What is the General Data Protection Regulation (GDPR)? Everything You Need to Know
Learn about the General Data Protection Regulation (GDPR) and the requirements for compliance in Data Protection 101, our series on the fundamentals of information security.
A Definition of GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/ec in Spring 2018 as the primary law regulating how companies protect EU citizens' personal data. Companies that are already in compliance with the Directive must ensure that they are also compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.
GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
Who is Subject to GDPR Compliance?
The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.
Requirements of General Data Protection Regulation
The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
- Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
- Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
- Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
- Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
- Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs. Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
- Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
- Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
- Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
GDPR Enforcement and Penalties for Non-Compliance
In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. SAs have more authority than in the previous legislation because the GDPR sets a standard across the EU for all companies that handle EU citizens’ personal data. SAs hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case and the SA may choose whether to impose their corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.
GDPR Applies to All Who Reach European Citizens
In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. By complying with GDPR requirements, businesses will avoid paying costly penalties while improving customer data protection and trust.
Now that this privacy regulation is active, websites that do not comply will be inaccessible in European states. Most notable among the list of sites temporarily blocked were the Chicago Tribune and LA Times. If your organization’s site collects any of the regulated data from European users — it is liable to comply to GDPR.
Will the United States Embrace Data Privacy Laws?
Increased public and political scrutiny have thrown American data privacy into the spotlight. At the moment, there is no federal data privacy legislation. However, there have been increasing discussions on the topic. The conversation took a high profile turn with the congressional hearings of Facebook founder Mark Zuckerberg. Many states have instituted laws of their own, the most notable to date being the California Consumer Privacy Act.
According to an Ovum report, about two-thirds of companies in the United States may be rethinking their strategy in Europe as a result of GDPR. However, as companies anticipate an increase in data privacy regulations in the United States, some are realizing that it may be time to implement more stringent data protection measures across the board.
Best Practices for GDPR
An Important EU Data Protection Law
All organizations, from small businesses to large enterprises, must be aware of all GDPR requirements and be prepared to comply with them going forward. For many of these companies, the first step in complying with GDPR is to designate a data protection officer that will build a data protection program to meet GDPR requirements. Once compliant, it is important to stay informed of changes to the law and enforcement methods. The BBC has a GDPR topic page covering current news stories around enforcement and other subjects.
Steps to Ensure GDPR Compliance
Physically Read the GDPR
While there are sections which are difficult to decipher and feature more legal language, every person in a position to be affected by GDPR should attempt to read and understand this landmark legislation.
- Look to Other Organizations
Businesses all over the world are affected by GDPR, not just those in the European Union. If you, or those in your organization, still lack understanding about the needed steps to reach compliance — reach out to those who are compliant. Many businesses will likely share the steps taken to reach compliance.
- Pay Close Attention to Your Website
Cookies, opt-ins, data storage and more are things that can be easily setup on a website. Their compliance with GDPR is another matter entirely. While many tools used to collect and store contact data have allowed for compliance, it’s up to you to make sure you’re compliant.
- Pay Closer Attention to Your Data
All data in your organization must comply with GDPR if you have a presence (either digitally or physically) in the E.U. Properly map out how data enters, is stored and/or transferred and deleted. Knowing every route personal information can take is vital to preventing breaches and ensuring proper reporting in the event of data loss.
Additional Resources on GDPR Compliance
- GDPR Survival Kit
- Bloor Analyst Report: Overcoming GDPR Compliance Challenges
- EU GDPR Portal
- The European Commission’s Official Page for GDPR
- Top Considerations When Choosing a DPO (Data Protection Officer)
- The United Kingdom Information Commissioner’s Office’s Guide to the General Data Protection Regulation
- What Does GDPR Mean for Global Data Protection? (Infographic)
- Digital Guardian for GDPR
- Hubspot’s GDPR Checklist
- How to Comply with GDPR