The General Data Protection Regulation (GDPR) is a comprehensive data protection law passed by the European Union (EU).
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, is a comprehensive data privacy law establishing a framework for collecting, processing, storing, and transferring personal data. It requires that all personal data be processed securely, including fines and penalties for businesses not complying with these requirements. It also provides individuals with several rights regarding their data.
Data privacy has been spotlighted as technology advances and data collection grows more prevalent. At its passage, the GDPR was the most comprehensive data privacy regulation. It harmonized separate data protection regulations across the European Union (EU). It also extended those regulations’ reach to non-EU organizations if they process personal data collected in the EU.
The GDPR applies to any company or organization regardless of geographical location if it offers goods and services to people in the EU or monitors their behavior within the EU.
How does the GDPR define ‘personal data’?
The GDPR broadened the scope of personal data to include any information related to a naturally identifiable person. This includes personal details, such as someone’s name and address, and any other information that could be used to identify someone, including their IP address and specific cookie identifiers associated with a web browsing session.
What are the GDPR requirements for data controllers and data processors?
The GDPR defines data controllers as entities that make decisions about the means and purposes for which personal data is collected and processed, and it defines data processors as entities that process personal data, typically on behalf of a data controller.
The GDPR also lays out seven fundamental principles for how data controllers and processors should handle personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
In addition to describing these principles in detail, the GDPR requires several specific actions that data controllers and processors must take. Some of these include:
- Record keeping: Data processors must keep records of their processing activities.
- Security measures: Data controllers and processors must regularly use and test appropriate security measures to protect the data they collect and process.
- Data breach notification: Data controllers that suffer a personal data breach must notify appropriate authorities within 72 hours, with some exceptions. Usually, they also have to notify the individuals whose personal data was affected by the breach.
- Data Protection Officer (DPO): Companies that process data may need to hire a Data Protection Officer (DPO). The DPO leads and oversees all GDPR compliance efforts.
The complete requirements for data controllers and processors are described in the GDPR.
What rights do data subjects have under the GDPR?
The GDPR defines a data subject as “an identified or identifiable natural person.” Data subjects have the following rights:
- Right to be informed: Data subjects must be given easy-to-understand information about how their personal data is collected and processed
- Right to data portability: Data subjects can transfer their data from one data controller to another
- Right of access: Data subjects have the right to obtain a copy of collected personal data
- Right to rectification: Data subjects can correct inaccurate data about themselves
- Right to erasure: Data subjects can request that their data be deleted (also called the right to be forgotten)
- Right to restrict processing: Under certain circumstances, data subjects can limit the way their personal data is being processed
- Right to object: Data subjects have the right to object to the processing of their personal data, and under certain circumstances, the data controller or data processor will be obligated to comply with the data subject’s objection
- Right to object to automated processing: Data subjects can object to a decision that legally affects them that is based solely on automated data processing
What are the penalties for violating the GDPR?
The GDPR describes the fines that are to be imposed on businesses that violate its policies.
There are two tiers of fines under the GDPR, with each tier corresponding to a different category of violation:
- First tier: A violation results in a maximum fine of either €10 million or 2% of the business’s worldwide annual revenue, whichever is higher.
- Second tier: A violation results in a maximum fine of €20 million or 4% of the business’s worldwide annual revenue, whichever is higher.
In addition to these fines, data subjects can seek compensation for damages when a business violates the GDPR.
