What is GDPR?
The European Union General Data Protection Regulation (GDPR) is a data protection regulation that took effect in 2018. It creates one set of guidance and one authority to protect the personal data of all EU citizens. The GDPR applies to any organization—not just those based in the EU—that manages the data of EU residents or of anyone within the European Economic Area (EEA) free-trade zone.
Summary of GDPR
GDPR defines several objects that handle, process, and secure data. Understanding these definitions will help you get started with GDPR and its policies.
The GDPR establishes three primary classes of data parties: data subjects, controllers, and processors (Article 28A).
A “data subject” is a person whose data is collected. A “controller” is an organization that determines the conditions, purpose, and means of processing the data subject’s personal data. And a “processor” is an organization that processes personal data on behalf of the controller.
Under the GDPR, controllers and processors may be based anywhere in the world—including the United States. That’s a significant change from older EU rules.
Another important GDPR term to understand is personal data. Not all data is protected by the GDPR, only data that can be used to identify an individual. For example, age alone cannot be used to identify someone and would not be covered by the GDPR, but age combined with a name would identify an individual and would be covered.
The fines for non-compliance have not only changed but are also much higher than before. For example, the data protection supervisory authority may impose fines and penalties of up to 4% of annual turnover or EUR 20 million, whichever is higher.
Key Principles of GDPR
The primary driver for the GDPR is the EU’s goal of building a single digital market. The following principles drive your GDPR requirements.
All data subjects have the right to be informed about personal data processing and purpose. They also must give explicit consent. (Articles 7, 10, 11, and 12). GDPR marks a massive shift for most businesses. You must change your data-processing mindset from opt-out to opt-in.
Even if consent is given, data subjects can still withdraw previous opt-in permissions and opt-out in the future. In addition to consent agreements, organizations must keep a paper trail proving consent was given.
Organizations must have a legitimate purpose for collecting data. Efforts should be made to minimize the amount of personal data required to perform business functions. For example, a gaming application does not require healthcare information, so it should not needlessly require data with no business purpose.
The GDPR defines specific conditions under which processing personal data is allowed (Article 6). You may process personal data if doing so is necessary to:
- Provide the product or service the subject has requested
- Comply with a legal obligation (e.g., you receive a court order requesting data)
- Protect the vital interests of the data subject or anyone else
- Perform a task in the public interest or under an official authority vested in you
- Pursue other legitimate interests—except when they conflict with the interests or basic rights and freedoms of the data subject, especially children
- Save the data subject’s life
With GDPR, the level of any personal data processing must be proportional to the purpose of collecting it. That means collecting as little data as possible and keeping it no longer than necessary to serve the customer.
You must keep the data accurate and up to date. And you must protect its confidentiality and integrity. GDPR policies require organizations to bake data protection into their infrastructure design by default and establish a proactive approach to safeguard consumer information.
GDPR Requirements Explained
At the heart of the GDPR are stronger data privacy requirements and enforcement powers, including:
- The right to erasure (first called the “right to be forgotten”). When you have no valid reason to retain the data and data subjects want some or all of their data erased, you must do so (Article 17). Compliance with this rule may be challenging for cloud and email service providers, which often split data across availability zones, backups, and archives.
- Personal data is more than just data used to identify a “natural person.” Under the GDPR, it includes metadata. This includes IP addresses, SIM card IDs, mobile numbers, biometric data, and even stored website cookies. And the GDPR is retroactive. It applies to data collected before GDPR.
- Data portability (Article 20). People have the right to move their data from one service to another—and keep that data intact, protected, and private. This rule also ties in with the consent an organization needs before it transfers or discloses an individual’s information.
- Upon request, data controllers must inform data subjects if their data is subject to processing (Article 15).
- Increased governance for protected data. These include conditions of consent, records of processing, and stronger breach notification specifics (Articles 7, 30, 33-34).
- Anyone processing or storing EU citizens’ personal data may need a data protection officer (DPO) (Articles 35-37). The GDPR is explicit about the role of the DPO and its specifics. Further, data controllers and data processors based outside the EU must appoint a representative in an EU member state where data subjects reside.
- You must be able to meet the stringent breach detection and notification requirements (within 72 hours of becoming aware of it).
Data Protection by Design, Default, and Security of Processing
Three driving directives of the GDPR are data protection by design, by default, and security of processing.
Data protection by design refers to the means and safeguards data controllers must take to meet the GDPR. These include technical and organizational processes.
Similarly, data protection by default says you must collect, process, and store only the personal data necessary to provide an agreed service. (Articles 25 and 32).
Security of processing dictates the use of proper technical and organizational measures to ensure a level of security proportional to the risk of disclosure. Not following these mandates may result in steep GDPR penalties.
These three GDPR principles require the controller to implement appropriate technical measures to protect data and to give the data owner control over that data. Requiring data protection by default forces the organization to obtain consent from the data owner before disclosing it to a third party, and it enforces protection wherever necessary.
Not Just Customer Data
The three drivers of transparency, legitimate purpose, and proportionality apply beyond customer data. They also apply to employee data.
Many organizations collect and process employee internet data for information security purposes: stopping malware, blocking the transfer of intellectual property, protecting other workers’ rights, and so on. Proportionality is the guide here. You must weigh employees’ rights to data protection against your own security needs.
Know Your Data
Under GDPR rules, you must know what kind of data you are collecting, processing, and storing. For example, the GDPR is explicit that personal data must not be processed to determine a range of traits, including race, ethnic origin, political opinions, and religious or philosophical beliefs, unless specific exclusions apply (Article 9).
The only way to ensure you have a valid reason for collecting the data is to fully understand the data itself. You also must understand the need for that data. GDPR requires that you have a legitimate need to collect personal data, which means you cannot needlessly ask for data that is not necessary for business purposes (e.g., to make a sale and ship a product).
GDPR Compliance Checklist
The GDPR will affect many organizations around the world—no matter where they’re based. And complying with the new rules will be no small feat.
Here’s a short GDPR checklist for addressing GDPR compliance:
- Know your data-protection directives and what data must be protected to stay compliant. This includes data of both customers and employees.
- Run a data protection impact assessment (DPIA) (Article 35). The DPIA looks at all touchpoints for an EU citizen’s protected data. This is independent of where data processing or storage occurs. The DPIA output should be a detailed risk assessment.
- Address the right to erasure, data portability, as well as breach detection and notification. This requires strong enterprise and organizational technical controls, procedures, and governance.
- If you have more than 250 employees, you may need a DPO (data protection officer), even if you’re based in the United States.
- Review all aspects of your data collection process including mailing lists and all channels where data is collected.
- Communicate the importance of compliance and GDPR across the organization including marketing.
- Add consent forms on your website pages including a cookie notice that explains the ways cookies collect data and send data to third parties, if applicable.
- Create a verification process for users under 16. The GDPR requires parental consent to collect and use data for children under 16.
- Validate country of residence so that you know if GDPR rules apply to specific users. Note that GDPR also considers IP address as personal data in some cases when it identifies an individual.
- Be prepared to notify regulators of a data breach within 72 hours after the organization becomes aware of a compromise.