What is GDPR (General Data Protection Regulation)?

Data Security Knowledge Base

What is GDPR (General Data Protection Regulation)?

The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/ec in Spring 2018 as the primary law regulating how companies protect EU citizens' personal data. Companies that are already in compliance with the Directive must ensure that they are also compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.

Who is Subject to GDPR Compliance?

The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.

Requirements of General Data Protection Regulation 2018

The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:

Articles 17 & 18

Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).

Articles 23 & 30

Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.

Articles 31 & 32

Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.

Articles 33 & 33a

Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.

Article 35

Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs. Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.

Articles 36 & 37

Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.

Article 45

Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.

Article 79

Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.

GDPR Enforcement and Penalties for Non-Compliance

In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. SAs have more authority than in the previous legislation because the GDPR sets a standard across the EU for all companies that handle EU citizens’ personal data. SAs hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.

The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case and the SA may choose whether to impose their corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.

Will the United States Embrace Data Privacy Laws?

Increased public and political scrutiny have thrown American data privacy into the spotlight. At the moment, there is no federal data privacy legislation. However, there have been increasing discussions on the topic. The conversation took a high profile turn with the congressional hearings of Facebook founder Mark Zuckerberg. Many states have instituted laws of their own, the most notable to date being the California Consumer Privacy Act.

According to an Ovum report, about two-thirds of companies in the United States may be rethinking their strategy in Europe as a result of GDPR. However, as companies anticipate an increase in data privacy regulations in the United States, some are realizing that it may be time to implement more stringent data protection measures across the board.

Best Practices for GDPR: An Important EU Data Protection Law

All organizations, from small businesses to large enterprises, must be aware of all GDPR requirements and be prepared to comply with them going forward. For many of these companies, the first step in complying with GDPR is to designate a data protection officer that will build a data protection program to meet GDPR requirements. Once compliant, it is important to stay informed of changes to the law and enforcement methods. The BBC has an GDPR topic page covering current news stories around enforcement and other subjects.

Additional Resources on GDPR Compliance

Knowledge Base