The General Data Protection Regulation (GDPR) is a European Union (EU) regulation for data protection. It applies to the processing of personal data of people in the EU by businesses that operate in the EU. It’s important to note that GDPR applies not only to firms based in the EU, but any organization providing a product or service to residents of the EU. The regulation pertains to the full data life cycle, including the gathering, storage, usage, and retention of data. It also creates the potential for headline-grabbing penalties in the event of data breaches.
GDPR supersedes Directive 95/36/EC, which is the existing EU regulation on data protection. This directive will be repealed on the same day that GDPR comes into force. Consequently, some firms will have to make big changes in how they gather, store, and use personal data. That’s not to say that the regulation is too broad and too hard to meet. Rather, much of what is required could be described as common sense and giving individuals an appropriate level of protection.
The regulation will take effect May 25, 2018. This is the date by which organizations must be compliant.
GDPR introduces some new terms. Organizations should familiarize themselves with these terms to prevent confusion.
Personal data. In relation to GDPR, personal data includes any data relating to a subject that is tied to a specific person or could be used to identify a person, directly or indirectly. Examples of personal data include names, physical addresses, email addresses, and IP addresses that can be tied to an individual.
Genetic data. This includes data relating to a person’s genetic characteristics. Such data could be used to find out information pertaining to an individual’s health, physical condition, gender, and/or ethnicity.
Biometric data. Data captured from physical, physiological, or behavioral characteristics of a person. Examples of biometric data include facial images and fingerprints.
Data concerning health. This type of data relates to physical or mental health, including treatment or health care services received by an individual.
The regulation applies to all businesses (both within and outside of the EU) conducting automated or partially automated processing of personal data for people within the EU as it relates to offering goods or services or monitoring behavior.
Certain activities related to data controllers do not apply to organizations employing fewer than 250 people if they do not process sensitive data. GDPR does not apply to the actions of individual consumers.
Yes. GDPR applies to businesses that process data of people in the EU, whether the businesses have a physical presence in the EU or not. However, GDPR applies only to businesses intentionally offering goods or services to people in the EU.
Under GDPR, any data that could be used to identify an individual must be protected. As with Directive 95/36/EC, pseudonymized data (i.e., data without direct reference to a named individual) is still in scope, though GDPR recognizes that the risks to individuals are reduced when data is pseudonymized.
Organizations defined as data processors, even if they are processing data on behalf of a data controller, are accountable for protecting that data. These firms must report breaches and can be penalized if found to be noncompliant.
It is critical for organizations to demonstrate that they have the consent of a data subject to process the subject’s data. Subjects must give their consent freely, and any written declarations must use plain language that can be understood easily. The subject can withdraw this consent at any time, and the company must be able to remove the subject’s data from all its systems. This rule is often referred to as the “right to be forgotten.” For children, data can be processed only with the consent of a parent or legal guardian. Data subjects are also entitled to make subject access requests to organizations that hold their data, for free.
The largest fines will be imposed on organizations that haven’t even attempted to comply with GDPR. The maximum fine is either €20 million (approx. $24 million) or 4% of the organization’s worldwide annual turnover, whichever is higher.
To avoid GDPR fines, organizations need to communicate the following: