WhatIs.com

General Data Protection Regulation (GDPR)

By Scott Robinson

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is legislation that updated and unified data privacy laws across the European Union (EU). The GDPR was approved by the European Parliament on April 14, 2016, and went into effect on May 25, 2018.

It replaces the EU Data Protection Directive of 1995. The new directive focuses on keeping businesses more transparent and expanding the privacy rights of data subjects. When an organization detects a serious data breach, it's required by the GDPR to notify all affected people and the supervising authority within 72 hours. Mandates in the GDPR apply to all data produced by EU citizens, regardless of whether the company collecting the data in question is located within the EU, as well as all people whose data is stored within the EU, regardless of whether they're EU citizens. The GDPR also defines penalties for noncompliance.

What is the purpose of GDPR?

The purpose of the GDPR is to protect individuals and the data that describes them and to ensure the organizations that collect that data do so in a responsible manner. The GDPR also mandates that personal data is maintained safely; in part, the regulation says personal data must be protected against "unauthorized or unlawful processing, and against accidental loss, destruction or damage."

Reasons for collecting personal data are also defined in the GDPR; the data that's collected must be for a specific and legitimate purpose and shouldn't be used in any way beyond that intention. The regulation also suggests limits on how much data is collected, saying that data collection should be "limited to what is necessary in relation to the purposes for which they are processed." The GDPR further states that the organization collecting data should ensure it's accurate and updated as necessary.

Under the GDPR, companies can't legally process any person's personally identifiable information (PII) without meeting at least one of the following six conditions:

  1. Express consent of the data subject.
  2. Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
  3. Processing is necessary for compliance with a legal obligation.
  4. Processing is necessary to protect the vital interests of a data subject or another person.
  5. Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.
  6. Processing is necessary for legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

In addition, companies that conduct data processing or monitor data subjects on a large scale must appoint a data protection officer (DPO). The DPO is the figurehead responsible for data governance and ensuring the company complies with GDRP. If a company doesn't comply with the GDPR, legal consequences can include fines of up to 20 million euros ($21.77 million USD) or 4% of annual global turnover. In addition, the person in this role is responsible for ensuring appropriate data protection principles are applied to the maintenance of personal data.

History of GDPR

The roots of the EU's GDPR can be traced back to the 1950 EU Convention on Human Rights, which laid out basic human rights that member states must respect.

As computers became more ubiquitous in the business and governmental spheres, additional regulations were put in place, such as the 1981 Data Protection Convention, which declared privacy a legal right.

The European Data Protection Directive that was enacted in 1995 is most closely related to the GDPR and is seen as that regulation's forerunner.

What data does GDPR protect?

Users must give consent to any company or organization that wishes to collect and use personal data. As defined by the GDPR, personal data is information that relates to "an identified or identifiable natural person" -- referred to as a data subject.

Personal data includes the following types of information:

What are the 7 principles of GDPR?

The GDPR lays out the following seven basic principles on which it bases its regulations and rules of compliance related to personal data:

  1. Lawfulness, fairness and transparency. The data subject must be clearly informed about how their data will be used.
  2. Purpose limitation. Data can be collected only for specific purposes.
  3. Data minimization. The amount of data collected is limited to what is necessary for specific processing.
  4. Accuracy. Organizations collecting data must ensure its accuracy and update it as necessary. Data must be deleted or changed when a data subject makes such a request.
  5. Storage limitation. Collected data won't be retained longer than needed.
  6. Integrity and confidentiality. Appropriate protection measures must be applied to personal data to ensure it's secure and protected against theft or unauthorized use.
  7. Accountability. Data collectors are responsible for ensuring compliance with the GDPR.

The seven principles of the GDPR underlie specific data subject rights, including the following:

Who is subject to GDPR compliance?

All organizations that collect personal data of any citizen of an EU member state must comply with the GDPR. That includes organizations that reside outside the EU -- they still must comply with the GDPR if they're collecting a member state citizen's personal data.

The regulations apply regardless of the method used to collect personal data; this includes data collected by methods other than websites and other internet tools. The GDPR defines the three roles related to personal data as follows:

  1. Data subject. Owner of personal data.
  2. Data controller. The individual or organization determining what personal data to collect and how it will be used.
  3. Data processors. The individual or organization processing personal data for the controller.

Breach notifications

In the event of a security breach that affects stored personal data, the data controller must notify the supervisory authority within 72 hours of the breach. The supervisory authority is defined as the public authority that has been designated by the EU member country to oversee GDPR compliance.

Additional requirements relevant to breach notifications include the following:

Fines and penalties for noncompliance

Penalties for noncompliance or data breaches can be severe. Several criteria are assessed to determine appropriate penalties, including the severity of the breach, the breach's duration, the number of data subjects affected by the breach and the degree of damage that the breach incurred.

Other factors that might influence penalties include the following:

Although the GDPR has been in effect for only a few years, some significant fines have been levied to date by data protection authorities in Europe, in particular, such as the following:

GDPR and third-party data

There are several regulations regarding personal data obtained from parties other than the data subjects and related to sharing of personal data outside the EU.

Some critics expressed concern about the United Kingdom's withdrawal from the EU regarding the effect on the country's compliance with the GDPR. The U.K. has updated its Data Protection Act 1998 with a new law called the Data Protection Act 2018. The new law hews closely to the rules defined in the GDPR, but U.K. companies that do business with customers or other organizations in EU member states are expected to comply with the GDPR.

6 steps to ensure GDPR compliance

The GDPR describes the expected results of good and responsible data management, but it doesn't define any specific technical measures for data collectors must use to meet that goal.

Some best practices to help ensure compliance with the GDPR include the following:

  1. Always ask before collecting personal data; data subjects must be willing participants.
  2. Only collect what you really need; organizations will be responsible for all the data they collect, regardless of whether they use it.
  3. Don't share data with other entities, unless users have agreed, and supervisory authorities have approved the transaction.
  4. Encrypt all personal data -- both at rest and in flight.
  5. Ensure at least two up-to-date and secure backup copies of all personal data are maintained at two separate off-site locations.
  6. Have the tools to easily edit or delete specific items of personal data and to verify and document the actions.

Responsible data management also extends to protecting your credit card information. Learn how cybercriminals steal credit card information and how you can protect yourself from being exploited.

27 Mar 2024

All Rights Reserved, Copyright 1999 - 2024, TechTarget | Read our Privacy Statement