Information Technology and Ethics/GDPR Compliance

General Data Protection Regulation (GDPR)

Introduction

GDPR is a comprehensive privacy and security law in the world. It was drafted and implemented by the European Union on May 25, 2018. It aims to protect the data of EU citizens by imposing obligation and organization anywhere in the world collecting the data of EU citizens. Violating the terms of GDPR regulations can lead to fines of up to 20 million euro. According to the nytimes, google was fined 50 million euros for not properly disclosing to users how data is collected across its services like its own search engine like google and its services like maps and YouTube. This penalty is considered as one of the largest under the EU privacy law i.e., GDPR

There are some GDPR compliance checklists that the United States organization dealing with European citizens' data must followed.

GDPR Compliance Checklist for US Companies

● Should conduct information audit for EU personal data.

● Inform the customers about the reason behind the processing of their data.

● Assess the data processing activities and improve protection

● Data controllers should make sure that they have a data processing agreement with the vendors.

● A designated data protection officer should be appointed especially by the larger organization.

● Non-EU organizations are required to appoint a representative based in one of the EU member states.

● Duties should be known during the event of data breach.

● Organizations should comply with cross-border transfer laws.

GDPR Principles

1. lawfulness

2. fairness and transparency

3. purpose limitation

4. data minimization

5. accuracy

6. storage limitation

7. integrity and confidentiality and accountability

Top GDPR fines till date

1. Meta

It was fined a total of 405 million euros in the year 2022 for violating children privacy through the publication of email addresses and phone numbers.

2. Clearview AI Inc.

In 2022, a fine of 20 million euro was imposed on an AI company in America for collecting selfies and utilizing them to expand its database of approximately 10 billion faces. The company used to then sold its identity verification services to various industries, including law enforcement.

3. Google

After discovery of the search engine giant was giving the Lumen Project access to the personal information of EU individuals who were requesting their data be erased, AEDP, Spain's data protection body, penalized Google 10 million euros. The AEDP discovered that Google's form for material removal, which individuals used to exercise their right to be forgotten, was unclear.

4. Rewe

Rewe, a supermarket chain was imposed a fine a 8 million euro for breaching the GDPR in the year 2022.

References