The European Union General Data Protection Regulation (GDPR) is a data protection ruling that took effect in 2018. It creates one set of guidance and authority to protect the personal data of all EU citizens. The GDPR applies to any organization—not just those based in the EU—that manages data of EU residents and anyone within the European Economic Area (EEA) free-trade zone.
The GDPR establishes three primary classes of data parties: data subjects, controllers, and processors. (Article 28A).
A “data subject” is a person whose data is collected. A “controller” is an organization that determines the conditions, purpose, and means of the processing of the data subject’s personal data. And a “processor” is an organization that processes personal data on behalf of the controller.
Under the GDPR, controllers, and processors may be based anywhere in the world—including the United States. That’s a big change from older EU rules.
The fines of not complying has changed and is also much higher than the old rules. For example, the data protection supervisory authority may impose fines and penalties of up to 4% of annual turnover or EUR 20 million, whichever is higher.
The primary driver for the GDPR is the EU’s goal of building a digital single market. The following principles drive your GDPR requirements.
All data subjects have the right to be informed about personal data processing and purpose. And they must give explicit consent. (Articles 7, 10, 11 and 12). GDPR marks a huge shift for most businesses. You must change your data-processing mindset from opt-out to opt-in.
The GDPR defines specific conditions under which processing personal data is allowed (Article 6). You may process personal data if doing so is necessary to:
- Provide the product or service the subject has requested
- Comply with a legal obligation
- Protect the vital interests of the data subject or anyone else
- Perform a task in the public interest or under an official authority vested in you
- Pursue other legitimate interests—except when they conflict with the interests or basic rights and freedoms of the data subject, especially children
With GDPR, the level of any personal data processing must be proportional to the purpose for collecting it. That means collecting as little data as possible and keeping it no longer than necessary to serve the customer.
You must keep the data accurate and up to date. And you must protect its confidentiality and integrity.
Policy Requirements Explained
At the heart of the GDPR are stronger privacy requirements and enforcement powers, including:
- The right to be erased (first called the “right to be forgotten”). When you have no valid reasons to retain the data and data subjects want some or all of their data erased, you must do so. (Articles 17). Compliance with this rule may be tough for cloud and email service providers. Providers often split data across availability zones, backups and archives.
- Personal data is more than just data used to identify a “natural person.” Under the GDPR, it includes metadata. This includes IP addresses, SIM card IDs, mobile numbers, biometric data, and even stored website cookies. And the GDPR is retroactive. It applies to data collected before GDPR.
- Data portability (Articles 20). People have the right to move their data from one service to another—and keep that data intact, protected and private.
- Upon request, data controllers must inform data subjects if their data is subject to processing (Article 15).
- Increased governance for protected data. These include conditions of consent, records of processing, and stronger breach notification specifics (Articles 7, 30, 33-34).
- Anyone processing or storing EU citizen personal data may need a data protection officer (DPO) (Articles 35-37) The GDPR is explicit about the role of the DPO and its specifics. Further, data controllers and data processors based outside the EU presence must install a representative in an EU-member state where data subjects reside.
- You must be able to meet the stringent breach detection and notification requirements (within 72 hours of becoming aware of it).
Data Protection by Design, Default, and Security of Processing
Three driving directives of the GDPR are data protection by design, by default, and security of processing.
Data protection by design refers to the means and safeguards data controllers must take to meet the GDPR. These include technical and organizational means.
Similarly, data protection by default says you must collect, process, and store only the personal data necessary to provide an agreed service. (Articles 25 and 32).
Security of processing dictates the use of the right technical and organizational measures to ensure a level of security proportional to the risk of disclosure. Not following these mandates may result in steep GDPR penalties.
Not Just Customer Data
The three drivers of transparency, legitimate purpose, and proportionality apply beyond customer data. They also apply to employee data.
Many organizations collect and process employee internet use data for information security means: stopping malware, blocking the transfer of intellectual property, protecting other worker’s rights, and so on. Proportionality is the guide here. You must weigh employees’ rights to data protection against your own security needs.
Know Your Data
Under GDPR rules, you must know what kind of data you are collecting, processing, and storing. For example, the GDPR is explicit about avoiding processing personal data to determine a range of traits, including race, ethnic origin, political opinions, religious or philosophical beliefs, unless specific exclusions apply (Articles 9).
The only way to ensure you have a valid reason for collecting the data is to fully understand the data itself.
The GDPR will affect many organizations around the world—no matter where they’re based. And complying with the new rules will be no small feat.
Here’s a short checklist for addressing GDPR:
- Know your data-protection directives. This includes data of both customers and employees.
- Run a data protection impact assessment (DPIA) (Article 35). The DPIA looks at all touchpoints for an EU citizen’s protected data. This is independent of where data processing or storage occurs. The DPIA output should be a detailed risk assessment.
- Address the right to erasure, data portability, as well as breach detection and notification. This requires strong enterprise technical and organizational controls, procedures, and governance.
- If you have more than 250 employees may have to have a DPO, even if you’re based in the United States.