GDPR) establishes six general principles to ensure adequate protection of personal data:

1. Lawfulness, fairness and transparency

Personal data must be processed in a lawful, fair, and transparent manner, to ensure the trust of individuals.

2. Limited purpose

The data must be collected for a specific purpose and must not be further processed in a manner incompatible with that original purpose.

3. Data minimization 

The data must be adequate, relevant, and limited to what is necessary for the purposes for which it is collected and processed. 

4. Accuracy

Data must be accurate and, where necessary, updated. 

5. Retention limitation

Data should be held for the permissible and compliant timeframe to fulfill the purposes for which it is collected and processed. 

6. Integrity and confidentiality

Data must be protected against unauthorized access, manipulation, loss and destruction by implementing appropriate technical and organizational measures. 

Any failure to comply with these principles may result in serious administrative and civil penalties.

What is Personal Data Under GDPR?

According to the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person. This includes information such as name, identification number, contact details, financial and health information, location data, and habits and preferences, among others.

It also includes sensory information such as visual and audio recordings, any other information that can be used to identify a person directly, and indirect information that can be combined with other data to identify someone.

To whom does the GDPR apply?

If an organization processes data of EU residents, it must comply with the GDPR, regardless of where it is located. This includes European and non-European companies that offer products or services to EU citizens or monitor their behavior.

The GDPR also applies to public authorities and anyone who processes personal data as part of their professional or personal activity.

Both data processors and data controllers are required to comply with the GDPR.

Data controllers determine the purposes and means of personal data processing and bear primary responsibility for ensuring compliance with the GDPR. This includes carrying out privacy impact assessments, documenting data processing activities, notifying the appropriate supervisory authority of any data security incidents, and cooperating with the supervisory authority in any investigation.

Data processors, on the other hand, perform personal data processing on behalf of the controller and must follow the controller's instructions and comply with the GDPR.

Fines and penalties for non-compliance with the GDPR

Failure to comply with the General Data Protection Regulation (GDPR) can result in serious administrative and civil penalties. Fines for non-compliance may be imposed by the European Union data protection supervisory authorities.

Administrative fines can reach a maximum of EUR 20 million or up to 4% of the company's annual global turnover, whichever is higher.

These fines can be imposed for any failure to comply with the obligations set out in the GDPR, such as breaches of the general principles, failure to honor data subject access and privacy rights requests, or breaches of the data transfer rules.

In addition to administrative penalties, civil penalties, including civil liability and damages, may also be imposed.

Persons affected by a breach of the GDPR are entitled to claim compensation for damages suffered as a result of the breach.

Latest GDPR update

The General Data Protection Regulation (GDPR) was adopted in April 2016 and came into effect in May 2018. Additional clarifying guidance has since been adopted to improve its implementation.

Some of these guidelines include: 

1. On privacy at work, clarifying how the GDPR applies to the management of personal data in the work environment.

2. On the exercise of data subjects' rights, clarifying how data subjects can exercise their rights under the GDPR.

3. On the data protection impact assessment.

4. On the transfer of data outside the EU.

5. On privacy by design and by default.

International dimension of data protection

Personal data protection is a global issue and its international dimension is important to ensure that privacy rights are respected worldwide.

Although the General Data Protection Regulation (GDPR) is a European Union (EU) regulation, its scope is much broader: it covers organizations that process the personal data of EU citizens, regardless of where those organizations are located.

In addition, many countries outside the EU have adopted or are in the process of adopting similar laws.

How is the General Data Protection Regulation applied in Colombia?

In Colombia, personal data protection is regulated by the Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013. This legislation applies to all companies and organizations that process personal data of Colombian citizens.

Although Colombia is not within the geographic scope of the European Union (EU) General Data Protection Regulation (GDPR), some organizations may be subject to GDPR regulations if they process personal data of EU citizens.

Therefore, such companies must comply with both Colombian regulations and the GDPR.

It is important that companies understand data protection in Colombia and comply with applicable regulations to ensure adequate protection of the privacy rights of Colombian citizens.

In case of non-compliance, they may be subject to sanctions and fines established by the Superintendence of Industry and Commerce (SIC), the agency in charge of supervising compliance with Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013.

In addition, the SIC provides guidance and advice to companies and organizations on how to comply with personal data protection regulations in Colombia.

What is the Organic Law on Data Protection in Spain (LOPD)?

Spain, being a member state of the European Union, is subject to its regulations, including the GDPR.

The LOPD and the GDPR establish similar rules for the protection of personal data in Spain, but the GDPR has a broader scope and is stricter. Therefore, Spanish companies and organizations must comply with both regulations.

The Organic Law on Data Protection (LOPD) establishes principles such as legitimacy, quality, transparency, accessibility, purpose limitation, data minimization, accuracy, limited conservation, integrity and confidentiality.

It also establishes rights such as the right of access, rectification, cancellation and objection to the use of personal data.

In addition, the LOPD establishes the figure of the Data Protection Officer (DPO) and the Spanish Data Protection Agency (AEPD) as the authority in charge of supervising and enforcing compliance with personal data protection regulations in Spain.

Companies and organizations that fail to comply with the LOPD regulations may be subject to sanctions and fines by the AEPD.

Business guide to data management

Companies must determine what EU personal data they currently hold, as well as how and where this data is stored. In addition, they must define policies for how this data will be collected, managed, and disposed of.

An organization may hold large amounts of structured and unstructured data, spread across various systems: production servers, cloud applications, on-site and off-site backups, among others.

It is important to define a customized action plan with strategies for classifying data subject to the GDPR. This also helps to approach GDPR as an exercise in risk management: knowing where the most significant gaps in the security scheme lie should be your main focus on the way to full GDPR compliance.

A data protection officer (DPO) may also be required to be involved in all matters relating to data protection. The appointment of a DPO is a high-stakes decision because the role requires deep investigation and security expertise.

Here are some key steps for companies to comply with GDPR regulation:

1. Identification of data processing

Identify all personal data processing activities the company performs, including the collection, storage, use and transfer of data.

2. Risk assessment

Assess the risks associated with each data processing activity and implement appropriate security measures to protect personal data.

3. Documentation

Document data processing activities, including policies and procedures to comply with GDPR.

4. Appointing a Data Protection Officer (DPO)

5. Information to the data subject

Provide clear and accurate information about the processing of personal data to data subjects, including the purpose and legal basis for processing.

6. Third party evaluation

Evaluate third parties that process data on behalf of the company and ensure that they comply with the GDPR.

7. Compliance with data subjects' rights

Honor data subjects' rights, including the right of access, rectification, cancellation and objection.

8. Data security

Implement appropriate security measures to protect personal data, including encryption and user authentication.

9. Incident communication

Have an action plan for reporting data security incidents and comply with incident reporting requirements.

10. Periodic review and updating

Regularly review and update policies and procedures to ensure they comply with GDPR.

Aplyca and the implementation of the GDPR

If your organization is interested in implementing projects that comply with data protection regulations with the help of experts, we invite you to contact us.
