At the forefront of the current data privacy boom is the EU’s General Data Protection Regulation (GDPR) — a European data protection law designed to give individuals more control over their personal information, and the opportunity to interact safely with online platforms.
You’ve heard that the GDPR empowers users, reins in the tech giants, and provides a safe-but-strict framework for conducting business online.
But how exactly does it achieve those things?
Whether you’re a user exploring your rights or a business owner planning your compliance strategy, our What is GDPR? guide explains the key points and answers the most important questions about the GDPR.
1. General Data Protection Regulation (GDPR) Overview
How to Define GDPR
What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
It’s a regulation designed to unify data protection laws across all member states of the European Union (EU), and give users more rights and control over how their data is processed.
The GDPR replaces the EU’s Data Protection Directive (DPD) from 1995, and better reflects modern data collection practices.
GDPR Personal Data Definition
Personal data under the GDPR is any information that could be pieced together to identify an individual.
Now that smartphones and social media are ubiquitous, this information includes location and biometric data (Google Maps and retina scans), IP addresses, plus everything you share online — from your salary to your political opinions.
This broader definition of personal data is one of the major differences between the GDPR and DPD.
The meaning of personally identifiable information is evolving alongside new technology. Read our guide to stay up to date.
Who Does GDPR Apply to?
The GDPR applies to businesses that target EU data subjects.
This means that the new privacy law is applicable not only to organizations operating within the EU, but also to those worldwide that target individuals in the EU.
Therefore, most of the world’s largest companies are subject to this law, as well as many small businesses in the US that have European customers.
When Does GDPR Take Effect?
The GDPR implementation date was May 25, 2018 — meaning companies should already be in compliance.
Even though over a year has passed since the GDPR start date, many organizations remain unclear about what is required and whether the GDPR applies to them. This puts them at risk of hefty fines for noncompliance.
What are the Consequences of Violating the GDPR Regulation?
Companies that violate the EU General Data Protection Regulation face a maximum fine of €20 million ($23 million) or 4% of their annual global turnover (whichever is higher).
The largest penalty so far was issued in January 2019, when Google received a GDPR fine of €50 million for not fully informing users how their data would be used when they set up its Android operating system.
Privacy watchdogs believe that the number of fines issued will soar in 2019 and beyond, as regulators catch up on the current backlog of data breaches.
2. Essential GDPR Requirements for Businesses
Companies of all sizes that target customers in the EU must evaluate and adjust their data collection practices to meet the stringent requirements of the GDPR.
These efforts include taking the initial steps to achieve compliance, as well as integrating the key principles of the GDPR into every part of their operations.
What is GDPR Compliance?
Complying with this European regulation on data protection means ensuring data is collected legally, informing users of how it is treated, and keeping data secure (i.e., protected from breaches).
Unfortunately, there’s no such thing as a quick guide to GDPR compliance — but any company can start its compliance journey today.
Complying with the GDPR is different for every company. Read our GDPR compliance guide to find out where exactly you should start.
Seven Core GDPR Guidelines
There are seven key principles to the GDPR that dictate how businesses should handle data in order to conform to new EU data protection standards.
- Lawfulness, fairness, and transparency — Data processing must be legal and the information collected and used fairly. Users must not be mislead about how their data is used
- Purpose limitation — The purpose of processing must be clear from the start, recorded, and changed only if there is user consent
- Data minimization — Only data required for the stated processing purpose should be collected
- Accuracy — Reasonable steps must be taken to ensure the collected data is accurate and up to date
- Storage limitation — Data shouldn’t be kept longer than necessary
- Integrity and confidentiality — Appropriate security measures must be put in place to protect personal data being stored
- Accountability — Organizations are accountable for how they handle data and comply with the GDPR
Additional GDPR Basics and Concepts
To ensure companies abide by its seven core guidelines, the GDPR details several additional features that are integral to successful compliance. These concepts reshape how businesses interact with their customers.
Privacy by Design
Privacy by Design (PbD) means that data protection should be built into the very core of your business. Article 25 states:
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
This practice should ultimately minimize data collection. Privacy by Design is not a new concept in the data protection sphere, but only now is it a legal requirement in the EU.
To implement PbD, data integrity should be secured in the design stages of a product, and then proactively kept in mind throughout development.
If your business has ever treated data security as an afterthought, our full guide to Privacy by Design best practices will help improve your privacy integrations.
Under the regulations of the GDPR, companies must ask users’ permission to process their data. This is called consent.
Consent can be withdrawn at any time — and it should be as easy to withdraw it as it was to give it.
According to Article 4, valid consent is defined as:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Information must be accessible and written in language the average person would understand. Users should know exactly what they’re agreeing to, and use of their data should not go beyond what was specified.
In addition, users must confirm their consent through an explicit action, such as checking a box on a webpage or choosing their settings in an app. Pre-selected options and assumption of consent through inactivity or silence do not constitute the freely given and affirmative action that the GDPR requires.
To describe consent under the GDPR in a nutshell: endless pages of legalese and pre-checked boxes simply don’t cut it anymore.
Our comprehensive guide to GDPR consent explains this contentious issue in more detail.
3. How Do GDPR Rules Affect Users?
The GDPR affects users by giving them more rights and control over how their data is used.
In addition to increased consent measures affecting the online experience, there are considerable changes behind the scenes that many users aren’t aware of.
Summary of New GDPR Data Subject Rights
One of the ways that the GDPR has empowered users is by giving them an array of new rights regarding their personal data.
These are as follows:
- The Right to be Informed: The GDPR emphasizes transparency in data collection practices, meaning individuals have the right to be fully informed about the collection and use of their personal data.
- The Right of Access (Article 15): Individuals can request to view any personal data that has been collected from them. This information must be provided within one month and be free of charge.
- The Right to Rectify Information (Article 16): If data collected about an individual is inaccurate, the individual has the right to request a correction. The organization processing the data must respond within one month.
- The Right to Erasure / Right to be Forgotten (Article 17): After information has been collected about them, individuals can request it be permanently deleted, either because the information is no longer relevant, or because the user chooses to withdraw their consent.
- The Right to Restrict Data Processing (Article 18): An individual can request to limit how their data is processed when certain conditions apply, such as if the processing is unlawful or if the individual has objected to it.
- The Right to Data Portability (Article 20): When users request to view their data, it must be given to them in a clear format so it can be easily transferred to another organization.
- The Right to Object (Article 21): Individuals can object to the processing of their data in certain situations, such as direct marketing.
Summary of GDPR Data Breach Notifications
Under the GDPR, users must be notified if their data is compromised — for example through a breach or technical error.
According to Article 33 of the European Union General Data Protection Regulation, a business must inform its supervisory authority of a data breach within 72 hours of when the problem is first discovered. Users must then be notified “without undue delay.”
Data breach notifications are one of the most important changes introduced by the GDPR and are designed to keep companies accountable while giving users peace of mind.
4. GDPR Laws Worldwide
Over 100 countries have now implemented new data protection laws to regulate the flow of personal data, and there is more legislation to come.
One of the first will be the California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. This law is already controversial and will force many US companies to rethink their data collection strategies.
By providing a template for how data privacy legislation should consider territorial boundaries in a digital world, the GDPR has changed the privacy landscape forever.
Use our privacy laws around the world infographic to learn the scope of other new legislation that may affect you.
How are US Companies Affected by the EU GDPR?
US companies had varying responses to the GDPR. Many took a tentative approach to targeting advertisements at European users, whereas others chose to cut off their EU customer base entirely.
Since the GDPR legislation came into effect, over 1000 major US publications have blocked users in the EU, rather than risk noncompliance.
However, those that have made the effort to comply will be in a much stronger position when the CCPA arrives in 2020. Many of its privacy measures are inspired by the GDPR, giving companies who define their compliance efforts early a definite advantage.
With the CCPA on the horizon and companies like Microsoft supporting an American version of the GDPR, now is the ideal time for businesses in the US to become more familiar with EU privacy laws and implement a global data security strategy.
5. What Does GDPR Mean for the Future?
According to a recent survey of US consumer attitudes, 64% of people do not feel organizations are completely transparent about how they used customers’ personal data. After years of data privacy scandals, it’s evident that customers are demanding more thorough protection of their personal information.
In fact, data may now be the world’s most important resource. Cyber law experts say it’s a commodity more valuable than oil.
With the GDPR leading the charge to regulate the flow of data, the future of privacy will be shaped by those who make data protection a priority today.