What is GDPR and how does it impact the way your business collects and uses data? In this guide, we’re going to explain what GDPR is, the penalty for violation, where it applies, and how businesses can remain GDPR compliant.
Important note: This article is intended for general informational purposes and does not represent legal advice as to any particular set of facts. Please consult the appropriate professional advisor as necessary.
Key Terms To Understand GDPR
To better understand GDPR, here are some definitions for key terms…
- GDPR – General Data Protection Regulation, a legal framework regulating the collection, use, storage and transfer of personal data relating to residents of the European Union
- Personal data – any piece of information that can identify an individual such as: name, email address, phone number, geolocation data, IP address, online identifier, etc.
- Sensitive data – personal information with heightened levels of protection, including: racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health/sex life/sexual orientation, and genetic/biometric data
- Processing – any operation performed on personal data, including collection, storage, use, transfer, or disclosure. (A Processor is a person or company engaged in processing on behalf of a controller; for example, a cloud-based storage provider would be considered a processor. Processors do not decide how the personal data they receive is used; they follow the instructions provided by the controller.)
- Data subject – The individual person whose personal data is processed
- Controller – The entity that collects the personal data and/or decides how it is processed or used
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (“GDPR”) was enacted in 2018, for the purpose of protecting the privacy of European Union (EU) residents’ personal data. GDPR requirements apply to any company offering goods or services to EU residents, or processing EU resident personal data, regardless of where the company is located.
How to Remain GDPR Compliant
There are seven core principles that the GDPR requires organizations to uphold:
- Lawfulness, fairness, and transparency – organizations must have a lawful basis specifically permitted by the GDPR (e.g. consent, contract, legal obligation, legitimate interest) for processing personal data. Organizations should take into account how the processing affects the individual and ensure that personal data is processed in a fair and transparent manner.
- Purpose limitation – organizations must clearly identify, and document, the purposes for which personal data is processed. Personal data must not be used for any new or different purpose without first obtaining consent from the data subject.
- Data minimization – organizations must ensure that the personal data they collect and process is adequate and relevant to the purpose of processing, and limited to what is necessary to fulfill the purpose(s) for which it is processed.
- Accuracy – organizations should ensure that any personal data collected is kept accurate and up to date; any inaccurate data should be corrected.
- Storage limitation – organizations should keep personal data only for as long as necessary to fulfill the purpose for which it was collected, taking into consideration other laws and regulations that may require data retention.
- Integrity and confidentiality – Appropriate security and organizational measures must be in place to protect the personal data from unauthorized access or disclosure.
- Accountability – organizations should document data privacy compliance measures, and identify who is responsible for overseeing the privacy compliance program.
Companies relying on consent as a lawful basis for personal data processing must ensure that consent is (1) freely given, specific, and informed, (2) unbundled from other terms or conditions, and (3) demonstrated by a clear affirmative action by the data subject.
In addition to the above obligations imposed on organizations, the GDPR grants each EU resident the following specific rights pertaining to their personal data:
- Informed – When personal data is being collected, data subjects should be informed of the purposes for which it is being collected, how long it will be retained, who it will be shared with, and other details. For personal data that is collected online, this information can be provided in a website privacy statement.
- Access – Data subjects have the right to access, and receive a copy of, the personal data an organization holds about them.
- Rectification – Data subjects have the right to correct personal data that is inaccurate.
- Erasure – Data subjects have “the right to be forgotten”, or the right to request that their personal data be deleted within a reasonable amount of time.
- Restrict processing – In certain circumstances, data subjects have the right to restrict, or suppress, the processing of their personal data.
- Data portability – Data subjects have the right to obtain, and reuse, their personal data for their own purposes across different platforms or services.
- Object – Data subjects have the right to object to the processing of their personal data. Exceptions may apply.
- Automated decision making and profiling – Data subjects have rights pertaining to decisions being made about them automatically, and special care must be taken when organizations are doing so.
The GDPR also requires that organizations have a plan in place to address data breaches. This should include notification to the applicable data protection authorities within 72 hours of discovery. Other requirements, such as notification to the affected individuals, may apply as well. Finally, companies transferring personal data out of the EU are subject to GDPR data transfer rules, which may require a data transfer agreement including certain EU-approved data protection clauses.
What’s The Penalty For Violating GDPR?
Organizations doing business with EU, UK and Swiss residents can suffer severe penalties for failing to comply with GDPR requirements. While penalties vary, the GDPR allows for fines of up to 4% of an organization’s total global turnover, or €20M — whichever is greater.
The GDPR can be enforced by a number of different entities, including EU member states and independent supervisory authorities (such as the Information Commissioner’s Office in the UK). In some countries the GDPR may allow for a private right of action, meaning individuals may be able to bring claims against organizations directly.
Where Does GDPR Apply?
GDPR requirements apply to personal data for residents of the EU member countries, as well as Iceland, Norway, and Liechtenstein. Although the United Kingdom left the EU in January 2020, the UK has enacted GDPR requirements into local law. Switzerland has also adopted a privacy law equivalent to the GDPR.
Other Regulations To Be Aware Of
While the GDPR is arguably the broadest and most restrictive data protection regulation in the world, it is not the only one. US companies should be aware of California’s Consumer Privacy Act (CCPA), which offers data protections to California residents while also placing obligations on businesses that collect the personal data of California residents.
US businesses should also be aware of the fact that other countries have significant data privacy laws in place governing personal data processing, including but not limited to Brazil, Canada, Japan, New Zealand, and China.
Have More Questions About GDPR?
For more information, visit the following resources…