At the forefront of the current data privacy boom is the EU’s General Data Protection Regulation (GDPR) — a European data protection law designed to give individuals more control over their personal information, and the opportunity to interact safely with online platforms.
You’ve heard that the GDPR empowers users, reins in the tech giants, and provides a safe-but-strict framework for conducting business online.
But how exactly does it achieve those things?
Whether you’re a user exploring your rights or a business owner planning your compliance strategy, our What is GDPR? guide explains the key points and answers the most important questions about the GDPR.
1. What is GDPR? An Overview of the General Data Protection Regulation
How to Define GDPR
What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
It’s a regulation designed to unify data protection laws across all member states of the European Union (EU), plus Ireland, Liechtenstein, Norway, and Switzerland, and to give protected users and EU residents more rights and control over how their data is processed.
The GDPR replaces the EU’s Data Protection Directive (DPD) from 1995, and better reflects modern data collection practices.
GDPR Personal Data Definition
Personal data under the GDPR is any information that could be pieced together to identify an individual, such as name, email address, and credit card number.
Now that smartphones and social media are ubiquitous, this information includes location and biometric data (Google Maps and retina scans), IP addresses, plus everything you share online — from your salary to your political opinions.
This broader definition of personal data is one of the major differences between the GDPR and DPD.
Who Does GDPR Apply to?
The GDPR applies to businesses that target EU data subjects.
This means that the new privacy law is applicable not only to organizations operating within the EU, but also to those worldwide that target individuals in the EU.
Any European citizen who has their data collected by a company is a data subject under the GDPR, and the company that processes their data is known as the data controller. If a third party is employed to handle data processing (such as a payroll company), it is the data processor.
Most of the world’s largest companies are subject to the GDPR, including many small businesses in the United States (US) that have European customers.
When Does GDPR Take Effect?
The GDPR implementation date was May 25, 2018 — meaning companies should already be in compliance.
Even though companies have had since 2016 to prepare (when the GDPR was first approved by the European Parliament), many organizations remain unclear about what is required and whether the GDPR applies to them. This puts them at risk of hefty fines for noncompliance.
What are the Consequences of Violating the GDPR Regulation?
Companies that violate the EU General Data Protection Regulation face a maximum fine of €20 million ($23 million) or 4% of their annual global turnover (whichever is higher).
The first significant penalty was issued in January 2019, when Google received a GDPR fine of €50 million (read about the details in our Google GDPR fine summary) for not fully informing users how their data would be used when they set up its Android operating system.
The trend continued later in the year when the UK Information Commissioner’s Office (ICO) issued groundbreaking penalties against British Airways and Marriott ($230 million and $123 million, respectively) for allowing user data to be compromised in data breaches.
Privacy watchdogs believe that the number of fines issued will soar in 2020 and beyond, as regulators catch up on the current backlog of data breaches.
2. GDPR Requirements for Businesses
Companies of all sizes that target customers in the EU must evaluate and adjust their data collection practices to meet the stringent requirements of the GDPR.
These efforts include taking the initial steps to achieve compliance, as well as integrating the key principles of the GDPR into every part of their operations.
What is GDPR Compliance?
Complying with this European regulation on data protection means ensuring data is collected legally, informing users of how it is treated, and keeping data secure (i.e., protected from breaches).
To become GDPR compliant, public authorities and companies that process data on a large scale need to employ a Data Protection Officer (DPO) to oversee their processing activities.
In addition, any company that engages in high-risk data activities, such as processing special categories of personal data (like biometric or genetic data), must complete a Data Protection Impact Assessment (DPIA).
Unfortunately, there’s no such thing as a quick guide to GDPR compliance — but any company can start its compliance journey today.
Seven Core GDPR Guidelines
There are seven key principles to the GDPR that dictate how businesses should process data in order to conform to new EU data protection standards.
1. Lawfulness, fairness, and transparency
Data processing must be legal, and the information collected must be used fairly. Users must not be misled about how their data is used.
2. Purpose limitation
The purpose of processing must be clear from the start, recorded, and changed only if there is user consent.
3. Data minimization
Only data required for the stated processing purpose should be collected.
4. Accuracy
Reasonable steps must be taken to ensure the collected data is accurate and up to date.
5. Storage limitation
Data shouldn’t be kept longer than necessary.
6. Integrity and confidentiality
Appropriate cybersecurity measures must be put in place to protect personal data being stored.
7. Accountability
Organizations are accountable for how they handle data and comply with the GDPR.
Additional GDPR Basics and Concepts
To ensure companies abide by its seven core guidelines, the GDPR details several additional features that are integral to successful compliance. These concepts reshape how businesses interact with their customers.
Privacy by Design
Privacy by Design (PbD) means that data protection should be built into the very core of your business. Article 25 states:
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
This practice should ultimately minimize data collection. Privacy by Design is not a new concept in the data protection sphere, but only now is it a legal requirement in the EU.
To implement PbD, data integrity should be secured in the design stages of a product, and then proactively kept in mind throughout development.
Consent
Under the regulations of the GDPR, companies must ask users’ permission to process their data. This is called consent.
Consent can be withdrawn at any time — and it should be as easy to withdraw it as it was to give it.
According to Article 4, valid consent is defined as:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Information must be accessible and written in language the average person would understand. Users should know exactly what they’re agreeing to, and use of their data should not go beyond what was specified.
In addition, users must confirm their consent through an explicit action, such as checking a box on a webpage or choosing their settings in an app. Pre-selected options and assumption of consent through inactivity or silence do not constitute the freely given and affirmative action that the GDPR requires.
To describe consent under the GDPR in a nutshell: endless pages of legalese and pre-checked boxes simply don’t cut it anymore.
3. How Do GDPR Rules Affect Users?
The GDPR’s new rules affect users by giving them more rights and control over how their data is used.
In addition to increased consent measures affecting the online experience, there are considerable changes behind the scenes that many users aren’t aware of.
Summary of New GDPR Data Subject Rights
One of the ways that the GDPR has empowered users is by giving them an array of new rights regarding their personal data.
These are as follows:
- The Right to be Informed: The GDPR emphasizes transparency in data collection practices, meaning individuals have the right to be fully informed about the collection and use of their personal data.
- The Right of Access (Article 15): Individuals can request to view any personal data that has been collected from them. This information must be provided within one month and be free of charge.
- The Right to Rectify Information (Article 16): If data collected about an individual is inaccurate, the individual has the right to request a correction (rectification). The organization processing the data must respond within one month.
- The Right to Erasure / The Right to be Forgotten (Article 17): After information has been collected about them, individuals can request it be permanently deleted, either because the information is no longer relevant, or because the user chooses to withdraw their consent.
- The Right to Restrict Data Processing (Article 18): An individual can request to limit how their data is processed when certain conditions apply, such as if the processing is unlawful or if the individual has objected to it.
- The Right to Data Portability (Article 20): When users request to view their data, it must be given to them in a clear format so it can be easily transferred to another organization.
- The Right to Object (Article 21): Individuals can object to the processing of their data in certain situations, such as direct marketing.
Summary of GDPR Data Breach Notifications
Under the GDPR, users must be notified if their data is compromised — for example through a breach or technical error.
According to Article 33 of the European Union General Data Protection Regulation, a business must inform its supervisory authority of a data breach within 72 hours of when the problem is first discovered. Users must then be notified “without undue delay.”
Data breach notifications are one of the most important changes introduced by the GDPR and are designed to keep companies accountable while giving users peace of mind.
4. GDPR Privacy Laws Worldwide
Over 100 countries have now implemented new data protection laws to regulate the flow of personal data, and there is more legislation to come.
One such law is the California Consumer Privacy Act (CCPA), in effect since January 1, 2020. This law is already controversial and has forced many US companies to rethink their data collection strategies. See our CCPA vs GDPR infographic to understand the differences between these policies.
By providing a template for how data privacy legislation should consider territorial boundaries in a digital world, the GDPR has changed the privacy landscape forever.
How are US Companies Affected by the EU GDPR?
US companies had varying responses to the GDPR. Many took a tentative approach to targeting advertisements at European users, whereas others chose to cut off their customer base in EU member states entirely.
Since the GDPR legislation came into effect, over 1000 major US publications have blocked users who are EU citizens, rather than risk noncompliance.
However, those that made the effort to comply are in a much stronger position now that the CCPA has arrived. Many of its privacy measures are inspired by the GDPR, giving companies who define their compliance efforts early a definite advantage.
With the CCPA in effect and companies like Microsoft supporting an American version of the GDPR, now is the ideal time for businesses in the US to become more familiar with EU privacy laws and implement a global data security strategy.
5. What Does GDPR Mean for the Future?
According to a recent survey of US consumer attitudes, 64% of people do not feel organizations are completely transparent about how they use customer data. After years of data privacy scandals, it’s evident that customers are demanding more thorough protection of their personal information.
In fact, data may now be the world’s most important resource. Cyber law experts say it’s a commodity more valuable than oil.
With the GDPR leading the charge to regulate the flow of data, the future of privacy will be shaped by those who make data protection a priority today.