The General Data Protection Regulation (GDPR) is legislation that updated and unified data privacy laws across the European Union (EU). GDPR was approved by the European Parliament on April 14, 2016 and went into effect on May 25, 2018.
GDPR replaces the EU Data Protection Directive of 1995. The new directive focuses on keeping businesses more transparent and expanding the privacy rights of data subjects. When a serious data breach has been detected, the company is required by the GDPR to notify all affected people and the supervising authority within 72 hours. Mandates in the GDPR apply to all data produced by EU citizens, whether or not the company collecting the data in question is located within the EU, as well as all people whose data is stored within the EU, whether or not they are actually EU citizens. The GDPR also defines penalties for noncompliance.
What is the purpose of GDPR?
The purpose of the GDPR is to protect individuals and the data that describes them and to ensure the organizations that collect that data do so in responsible manner. The GDPR also mandates that personal data is maintained safely; in part, the regulation says personal data must be protected against "unauthorized or unlawful processing, and against accidental loss, destruction or damage."
Reasons for collecting personal data are also defined in the GDPR; the data that's collected must be for a specific and legitimate purpose and shouldn't be used in any way beyond that intention. The regulation also suggests limits on how much data is collected, saying that data collection should be "limited to what is necessary in relation to the purposes for which they are processed."
The GDPR further states that the organization collecting data should ensure it's accurate and updated as necessary.
Under GDPR, companies can't legally process any person's personally identifiable information (PII) without meeting at least one of the following six conditions.
- Express consent of the data subject.
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
In addition, companies that conduct data processing or monitor data subjects on a large scale must appoint a data protection officer (DPO). The DPO is the figurehead responsible for data governance and ensuring the company complies with GDRP. If a company doesn't comply with the GDPR, legal consequences can include fines of up to 20 million euros ($24.26 million) or 4% of annual global turnover. In addition, the person in this role is responsible for ensuring appropriate data protection principles are applied to the maintenance of personal data.
History of GDPR
The roots of the EU's GDPR can be traced all the way back to the 1950 EU Convention on Human Rights, which laid out basic human rights that member states must respect.
As computers became more ubiquitous in the business and governmental spheres, additional regulations were put in place, such as the 1981 Data Protection Convention, which declared privacy was a legal right.
1995's European Data Protection Directive is the most closely related to the GDPR and is seen as that regulation's forerunner.
What data does GDPR protect?
Users must give consent to any company or organization that wishes to collect and use personal data. As defined by the GDPR, personal data is information that relates to "an identified or identifiable natural person" -- referred to as a "data subject."
Personal data can include these types of information:
- Identification number
- Location data
- Any information that is specific to "the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
- Biometric data that is acquired through some form of technical process, such as facial imaging or fingerprinting
- Information related to a person's health or healthcare
- Racial or ethnic information of an individual
- Political opinions or religious beliefs
- Union membership
7 principles of GDPR
The GDPR lays out seven basic principles on which it bases its regulations and rules of compliance related to personal data:
- Lawfulness, fairness and transparency. Data subject must be clearly informed about how their data will be used.
- Purpose limitation. Data can be collected only for specific purposes.
- Data minimization. The amount of data collected is limited to what is necessary for specific processing.
- Organizations collecting data must ensure its accuracy and update it as necessary. Data must be deleted or changed when a data subject makes such a request.
- Storage limitation. Collected data won't be retained longer than needed.
- Integrity and confidentiality. Appropriate protection measures must be applied to personal data to ensure it's secure and protected against theft or unauthorized use.
- Data collectors are responsible for ensuring compliance with the GDPR.
The seven principles of the GDPR underlie specific data subject rights, including:
- Right to be forgotten. Data subjects can request PII to be erased from a company's storage. The company has the right to refuse requests if it can successfully demonstrate a legal basis for their refusal.
- Right of access. Data subjects can review the data an organization has stored about them.
- Right to object. Data subjects can refuse permission for a company to use or process the subject's personal data. The company can ignore the refusal if it can satisfy one of the legal conditions for processing the subject's personal data but must notify the subject and explain the reasoning behind doing so.
- Right to rectification. Data subjects can expect inaccurate personal information to be corrected.
- Right of portability. Data subjects can access the personal data a company has about them and transfer it.
Who is subject to GDPR compliance?
All organizations that collect personal data of any citizen of a EU member state must comply with the GDPR. That includes organizations that reside outside the Union -- they still must comply with the GDPR if they're collecting a member state citizen's personal data.
The regulations apply regardless of the method used to collect personal data; this includes data collected by methods other than websites and other internet tools. The GDPR defines three different roles related to personal data:
- Data subject. Owner of personal data.
- Data controller. The individual or organization determining what personal data to collect and how it will be used.
- Data processors. The individual or organization processing personal data for the controller.
In the event of a security breach that affects stored personal data, the data controller must notify the supervisory authority within 72 hours of the breach. The supervisory authority is defined as the public authority that has been designated by the EU member country to oversee GDPR compliance.
Some additional requirements relevant to breach notifications include:
- If notification isn't made within the allocated 72 hours, the data controller must provide the reason for the delay.
- Breach notifications must include, at minimum, the nature of the breach, the number and types of data subjects' personal data that could be compromised and the number of data records that could be involved.
- The data controlling organization must also describe any possible consequences resulting from the breach and describe what measures will be taken to mitigate the effects.
- Notification of the data breach must be delivered directly to the victims not in the form of a general announcement.
- The data controller must document the breach and the remedies it has applied, as well as provide the documentation to the supervisory authority for verification.
Fines and penalties for noncompliance
Penalties for noncompliance or for data breaches can be severe. Several criteria are assessed to determine appropriate penalties, including the severity of the breach, the breach's duration, the number of data subjects affected by the breach and the degree of damage that the breach incurred.
Other factors that might influence penalties include:
- If a data was breach caused by negligence or intention
- Failure to keep adequate records of personal data collection and processing; fines can be as much as 10 million euros or 2% of annual revenues
- Not complying with any orders handed down by supervisory authorities; these fines can be up to 20 million euros or up to 4 % of the total revenues
Although the GDPR has been in effect for only a few years, some significant fines have been levied to date, such as:
- British Airways. More than 200 million euros
- Marriot Hotels. More than 100 million euros
- Google Inc. 50 million euros
GDPR and third-party data
There are several regulations regarding personal data obtained from parties other than the data subjects and related to sharing of personal data outside the EU.
- A data controller must obtain permission to transfer data to another country or international organization.
- If personal data is collected from other sources than the data subject, the data controller must provide a description of the data and its origin to the data subject.
Some critics expressed concern about the United Kingdom's withdrawal from the EU regarding the effect on the country's compliance with the GDPR. The U.K. has updated its Data Protection Act 1998 with a new law called the Data Protection Act 2018. The new law hews closely to the rules defined in the GDPR, but U.K. companies that do business with customers or other organizations in EU member states are expected to comply with the GDPR.
6 steps to ensure GDPR compliance
The GDPR describes the expected results of good and responsible data management, but it doesn't define any specific technical measures for data collectors must use to meet that goal.
Some best practices to help ensure compliance with the GDPR include:
- Always ask before collecting personal data; data subjects must be willing participants.
- Only collect what you really need; organizations will be responsible for all the data they collect, whether or not they use it.
- Don't share data with other entities, unless users have agreed, and supervisory authorities have approved the transaction.
- Encrypt all personal data -- both at rest and in flight.
- Ensure at least two up-to-date and secure backup copies of all personal data is maintained at two separate off-site locations.
- Have the tools to easily edit or delete specific items of personal data and to verify and document the actions.