In the few years that the EU’s General Data Protection Regulation (GDPR) has been in force, it has had wide-reaching effects. It served as a model for privacy protection laws in other jurisdictions, and recent high-profile cases have shown that authorities are willing to enforce the GDPR to protect the data rights of European citizens.
In its most basic interpretation, the GDPR is a European data protection law that gives individuals more control over their personal information. It has forced companies to reframe how they think about data privacy, making “privacy by design” paramount.
If you run any business that collects personal data, it is important to understand the GDPR and how it’s being used. Our “What is GDPR?” guide answers your key questions and offers insight into effective privacy strategies.
1. What is GDPR? An Overview of the General Data Protection Regulation
How to Define GDPR
The acronym GDPR stands for General Data Protection Regulation, and its implementation signaled a turning point for privacy protection in the new era of big data. The GDPR created a consolidated data protection legal framework across all European Union (EU) member states, plus Iceland, Liechtenstein, Norway, and Switzerland, which are part of the European Economic Area (EEA) single market.
The individual rights of data subjects — people whose information gets collected by corporations — are prioritized above all else.
The GDPR replaces the EU’s Data Protection Directive (DPD) from 1995. The data environment was significantly different when the DPD came into force, years before smartphones and digital marketing were commonplace. Because it was a directive, each EU and EEA state implemented it separately, so requirements could vary between jurisdictions.
The GDPR, by contrast, had a direct effect on EU member states. It was drafted in April 2016 and enforced beginning in May 2018, and its language also better reflects modern data collection practices.
GDPR Personal Data Definition
This regulation applies to data about living “natural” persons; it does not, in turn, apply to legal entities like corporations. Personal data under the GDPR is information like a name, email address, or credit card number that can lead to the identification of a person. The drafters of this law rightly understood that technology evolves, and so do the elements that can lead to individual identification.
Now that most people have smartphones and social media accounts, personal information under the GDPR may include
- Location and biometric data (Google Maps and retina scans)
- IP addresses
- Anything else that you might put online — like how much you make or for whom you voted
Though the scope of personal data may seem more significant now, there’s a difference between what we commonly think of as personal data and what qualifies under the GDPR. For example, a business may hold a database of first names that don’t identify a specific person independently. This is not considered personal data — yet.
Businesses cross into personal data when a third party can take information from that business, combine it with other data, and work out individual identities. For example, say your company knows that Alice pays property tax of $1,000 in Capital City. Suppose a third party can access a public piece of data and finds that only one Alice resides in Capital City. In that case, that information is personal data, because Alice can be identified indirectly.
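The Alice example above is a linkage problem: a record with no name becomes personal data as soon as an auxiliary dataset narrows it down to one person. The following added example (not part of the original article) runs that check over constructed data: a business table of first names, cities and tax amounts, and a constructed public register standing in for the third party’s data. A record whose quasi-identifiers match exactly one person in the register singles out an individual and should be treated as personal data; the field names and sample rows are this example’s own.

```python
"""Linkage-risk check: does a dataset with no direct identifiers become personal
data once it is joined with auxiliary data?  Added example; all rows are constructed."""
from collections import Counter

# Constructed: what the business holds. No full name, no direct identifier.
BUSINESS_RECORDS = [
    {"first_name": "Alice", "city": "Capital City", "property_tax": 1000},
    {"first_name": "Bob", "city": "Capital City", "property_tax": 1500},
    {"first_name": "Bob", "city": "Capital City", "property_tax": 900},
]

# Constructed: a public register a third party could consult.
PUBLIC_REGISTER = [
    {"first_name": "Alice", "city": "Capital City", "full_name": "Alice Andersson"},
    {"first_name": "Bob", "city": "Capital City", "full_name": "Bob Baker"},
    {"first_name": "Bob", "city": "Capital City", "full_name": "Bob Brown"},
    {"first_name": "Alice", "city": "Other Town", "full_name": "Alice Archer"},
]

# Attributes that are harmless on their own but can be joined against other data.
QUASI_IDENTIFIERS = ("first_name", "city")


def candidate_counts(register, keys):
    """Count how many people in the register share each quasi-identifier combination."""
    return Counter(tuple(row[k] for k in keys) for row in register)


def linkage_risk(records, register, keys=QUASI_IDENTIFIERS):
    """Annotate each business record with how many real people it could refer to.

    A candidate count of 1 means the record singles out one individual: under the
    GDPR's definition that makes it personal data even though it carries no name.
    A count of 0 or more than 1 means this register alone does not identify anyone.
    """
    counts = candidate_counts(register, keys)
    annotated = []
    for rec in records:
        key = tuple(rec[k] for k in keys)
        n = counts.get(key, 0)
        annotated.append({**rec, "candidates": n, "identifies_individual": n == 1})
    return annotated


def is_personal_data(records, register, keys=QUASI_IDENTIFIERS):
    """True if any record in the dataset can be linked to exactly one person."""
    return any(r["identifies_individual"] for r in linkage_risk(records, register, keys))


if __name__ == "__main__":
    for row in linkage_risk(BUSINESS_RECORDS, PUBLIC_REGISTER):
        print(row)
    print("dataset contains personal data:",
          is_personal_data(BUSINESS_RECORDS, PUBLIC_REGISTER))
```

The two Bob rows stay ambiguous (two Bobs in Capital City), but the Alice row resolves to one person, so the dataset as a whole has to be handled as personal data. The same function is the check to run before declaring a dataset “anonymous”: the answer depends on what other data exists, not on whether your own table has a name column.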
This broader definition of personal data is one of the significant differences between the GDPR and DPD.
To Whom Does GDPR Apply?
The GDPR applies to businesses that target EU data subjects in the following instances: 1) offering goods or services or 2) monitoring online behavior. So, if you are based in the US, sell goods to customers in the EU and other areas where the GDPR applies (Iceland, Liechtenstein, Norway, and Switzerland), and collect the personal data of those customers, then the GDPR applies to you.
It also applies to monitoring the online behavior of GDPR data subjects. An example might be tracking your website visitors from these jurisdictions and collecting that personal data.
So, if you operate your business from outside Europe, don’t presume you are exempt from the EU. The GDPR applies to organizations operating within the EU and those worldwide that target — directly or indirectly — individuals in the EU.
Any European citizen who has their data collected by a company is a data subject under the GDPR. The company that processes that EU citizen’s data is known as the data controller. If a third party is employed to handle data processing (such as a payroll company), that third party is the data processor.
Most of the world’s largest companies are subject to the GDPR, including many small businesses in the United States with European customers.
When Did the GDPR Take Effect?
The GDPR implementation date was May 25, 2018, a full two years after its 2016 approval, giving businesses, in theory, plenty of time to prepare. However, many organizations remained unclear about GDPR requirements and whether they were even subject to the legislation. This uncertainty, and the lack of preparation that came with it, put them at risk of hefty fines for noncompliance.
What are the Consequences of Violating the GDPR Regulation?
There are two tiers of fines for violating the GDPR. Companies that breach the regulation face a maximum penalty of €24 million ($23 million) or 4% of their annual global turnover (whichever is higher). Less severe infractions top out at €10 million ($12 million) or 2% of annual global turnover.
Enforcement doesn’t have to come in the form of a fine. Authorities can also issue a public reprimand or place restrictions on activity, like banning a company from processing the data of GDPR subjects.
The first significant penalty was issued in January 2019, when Google received a GDPR fine of €50 million for not fully informing users how their data would be used when they set up its Android operating system. Google appealed the fine, but it was upheld by a French court in 2020.
The trend continued later in the year when the UK Information Commissioner’s Office (ICO) issued groundbreaking penalties against British Airways and Marriott ($230 million and $123 million, respectively) for allowing user data to be compromised in data breaches. The British Airways fine was later reduced to $27 million, and the following year Marriott’s was reduced to $25 million.
In a startling example that the GDPR does not just apply to e-commerce, H&M was slapped with a $45 million fine in October 2020 for undertaking extensive employee surveillance at its service center in Nuremberg, Germany. That included “informal talks” with employees, gathering data about religion and family issues, and later using that information in employment and workplace decisions.
It’s important to note that, although these large international companies make news, smaller companies also have to follow the GDPR.
2. GDPR Requirements for Businesses
Companies of all sizes that target customers in the EU must evaluate and adjust their data collection practices to meet the stringent requirements of the GDPR.
These efforts include taking the initial steps to achieve compliance and integrating the fundamental principles of the GDPR into every part of their operations.
What is GDPR Compliance?
Complying with this European regulation on data protection means ensuring data is collected, used, and stored legally. This includes gathering consent from data subjects, disclosing why information is collected and how it is used, and keeping the data secure (i.e., protected from breaches). That is just the starting point — as we’ll see, the GDPR ensures that data subjects always retain control over their data, even after they authorize its use by a corporation.
To become compliant, public authorities and companies that process data on a large scale need to employ a Data Protection Officer (DPO) to oversee their processing activities.
In addition, any company that engages in high-risk data activities, such as processing special categories of personal data (like biometric or genetic data), must complete a Data Protection Impact Assessment (DPIA).
Unfortunately, there’s no such thing as a quick guide — and GDPR compliance is different for every company. Our GDPR compliance and legal requirements guide will help you to figure out where to start.
Seven Core GDPR Guidelines
There are seven key principles to the GDPR that dictate how businesses process data to conform to new EU data protection standards.
1. Lawfulness, fairness, and transparency
Data processing must be legal, and the information collected must be used fairly. Organizations must also not mislead users about how their data is used.
2. Purpose limitation
The purpose of processing must be clear from the start, recorded, and only changed if there is user consent.
3. Data minimization
Only data required for the stated processing purpose should be collected.
4. Accuracy
Reasonable steps must be taken to ensure the collected data is accurate and up to date.
5. Storage limitation
Data shouldn’t be kept longer than necessary.
6. Integrity and confidentiality
Appropriate cybersecurity measures must be put in place to protect the personal data being stored.
7. Accountability
Organizations are accountable for how they handle data and comply with the GDPR.
Additional GDPR Basics and Concepts
To ensure companies abide by its seven core guidelines, the GDPR details several concepts that are integral to successful compliance. These concepts reshape how businesses interact with their customers.
Privacy by Design
Privacy by Design (PbD) means that data protection should be built into the very core of your business. Article 25 states:
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
This practice should ultimately minimize data collection. Think of it this way: plan to limit your collection scope instead of casting a wide net when deciding what data to gather. This will help you better comply with the GDPR and other privacy regulations and develop the business case for your data before it ends up in your databases.
Privacy by Design is not a new concept in the data protection sphere, but only now is it a legal requirement in the EU.
To implement PbD, data protection should be addressed at the product design stage and then proactively kept in mind throughout development.
If your business treats data security as an afterthought, our guide to Privacy by Design principles and best practices will help improve your privacy integrations.
Consent
Under the GDPR, companies must ask users’ permission to process their data; this is called consent. Consent can be withdrawn at any time, and it should be as easy to withdraw as it was to give.
According to Article 4, valid consent is defined as:
“[A]ny freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Information must be accessible and written in a language the average person would understand. Users should know what they agree to exactly, and the use of their data must not go beyond what was specified.
Users must confirm their consent through an explicit action, such as checking a box on a webpage or choosing their settings in an app. Pre-selected options and assumption of consent through inactivity or silence do not constitute the freely given and affirmative action that the GDPR requires.
In other words, consent for personal data collection cannot be the default option. Individuals must actively consent or “opt-in” to data collection.
To describe consent under the GDPR in a nutshell: endless pages of legalese and pre-checked boxes don’t cut it anymore.
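The consent rules above translate directly into how a consent record should be built: consent is collected per purpose, it must come from an affirmative action rather than a pre-ticked box or silence, withdrawal is a single step, and processing is gated on current consent for exactly the purpose in question. The following is an added example, not code from the original article; the `ConsentLedger` class, its method names, the declared purposes and the subject id are this example’s own constructions.

```python
"""Purpose-specific consent ledger illustrating the GDPR consent rules:
opt-in by explicit action only, no pre-checked defaults, withdrawal as easy as
giving, and no processing beyond the purposes the user agreed to.
Added example; names and sample values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(Exception):
    """Raised when an action would violate the consent rules."""


# Purposes are declared up front (purpose limitation); consent is recorded per purpose.
DECLARED_PURPOSES = {"order_fulfilment", "marketing_email", "analytics"}

# Sources that never count as an affirmative action under the GDPR.
NON_AFFIRMATIVE_SOURCES = {"default", "inactivity", "silence"}


@dataclass
class ConsentEvent:
    purpose: str
    given: bool          # True = opt-in, False = withdrawal
    source: str          # the user action that produced this event
    at: datetime


@dataclass
class ConsentLedger:
    subject_id: str
    events: list = field(default_factory=list)

    def record_opt_in(self, purpose, source, was_preselected=False):
        """Record consent for one purpose. Refuses pre-selected defaults and
        'consent' inferred from inactivity, which are not valid consent."""
        if purpose not in DECLARED_PURPOSES:
            raise ConsentError(f"undeclared purpose: {purpose}")
        if was_preselected:
            raise ConsentError("a pre-checked box is not an affirmative action")
        if source in NON_AFFIRMATIVE_SOURCES:
            raise ConsentError(f"consent cannot be assumed from {source}")
        self.events.append(ConsentEvent(purpose, True, source, datetime.now(timezone.utc)))

    def withdraw(self, purpose, source="user_clicked_withdraw"):
        """Withdrawal is one action and never needs more steps than opting in did."""
        self.events.append(ConsentEvent(purpose, False, source, datetime.now(timezone.utc)))

    def has_consent(self, purpose):
        """The most recent event for the purpose decides; no event means no consent."""
        for ev in reversed(self.events):
            if ev.purpose == purpose:
                return ev.given
        return False

    def process(self, purpose, action):
        """Run `action` only if there is current consent for exactly this purpose."""
        if not self.has_consent(purpose):
            raise ConsentError(f"no valid consent for purpose {purpose}")
        return action()


def demo():
    """Walk through opt-in, processing, withdrawal and the resulting block."""
    ledger = ConsentLedger("subject-123")          # constructed subject id
    ledger.record_opt_in("marketing_email", source="user_ticked_unchecked_box")
    sent = ledger.process("marketing_email", lambda: "newsletter sent")
    ledger.withdraw("marketing_email")
    try:
        ledger.process("marketing_email", lambda: "newsletter sent")
        blocked = None
    except ConsentError as exc:
        blocked = str(exc)
    # Consent for one purpose says nothing about another (no bundled consent).
    return sent, blocked, ledger.has_consent("analytics")


if __name__ == "__main__":
    print(demo())
```

Keeping the full event history, rather than a single boolean per user, is what lets the controller demonstrate later that consent existed at the moment processing happened and when it was withdrawn, which is the accountability principle applied to consent.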
Our comprehensive guide to GDPR consent explains this contentious issue in more detail.
3. How Do GDPR Rules Affect Users?
The GDPR’s new rules affect users by giving them more rights and control over how their data is used.
After the GDPR’s effective date, the first change that many users noticed was more website banners asking them to consent to cookies — the use of these increased across Europe by 16%.
In addition to increased consent measures affecting the online experience, there are considerable changes that many users aren’t aware of behind the scenes.
Summary of New GDPR Data Subject Rights
One of the ways that the GDPR has empowered users is by giving them an array of new rights regarding their personal data.
These are as follows:
The Right of Access (Article 15): Individuals can request to view any personal data that has been collected from them. They must also be told why the information was collected and to whom it has been disclosed. This information must be provided within one month and be free of charge.
The Right to Rectify Information (Article 16): If data collected about an individual is inaccurate, the individual has the right to request a correction (rectification). The organization processing the data must respond within one month, and they must correct the information. A data subject can also request the completion of incomplete information.
The Right to Erasure / The Right to be Forgotten (Article 17): After information has been collected about them, individuals can request it be permanently deleted, either because the data is no longer relevant or because the user chooses to withdraw their consent.
The Right to Restrict Data Processing (Article 18): An individual can request to limit how their data is processed when certain conditions apply, such as if the processing is unlawful or if the individual has objected to it.
The Right to Data Portability (Article 20): When users request to view their data, they must receive it in a clear format. The controller who provides this information cannot prevent or impede the data subject’s ability to give the data to another controller. In essence, personal data must easily transfer to another organization.
The Right to Object (Article 21): Individuals can object to the processing of their data in certain situations, such as direct marketing.
Automated Individual Decision-Making (Article 22): Individuals have the right not to be subject to an automated decision-making process that has significant personal effects, like profiling.
Summary of GDPR Data Breach Notifications
Under the GDPR, users must be notified if their data is compromised — for example, through a breach or technical error.
According to Article 33 of the European Union General Data Protection Regulation, a business must inform its supervisory authority of a data breach within 72 hours of first discovering it. Users must then be notified “without undue delay.” The notification must include the nature of the breach, its probable consequences, and the measures the controller plans to take to mitigate the harmful effects.
Data breach notifications are one of the most important changes introduced by the GDPR and are designed to keep companies accountable while giving users peace of mind.
4. GDPR Privacy Laws Worldwide
Over 100 countries have now implemented new data protection laws to regulate the flow of personal data, and there is more legislation to come.
One such law is the California Consumer Privacy Act (CCPA), in effect since January 1, 2020. This law is already controversial and has forced many US companies to rethink their data collection strategies. See our CCPA vs. GDPR infographic to understand the differences between these policies better.
By providing a template for how data privacy legislation should consider territorial boundaries in a digital world, the GDPR has changed the privacy landscape forever.
How are US Companies Affected by the EU GDPR?
US companies had varying responses to the GDPR. Many took a tentative approach to targeting advertisements at European users, whereas others chose to cut off their customer base in EU member states entirely.
Those that made an effort to comply are in a much stronger position now that the CCPA has arrived. Many of its privacy measures are inspired by the GDPR, giving companies who define their compliance efforts early a definite advantage. Companies that abide by the GDPR are better equipped to handle similar privacy legislation in other jurisdictions, including the US.
Although some commentators argue that GDPR-style privacy legislation will never cover all US jurisdictions, now is the ideal time for businesses in the US to become more familiar with EU privacy laws and implement a global data security strategy. This can make them more globally agile because they can access a broader range of customers.
5. What Does GDPR Mean for the Future?
An April 2020 study by McKinsey found that consumers trust companies that don’t ask for too much personal data and react quickly to data breaches. After years of data privacy scandals, it’s evident that customers are demanding more thorough protection of their personal information.
With the GDPR leading the charge to regulate the flow of data, the future of privacy will be shaped by those who make data protection a priority today. Data has immense value to businesses, but companies are increasingly called upon to safeguard the source of that data and make sure their privacy is taken seriously — or face the consequences.