The European Union has become a leader in consumer protection with its data privacy law: the General Data Protection Regulation (also called the GDPR). This groundbreaking policy establishes hundreds of pages of responsibilities and requirements for organizations all over the world.
To learn more and to get answers to some of the most frequently asked questions about this law, check out our Ultimate Guide to the GDPR.
If the GDPR sounds complicated, don't worry. In this overview, we're going to help you understand everything you need to know about the regulation, how to stay compliant, and how to protect your users, customers, and subscribers in the new age of data privacy.
The General Data Protection Regulation is, undoubtedly, the most substantial data privacy law in the world. It codifies privacy laws for all individual citizens and businesses of the European Union (EU) and the European Economic Area (EEA). It provides flexibility for certain aspects of the regulation to be adjusted by individual member countries.
What's interesting about the GDPR is that even though it was drafted and passed by the European Union, it addresses the transfer of personal data outside the EU countries. The law extends its jurisdiction to any company doing business with or processing the personal data of an EU citizen, regardless of the company's location. This jurisdiction imposes obligations on organizations outside of the EU if they collect or process data on EU residents. Organizations anywhere can be penalized if they fail to meet security standards or violate an EU citizen's privacy. Fines are harsh, sometimes reaching tens of millions of euros.
At a time when more people than ever are entrusting their personal information to cloud services and data breaches have never been more prevalent, the European Union draws a hard line in the sand with the GDPR. But even though the regulation is far-reaching, it's light on specifics. Unclear guidance makes GDPR compliance a challenge for organizations like yours.
Europe's history of data protection laws dates back 70 years. The GDPR was inspired by the 1950 European Convention on Human Rights, which establishes a right to privacy for Europeans. It says, “Everyone has the right to respect for his private and family life, his home and his correspondence.” It was on this basis that the European Union sought to enshrine privacy rights through law.
As technology advanced and people began to live and work on the Internet, the EU recognized the need for digital protections. In 1995, the EU passed the Data Protection Directive 95/46/EC. This directive established minimum data privacy and security standards, but it was up to EU member states to pass privacy laws that comply with the Directive.
But by 2012, the European Parliament realized that the Data Protection Directive wasn't enough. Organizations of all types had begun to collect and process data at unfathomable rates. The existing hodgepodge of privacy laws across the then-28 member states was confusing and insufficient. They started the process of drafting a regulation - the strongest form of legal enforcement in the EU.
After years of debate, the GDPR was adopted on April 14, 2016. It became enforceable on May 25, 2018, replacing its weaker predecessor, the Data Protection Directive.
Before we get into the meat of the GDPR, it helps to understand its essential legal terms. You'll see these terms throughout this article and other documents relating to the regulation and GDPR requirements.
The GDPR requires organizations to abide by Privacy by Design principles. You must implement the appropriate technical and organizational measures to protect the rights of data subjects. Technical measures might include using encryption services where personal data is stored, or working with your vendors to ensure they're using end-to-end encryption. Organizational measures might consist of limiting access to personal data to only the employees who need it, training staff on data privacy and GDPR requirements, or hiring a Data Protection Officer.
Organizations are expected to comply with these principles through all of their data processing endeavors. These aren't hard rules, but they should guide your data collection and processing policies.
Another critical security measure outlined in the GDPR is pseudonymization: transforming stored personal data so that the resulting data cannot be attributed to a specific data subject without the use of additional information. Common tools for this are encryption and tokenization.
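The following is an added example, not code from the original article or from Osano, showing what pseudonymization via tokenization looks like in practice. The record, the `TokenVault` class, and the function names are all hypothetical and constructed for illustration. The point it demonstrates is the one the GDPR definition turns on: the pseudonymized record on its own no longer identifies the person, and re-identification requires the separately held "additional information" (here, the token vault or the HMAC key).

```python
"""Pseudonymizing a customer record by tokenization and keyed hashing.

Added example (hypothetical names and data); it is not part of the original page.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a person and must not appear in the
# pseudonymized copy of the record.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample record; not real data.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "country": "DE",
    "plan": "pro",
}


class TokenVault:
    """Holds the token -> original value mapping.

    This mapping is the 'additional information' in the GDPR sense and has
    to be stored separately (different database, different access controls)
    from the pseudonymized records themselves.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return a random, unrelated token for value; reuse it on repeat calls."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)  # random, carries no information about value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Re-identify a token; raises KeyError for tokens this vault never issued."""
        return self._token_to_value[token]


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Deterministic pseudonym using HMAC-SHA256.

    Unlike a random token it lets records about the same subject be joined
    across datasets, but it cannot be reversed, and without the key it cannot
    even be recomputed to check a guess.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, vault: TokenVault, key: bytes) -> dict:
    """Replace direct identifiers with tokens and add a stable subject reference."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = vault.tokenize(record[field])
    out["subject_ref"] = keyed_pseudonym(record["email"], key)
    return out


def reidentify(pseudonymized: dict, vault: TokenVault) -> dict:
    """Restore direct identifiers; only possible with the vault that issued the tokens."""
    out = dict(pseudonymized)
    for field in DIRECT_IDENTIFIERS:
        out[field] = vault.detokenize(pseudonymized[field])
    del out["subject_ref"]
    return out


def leaks_identifiers(pseudonymized: dict, original: dict) -> bool:
    """Check that no original identifier value survives anywhere in the pseudonymized record."""
    blob = repr(pseudonymized).lower()
    return any(original[f].lower() in blob for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, never beside the data
    pseudo = pseudonymize_record(SAMPLE_RECORD, vault, key)
    print("stored copy:", pseudo)
    print("leaks identifiers:", leaks_identifiers(pseudo, SAMPLE_RECORD))
    print("re-identified:", reidentify(pseudo, vault))
```

The separation is the whole design: the analytics or support system that holds the pseudonymized records never holds the vault or the HMAC key, so a compromise of that system exposes tokens and hashes rather than names and e-mail addresses, which is exactly the situation Article 34's "unintelligible to any person who is not authorized" exemption is describing.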
The GDPR grants a list of privacy rights to data subjects. These rights aim to give people more awareness of and control over their data and how it's used. As an organization, it's essential to understand the nature and scope of these rights so you can stay compliant with the GDPR.
Article 6 of the GDPR explains when it's legal to process personal data. Don’t collect, store, process, or sell data unless you can justify it with one of the following lawful bases:
Once you've determined the justification for processing data, you must document the lawful basis and notify the data subject. If you change the lawful basis at a later point, you must inform the subject of this change.
Prior to processing and notifying data subjects, businesses should go through a Data Protection Impact Assessment. This process helps identify and minimize data protection risks of a project.
Under the GDPR, before processing any personal data, a business must ask for explicit permission from the data subject using precise language. The cookie banners you've surely seen on every website over the last couple of years are examples of consent requests.
When it comes to asking for consent, the GDPR establishes several strict rules:
The GDPR requires companies to notify all data subjects of a security breach within 72 hours of discovering the breach. This notification method will include as many forms as deemed necessary to disseminate the information in a timely manner, including email, telephone message, and public announcement.
However, an important distinction is that the notice to data subjects is not required if the data controller has implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption (Article 34).
The GDPR requires some organizations to designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse, unauthorized access, and other security breaches. You must appoint a DPO if:
That said, it's smart to appoint a DPO even if you aren't required to. It's good to have someone on staff who understands the GDPR and how it applies to your organization, who can advise people in your organization about their responsibilities, monitor GDPR compliance, and work with supervisory authorities in the event of a data breach or other issue.
If you're an organization based outside the EU, you must also appoint an EU-based person as a representative and point of contact for your GDPR obligations (Article 27).
The penalties laid out for violations of the GDPR are significant. Under the law, organizations found to be in violation can be fined up to 4% of annual global revenue or €20 million, whichever is greater.
The most notable recent enforcement actions include the €50 million fine assessed against Google in January 2019 by the French data regulator (CNIL). The CNIL found that Google was in violation of Article 21 of the GDPR because it had not sufficiently informed users about how it collected their personal data and used it for personalized advertising.
Other significant enforcement actions include the UK's ICO levying fines of €110,390,200 on Marriott International, Inc. and €204,600,000 on British Airways in July 2019. Both companies were found to have violated GDPR Article 32 for having insufficient technical and organizational measures to ensure information security, following a breach at each company.
The initial years of GDPR implementation have brought progress and difficulty. Companies are still struggling to achieve compliance, but the new mandate has increased efforts to improve data security and avoid human error. It has also brought greater public awareness, with European Internet users exercising their rights under the GDPR and demanding more data security and transparency from companies.
As an organization, you'll want to apply data protection principles when designing any new product, activity, or offer. Whenever you collect or process information about a data subject, ask yourself whether doing so violates, or could violate, their privacy rights.
If you're ready to take your GDPR compliance seriously, sign up with Osano. Osano is an easy-to-use data privacy platform, "compliance in a box," that instantly helps your website become compliant with the GDPR and other privacy laws, such as the CCPA and New York's SHIELD Act.