The General Data Protection Regulation (GDPR) is legislation that updated and unified data privacy laws across the European Union (EU). The GDPR was approved by the European Parliament on April 14, 2016, and went into effect on May 25, 2018.
It replaces the EU Data Protection Directive of 1995. The new regulation focuses on making businesses more transparent and on expanding the privacy rights of data subjects. When an organization detects a serious data breach, the GDPR requires it to notify all affected people and the supervising authority within 72 hours. Mandates in the GDPR apply to all data produced by EU citizens, regardless of whether the company collecting the data is located within the EU, as well as to all people whose data is stored within the EU, regardless of whether they're EU citizens. The GDPR also defines penalties for noncompliance.
The purpose of the GDPR is to protect individuals and the data that describes them and to ensure the organizations that collect that data do so in a responsible manner. The GDPR also mandates that personal data is maintained safely; in part, the regulation says personal data must be protected against "unauthorized or unlawful processing, and against accidental loss, destruction or damage."
Reasons for collecting personal data are also defined in the GDPR; the data that's collected must be for a specific and legitimate purpose and shouldn't be used in any way beyond that intention. The regulation also suggests limits on how much data is collected, saying that data collection should be "limited to what is necessary in relation to the purposes for which they are processed." The GDPR further states that the organization collecting data should ensure it's accurate and updated as necessary.
Under the GDPR, companies can't legally process any person's personally identifiable information (PII) without meeting at least one of the following six conditions:
In addition, companies that conduct data processing or monitor data subjects on a large scale must appoint a data protection officer (DPO). The DPO is the figurehead responsible for data governance and for ensuring the company complies with the GDPR; the person in this role is also responsible for ensuring that appropriate data protection principles are applied to the maintenance of personal data. If a company doesn't comply with the GDPR, legal consequences can include fines of up to 20 million euros ($21.77 million USD) or 4% of annual global turnover.
The roots of the EU's GDPR can be traced back to the 1950 EU Convention on Human Rights, which laid out basic human rights that member states must respect.
As computers became more ubiquitous in the business and governmental spheres, additional regulations were put in place, such as the 1981 Data Protection Convention, which declared privacy a legal right.
The European Data Protection Directive that was enacted in 1995 is most closely related to the GDPR and is seen as that regulation's forerunner.
Users must give consent to any company or organization that wishes to collect and use personal data. As defined by the GDPR, personal data is information that relates to "an identified or identifiable natural person" -- referred to as a data subject.
Personal data includes the following types of information:
The GDPR lays out the following seven basic principles on which it bases its regulations and rules of compliance related to personal data:
The seven principles of the GDPR underlie specific data subject rights, including the following:
All organizations that collect personal data of any citizen of an EU member state must comply with the GDPR. That includes organizations that reside outside the EU -- they still must comply with the GDPR if they're collecting a member state citizen's personal data.
The regulations apply regardless of the method used to collect personal data; this includes data collected by methods other than websites and other internet tools. The GDPR defines the three roles related to personal data as follows:
In the event of a security breach that affects stored personal data, the data controller must notify the supervisory authority within 72 hours of the breach. The supervisory authority is defined as the public authority that has been designated by the EU member country to oversee GDPR compliance.
Additional requirements relevant to breach notifications include the following:
Penalties for noncompliance or data breaches can be severe. Several criteria are assessed to determine appropriate penalties, including the severity of the breach, the breach's duration, the number of data subjects affected by the breach and the degree of damage that the breach incurred.
Other factors that might influence penalties include the following:
Although the GDPR has been in effect for only a few years, data protection authorities in Europe have already levied some significant fines, including the following:
There are several regulations regarding personal data obtained from parties other than the data subjects and related to sharing of personal data outside the EU.
Some critics expressed concern about the effect of the United Kingdom's withdrawal from the EU on the country's compliance with the GDPR. The U.K. has replaced its Data Protection Act 1998 with a new law, the Data Protection Act 2018. The new law hews closely to the rules defined in the GDPR, and U.K. companies that do business with customers or other organizations in EU member states are still expected to comply with the GDPR.
The GDPR describes the expected results of good and responsible data management, but it doesn't define any specific technical measures that data collectors must use to meet that goal.
Some best practices to help ensure compliance with the GDPR include the following:
27 Mar 2024