Updated: December 20, 2024
Published: July 21, 2022
By now, you've likely heard of the European data protection regulation, but may not fully understand the general requirements of GDPR — especially if your company operates outside of the EU.
Considered the most significant privacy regulation in 20 years, this set of regulations — established in 2018 — is a substantial step up from the EU's previous data protection directive.
The new initiative transforms how organizations in every sector handle personal data and, for the first time, gives people a say over who collects their data, when it's collected, and how it's used.
With this regulation, companies can't just clean up the mess and say "sorry" after a personal data breach. They also can't collect and use consumer data without oversight or plainly worded disclosures. Stiff GDPR fines and penalties now exist for data breaches and data privacy violations.
To prove your organization's compliance with the GDPR, you must take steps to protect a data subject’s privacy from the get-go. Transparency is the name of the game — a new notion to many organizations that have traditionally put data privacy on the back burner.
GDPR compliance can seem overwhelming, but in the long-term, we expect to see better user/customer experiences, fewer data breaches, and greater trust between consumers and organizations regarding personal data.
Since its advent in 2018, many have celebrated the General Data Protection Regulation: In terms of protecting people’s privacy, it’s a game-changer (and a big one). But for the countless companies attempting to navigate all of its nuances and layers, the GDPR can cause confusion and, for many, frustration.
To help you understand it better, we’ve compiled a list of essential facts about GDPR rules and regulations. Use these as your guide to improving your organization's data security, protecting your data subjects' personal information, and avoiding non-compliance issues. We recommend reviewing the need-to-knows below but have also condensed these steps into a helpful GDPR compliance checklist you can access.
The European Parliament approved the General Data Protection Regulation in 2016 to replace a data protection initiative from 1995, but changes weren't enforced until 2018. For U.S. companies that believe they’re exempt from GDPR because they don’t do business with folks across the pond, think again.
The GDPR changes apply as much to countries outside the EU as they do to EU member states. If any organization, EU or otherwise, offers goods or services to EU data subjects, they're on the hook. This helpful checklist, provided by GDPR, prepares U.S. companies for the associated regulations and requirements.
GDPR requirements govern almost every data point an organization collects, across every conceivable online platform, especially if it's used to uniquely identify a person. The GDPR also covers data routinely requested by websites, like IP addresses, email addresses, and physical device information. Types of personal data protected under the GDPR include:
As you can imagine, "basic identity information" is a broad category. It includes user-generated data, like social media posts, personal images uploaded to websites, medical records, and other uniquely personal information commonly transmitted online. Yes, that means organizations must protect your tweets and Facebook statuses.
The GDPR establishes eight rights that apply to all users. To achieve compliance, your organization must respect the following rights or face severe penalties:
The right to access: Individuals may request access to their personal data. They may also ask about how their data is used, processed, stored, or transferred to other organizations. You must provide an electronic copy of the personal data, free of charge, upon request.
The right to be informed: Individuals must be informed and give free consent (not implied) before gathering and processing their data.
The right to data portability: Individuals may transfer their data from one service provider to another at any time. The transfer must happen in a commonly used and machine-readable format.
The right to be forgotten: If users are no longer customers or withdraw their consent to use their personal data, they’re entitled to erasure of personal data.
The right to object: If a user objects to your use or processing of their data, they can request that you stop; there are no exceptions to this rule. All processing must stop as soon as the user makes this request.
The right to restrict processing of personal data: Individuals can ask you to stop processing their data or stop a certain kind of processing. Their data can remain in place if they choose.
The right to be notified: Data subjects have the right to be notified in the event of a personal data breach that compromises their personal data. This must happen within 72 hours of breach discovery by your organization.
The right to rectification: Users can request that you update, complete, or correct their personal data.
These rights give individuals considerable power over their data. They now have myriad tools to limit and prohibit organizations from using their personal information.
If your U.S. company processes personal data of EU residents but doesn’t have a European presence, it’s time to get one. Selling products or services online to customers in the EU — or simply having EU-based visitors to your site — means you must comply. A representative located in the European Union serves as the point of contact for EU supervisory authorities and data subjects, and maintains your processing records.
If you don't already have a subsidiary, corporate affiliate, or external data protection officer in EU territory, you can name an unaffiliated person or entity. Consider a "GDPR Representative as a Service," where you pay a U.S. company a flat fee to name one of their EU representatives to act as yours. Then, you list them as your EU contact to satisfy the GDPR. It's a fast and easy way to achieve GDPR compliance.
The GDPR is a complete shift in thinking, and it's safe to say many U.S.-based organizations are still scratching their heads. In the GDPR’s first few years, companies were granted a grace period to get up to speed.
These days, companies must at least prove to officials that they’re actively working toward accountability and compliance. GDPR penalties for non-compliance are tiered and can be as high as 2% of annual global turnover of the preceding fiscal year.
GDPR compliance means adopting the principle of affirmative consent. This requires a switch from an "opt-out" approach to an "opt-in" approach concerning data collection and processing.
Instead of assuming user consent (by opting them in automatically and providing an opt-out method), you now must obtain explicit permission before you collect, store, and process their personal data. This new approach applies to everything, even if you're just adding a customer's email address to your newsletter list.
Additionally, users don't just have the right to decide whether you collect and use their data; they can also determine how you use it. They have the legal right to question and appeal how their personal information is presented to themselves and to others.
For instance, a user might object to Google's use of their data to refine its algorithms and show content to other users. Or a user might choose to opt out entirely at any point under their right to be forgotten — in which case, it's your responsibility to scrub their data from your systems.
Does anyone read a data privacy policy, let alone its fine print? Not so much, a 2019 Pew study finds. In fact, just 1 in 5 adults say they always (9%) or often (13%) read a privacy policy before consenting.
It’s possible people aren’t reading privacy policies because, too often, they can be tangled webs of legal jargon. For that reason, the GDPR prohibits organizations from hiding behind illegible terms and conditions that are difficult to understand.
Instead, the GDPR requires organizations to clearly define their data privacy policies and make them easily accessible. They must explain how they engage in personal data processing and what they do with it. Further, they can't write privacy policies that absolve them from responding to a data breach.
There's another caveat: Your organization must also know and monitor your vendors (and their privacy policies) to ensure they comply when handling your EU data subjects' data. Under the GDPR, you could be held accountable for their compliance (or lack thereof).
When a personal data breach occurs and threatens consumer privacy rights, companies must report the incident within 72 hours of becoming aware of the breach. Data processors (typically the data protection officer) must notify their customers immediately.
This may be one of the most significant changes in practice for U.S. companies, especially after a few large-scale breaches, like the one involving Equifax in 2017. It took the credit monitoring firm six weeks to report that breach, which affected upward of 143 million Americans.
According to the GDPR, companies that fail to comply can pay hefty fines for such behavior. The new requirements force companies to take data breaches more seriously and implement security measures to protect their data subjects.
GDPR gives consumers (i.e., data subjects) the right to ask companies for information held about them. Within a month’s time, companies must be able to fulfill the request.
Data subject access requests force organizations to know at all times where collected data resides, what information is being collected, how it is being used and by whom, and when it is being accessed.
If the consumer finds an error, the organization must correct it (called "rectification").
If the customer opts to invoke their "right to be forgotten," the company must erase their data (called "erasure"). If the consumer doesn't like how their personal data is collected and used, they can object.
As you can imagine, this is one of the most significant portions of the data protection law: It enforces transparency surrounding personal data and information that organizations store and process.
Bottom line? Organizations can no longer hide what they know.
Most U.S.-based organizations are behind when it comes to having this data at their fingertips. Big data is big, and it isn't always in the same place. Customer data can be in core operational systems, cloud applications, online file-sharing services, removable media, physical storage cabinets, temporary files, sandbox systems, backup systems, and employee devices (just to name a few).
Ultimately, gaining control over this data benefits both the organization and the consumer. A 2018 Forbes article listed five of these benefits, but one in particular continues to win the day: a hefty boost in ROI.
In fact, according to a 2021 Forrester Total Economic Impact report, companies that invested in data privacy/security saw a whopping 152% return on investment, including recovered investment costs in just six months.
For data controllers, the General Data Protection Regulation creates a legal obligation to hire a data protection officer, or DPO.
This enterprise security leadership role is responsible for: overseeing a company's data protection strategy; monitoring data storage and data transfer operations; educating and training employees on regulatory compliance; implementing policies to ensure GDPR compliance; responding to data subject access requests; and serving as a point of contact between the organization and GDPR supervisory authorities.
You must hire one if...
The size of your organization is irrelevant here. What matters is the size of your data processing operation. But as you're probably thinking, "large-scale" and "large volumes" are nebulous terms. Unfortunately, the GDPR doesn't offer clear definitions, so we must make our best guess for now (or until the regulation is amended or clarified in the courts).
Like many organizations, you may use a cloud-based storage provider to house your data (like Microsoft Azure, Google Cloud, or Amazon Web Services). This practice does not off-load your data processing responsibilities to the cloud storage provider. Many organizations make the mistake of assuming their cloud storage providers are GDPR compliant, but that’s not always the case.
To ensure GDPR compliance, both controllers and processors must be compliant. Additionally, both the cloud provider and the systems used to integrate it must abide — yet another reason it's helpful to hire a data protection officer.
Remember, the purpose behind GDPR is to protect consumers on data privacy issues. It's an ambitious, far-reaching piece of legislation designed to safeguard the public’s privacy and provide agency over their data.
There's no doubt that GDPR compliance creates challenges for all organizations, especially those that rely heavily on robust data processing. Compliance requires one-time and recurring costs, new policies and procedures, education and training, and even extra staffing.
Framers of the GDPR are aware of those challenges. Still, while they understand your frustration, they feel — and we agree — that the rights of the data subject are paramount, even at the expense of user experience. At a time when nearly every conceivable data point of our lives is stored online, we are remarkably vulnerable to theft and exploitation. Thus, we require concrete safeguards for better protection.
No matter the size of your organization, EU supervisory authorities will penalize your business for non-compliance. Yes, even small businesses fall on the GDPR radar.
Still, while it’s critical that you comply, the regulation is massive and complex. With Osano, you gain GDPR compliance instantly.
We serve as your GDPR representative, monitor your vendors, help you respond to access requests, and alert you about new or changing privacy laws with advice on how to prepare. Let Osano make it simple.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.