What Is GDPR? | Data Protection & Privacy
GDPR may be an EU regulation, but it has affected countries worldwide. Understanding and adapting to this law can save your company from receiving any penalties.
What is GDPR in simple terms? The General Data Protection Regulation (GDPR) is a law passed in the EU to protect citizens’ privacy and data. This regulation affects all organizations that do business in the EU, regardless of an organization’s location.
What Is GDPR and How Does It Protect Consumers?
The General Data Protection Regulation is a comprehensive privacy and cybersecurity law passed by the European Union with the express purpose of protecting digital consumers from fraud and harassment while giving them more control over their personal information. Adopted in 2016 and enforceable as a comprehensive law from 2018, GDPR combines strict data control, privacy, and security regulations with relatively harsh penalties for any organization doing business in the EU, including nonprofits and public organizations handling digital information for marketing.
What Does GDPR Do?
GDPR essentially codifies the rights of consumers and businesses, the scope organizations have in managing and using consumer information, and how consumers can exercise ownership of their personal information. The law accomplishes this through several distinct areas of regulation, collectively known as the “Rights of Data Subjects.”
Under the regulation, a “data subject” is any individual whose information may be used in marketing, business processing, or other enterprise operations. Under GDPR, data subjects are the complete and final owners of their information and, as such, have much more expansive powers over it than in other jurisdictions such as the United States.
Some of these rights include the following:
- Right to Erasure: A subject may request the deletion of any information held by an organization at any point and for any reason. This action must occur within 30 days.
- Right to Access Personal Data: At any point, for any reason, the consumer may request and receive access to any information an organization has collected on them. This information must be turned over within 45 days.
- Right to Rectification: At any point, for any reason, the consumer may request an organization change or correct any errors in their information.
- Right to Restrict Data Processing: Data subjects can request the cessation of certain kinds of processing using their digital information.
- Right to Object: This right allows the subject to object to organizations denying their right to restrict processing.
- Right to Data Portability: The subject may request that their personal data be sent to a third party.
- Right to Be Notified: Data subjects must receive notification about the uses of their personal information and how they may take steps to address issues surrounding this information and how it is used. This includes notification of erasures or changes made outside of their personal requests.
- Right to Reject Automated Individual Decision-making: Data subjects may refuse automated processing of personal information for the purposes of automatic marketing or decision-making if those decisions negatively impact the subject.
Additionally, GDPR requires the subject’s consent and opt-in. Unlike in many other jurisdictions, a business operating in the EU cannot arbitrarily send unsolicited materials, request consumer information, or use consumer information. Instead, consent must come first—that is, consumers must opt in to any marketing or communications.
Furthermore, this kind of consent must include the precise reason for the request along with a description of what the information will be used for. It must be “freely given, specific, informed and unambiguous.”
What Is Considered Personal Data Under GDPR?
Personal data under the EU GDPR is defined as any information relating to an identified or identifiable natural person. This includes things like name, address, ID numbers, photographs, location data, and online identifiers such as IP addresses and cookies. Even biometric and genetic data are considered personal data. Particularly sensitive categories of personal data include, but are not limited to:
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
- Religious beliefs
- Trade union membership
Companies should take great care when collecting and managing personal data to protect it from misuse and unauthorized access.
Who Must Comply With GDPR?
All companies, organizations, and individuals that process the data of EU citizens must comply with the General Data Protection Regulation (GDPR). This includes any company, organization, or individual that collects, stores, or uses the data of EU citizens, regardless of where the data is processed or stored.
What Are My GDPR Rights?
Under the General Data Protection Regulation (GDPR), EU citizens have a number of rights when it comes to how their personal data is collected and processed. These rights include:
- The right to be informed about data collection and processing
- The right of access to your personal data
- The right to rectification of any inaccurate or incomplete data
- The right to erasure or “right to be forgotten”
- The right to restrict or object to processing of personal data
- The right to data portability
- The right to object to automated decision-making and profiling
- The right to complain to a supervisory authority
What Are the GDPR Consent Requirements?
GDPR consent requirements provide individuals with the right to know how their data is being used and provide a practical framework for businesses to properly protect the personal data of their customers. Consent must be freely given, specific, informed, and unambiguous. This means that consent must be in clear and plain language, and cannot be inferred from silence or inactivity.
Consent must also be given in a separate statement from any other terms and conditions and must be presented in an easily accessible format. Individuals must also be able to withdraw consent at any time, and the process for withdrawing consent must be as easy as it was for giving the initial consent.
What Are the Important Articles in GDPR?
These rights are set out in the articles of the GDPR. Because different requirements apply to different practices (security, marketing, etc.), businesses will naturally spend more time understanding some articles than others.
Some of the more important and wide-ranging articles include the following:
- Article 6 – Lawfulness of Processing: This article outlines regulations around processing and the rights data subjects have in that process. This includes when and how consumers can give consent for collection; how organizations must document consent; and the steps organizations must take to ensure that processing is secure, maintains the privacy of that information, and only operates within the clearly defined boundaries of provided consent and reasonable business use.
- Article 15 – Right of Access by the Data Subject: This article states that subjects have the right to obtain any and all of their data from an organization, including additional information on how their data is used or how organizations may use it in the future.
- Article 16 – Right to Rectification: Data subjects have the right to change or update any information they deem incorrect, either through an automatic system or through contact with the organization.
- Article 17 – Right to Erasure: This article details how organizations must comply with requests for erasure, including the contexts or circumstances for erasure (withdrawn consent, objection to processing, unlawful processing, legal requirements, or lack of continuing business needs).
- Article 18 – Right to Restriction of Processing: This article defines how a subject may manage and object to the processing of their information by an organization. These reasons include incorrect information that needs correction, lack of further need for the business to process said data within the boundaries of provided consent, or potentially unlawful processing operations.
- Article 20 – Right to Data Portability: This article highlights the rights of subjects to have their information transmitted to third parties by organizations, so long as it is feasible.
- Article 21 – Right to Object: Defines the ability of data subjects to object to the use or processing of their information by any organization (outside of contexts like those that benefit the public interest).
- Article 28 – Processor: This article details the specific legal and technical requirements that any organization processing user information must follow. These include gathering and documenting consent, only using data for explicitly stated purposes, and refraining from selling consumer information to third parties without consent of the user.
There are other smaller subsections that outline specific things an organization must implement. These include appointing and maintaining the position of Data Protection Officer (DPO) pursuant to regulations, providing meaningful disclaimers for consent forms, and the obligations to report breaches to governing authorities as soon as they are noticed.
What Are the Technical Requirements of the GDPR?
- Processors of personal data must ensure appropriate security of personal data, including encryption of personal data, where appropriate.
- Organizations must ensure that personal data is only processed when and to the extent necessary, and in accordance with the data subject’s right to access, rectification, and erasure.
- Organizations must provide data subjects with clear and concise information regarding the processing of their personal data.
- Organizations must maintain records of all personal data processing activities conducted by them.
- Organizations must obtain prior consent from data subjects for any processing of their personal data.
- Organizations must appoint a Data Protection Officer (DPO) to monitor the implementation and compliance with GDPR regulations.
- Organizations must conduct regular data protection impact assessments (DPIAs) to identify and mitigate any potential data protection risks.
- Organizations must provide data subjects with the right to object to processing, the right to data portability, and the right to be forgotten.
- Organizations must notify relevant authorities of data breaches within 72 hours.
- Organizations must adhere to the principles of data protection by design and data protection by default.
How Does GDPR Impact U.S. Businesses (Best Practices for GDPR Compliance)?
Ordinarily, a compliance framework for EU countries would not affect businesses in the United States. However, with more and more business moving to digital, online venues, it is nearly impossible to avoid doing business in the EU unless you specifically restrict your business from doing so.
There are a few changes that U.S. businesses should expect to make:
- Audit All EU Data: First and foremost, you must understand how much of your information comes from data subjects in the EU, how you process that information for business or marketing, and if that data is related to actual business (goods and services) for those consumers. This will give you an understanding of your obligations.
- Gaining Consent for Any Marketing Efforts: If your website collects emails or other information from global users, then EU users may be caught in that net. That is why many companies are including explicit consent forms for landing pages where user emails may be used for business or marketing operations. These include lengthier disclaimers and clear checkboxes that state the specific uses of the information gathered.
- Consent for Tracking Cookies: You may have noticed an increase in prominent banners on news and retail websites asking, in lengthy passages, for permission to set cookies. GDPR considers the use of cookies to manage accounts or track browsing behavior to be a form of data collection, and as such, all companies that set cookies for EU consumers must comply with GDPR.
- Review Vendor Relationships: If third-party service providers handle your organization’s information, you remain partly responsible for how information from the EU is used as part of your operations.
- Get Ready if a Breach Occurs: Under EU law, organizations must respond quickly to breaches. While U.S. regulations generally allow more time for reporting, organizations get only 72 hours under EU law.
- Appoint a DPO: If an organization does not have a Data Protection Officer and is doing significant business in the EU, hire one. Not only will this help the organization meet compliance, but it can help direct and guide the organization’s compliance efforts for GDPR regulations.
- Understand International Data Transfer Laws: GDPR includes provisions governing the transfer of consumer information across national borders, and noncompliance here can cost significant time and money. Understanding these provisions is also crucial if an organization uses technologies like managed file transfer (MFT) or SSH File Transfer Protocol (SFTP) for EU business. The United States and European Union have a framework, the Privacy Shield Framework, to facilitate these transfers.
What Are Penalties for GDPR Noncompliance?
It may seem like a big task to understand EU regulations, but it is necessary. Recently, international companies like Google, Facebook, and Apple have faced several lawsuits resulting from a lack of compliance with EU law.
The most important aspect of compliance and penalties under GDPR is that penalties are designed to be proportional to the company’s actual revenue. So, rather than setting a flat penalty or penalty range, GDPR calculates penalties as a proportion of company revenue.
GDPR uses two different tiers for penalties:
- Tier 1 covers less severe infringements of GDPR law, including breaches of regulations around certifications and authorizations, maintaining the lawful basis for business processing, and, if relevant, providing or receiving monitoring services that are transparent and unbiased. Basically, the organization must remain truthful in compliance, maintain basic processing standards, and use or provide above-board compliance monitoring. At this tier, penalties are fines of up to 10 million euros or 2% of worldwide annual revenue, whichever is higher.
- Tier 2 covers more severe violations, including those pertaining to the unlawful processing of data; failure to gain consent; failure to provide meaningful disclosure to receive consent; failure to uphold consumer rights to erasure, access, or other rights; and illegal transfers to other countries. At this tier, penalties are fines of up to 20 million euros or 4% of worldwide annual revenue, whichever is higher.
The purpose of these penalties is to discourage any company—especially global companies with billions of dollars in assets—from violating the law as they see fit.
Want to Learn More About GDPR Compliance?
GDPR is the present and future of cybersecurity and consumer rights. Even though it is an EU-specific set of regulations, the increasingly global scope of digital commerce makes it hard to ignore. Furthermore, it’s likely that, sooner rather than later, we are going to see the standards outlined in GDPR trickle into other countries. Even now, the California Consumer Privacy Act (CCPA) is incorporating some aspects of GDPR into its language.
Achieving GDPR compliance requires strong technical foundations that unify security, compliance, and logging to meet consent and data privacy laws. To learn more about GDPR compliance when it comes to sensitive content communications, read our articles in the Kiteworks archive.