What is GDPR? Defined, Explained, and Trends
Data protection and privacy have been global buzzwords for several years now. In the United States, most states are working on several laws that will restrict what private information companies and other organizations can collect and use.
One piece of legislation that has changed the data protection landscape is the European Union’s General Data Protection Regulation (GDPR). Put simply, GDPR is the world’s most rigid privacy and security law. Despite the law originating in Europe, it has far-reaching implications for organizations worldwide.
We’ve teamed up with Vaibhav Mehrotra, Co-Founder and CEO of Secuvy Inc, to get a closer look at the law itself and its implications for U.S. data protection and privacy. Secuvy offers a Contextual Intelligence Platform for Data Privacy, Security & Governance. The company’s data-oriented approach automates Data Discovery, Classification & Assessments for Fortune 1000 companies. Unique Contextual-AI Privacy Workflows that understand an individual’s identity and correlate it to that individual’s personal data are a key use case in global privacy laws.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation came into effect in May 2018. Its primary purpose is to give individuals more control over their personal data and how corporations or other organizations are using this sensitive data. EU legislators were also hoping to modernize and streamline existing data protection laws across its member states.
When the GDPR was passed, it sent a signal worldwide, clarifying the EU’s position on data protection. Since the advent of the internet and digital technology, consumers have entrusted a growing amount of sensitive personal data to businesses and others. As cloud services are expanding worldwide, the need to process data and protect it continues to grow.
As more institutions gather and process larger amounts of data, breaches have become more common. Some of them have made headlines; others have gone largely unnoticed. The GDPR aims to limit those breaches by imposing harsh fines on companies that do not comply. Some of those fines can reach tens of millions of euros.
Compliance has brought challenges for those affected because of the law’s broad reach and few specifics. Smaller and medium-sized companies have found it especially difficult to understand what is required from them and which procedures they need to change. As the law continues to be interpreted, best practices for data handling and processing continue to evolve.
What is the history of GDPR?
The GDPR is not the European Union’s first attempt at legislating privacy and data protection. In fact, the right to privacy was included in the European Convention on Human Rights of 1950. The convention protected the private and family life of individuals and their homes and correspondence.
Those protections may have been sufficient over 70 years ago. Since then, the data protection and privacy landscape has changed almost beyond recognition, thanks to the advent of technology. The rise and widespread use of home computers are part of this transformation. But it was really the creation of the internet that proved most influential and resulted in a growing need for stricter protections.
In 1995, the European Union passed the European Data Protection Directive. This law created the foundation on which EU member states built their own data privacy laws. But the minimal data security and privacy standards set by the directive struggled to keep up with the internet’s fast spread.
As banner ads started appearing and banks invented online banking, more people trusted the internet with more of their data. Another major transformation was set in motion in 2006 when Facebook opened its virtual doors and started the meteoric rise of social media.
Legislators recognized that citizens' privacy across Europe and beyond needed stricter protection. The body’s data protection directive required updating. The GDPR is the result of this update. It passed through the European Parliament in 2016, giving organizations until May 2018 to comply.
What are GDPR's key definitions?
The GDPR is an extensive law that defines many legal terms at length. From most organizations’ point of view, five key definitions are most relevant.
Five key definitions from the GDPR
#1. Personal Data
Data becomes personal when the individual it refers to can be directly or indirectly identified. Names, email addresses, and phone numbers are clear examples of personal data. But this definition also includes biometric data, location information, web cookies, gender, and political opinions, to name a few.
The GDPR’s rules also extend to pseudonyms when it is relatively easy to identify the individual behind the name. The more sensitive the personal data is, the stronger the protections afforded under this law.
#2. Data Subject
A company’s existing customers and prospects are both examples of data subjects. Those are the people whose information an organization is handling.
#3. Data Processing
Data processing refers to anything a company or organization does with the data subject’s information. This definition involves storing, collecting, organizing, or erasing data. The GDPR’s definition of data processing is extremely broad.
#4. Data Controller
A small business owner collecting prospective customers' email addresses is often the company’s data controller. By definition, the data controller is the person who decides what an organization does with the data it has collected.
#5. Data Processor
Under the GDPR, a data processor is a third party working with data on behalf of the data controller. This could be an individual or a company hired for any of the data processing activities above. But cloud service platforms and email providers like Gmail can also become data processors.
What are the seven key principles of GDPR?
The GDPR law is based on seven main principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Under each principle, the law defines limits that any organization covered in its scope needs to adhere to. Perhaps the widest-reaching consequence of GDPR is that anything organizations do needs to consider data protection. With this stipulation, the law has the power to change companies to their core.
When it comes to accountability, for example, data controllers need to demonstrate that they are compliant. Data storage needs to be secure, with limited access even within the organization in question. Should a data breach occur, it needs to be reported within 72 hours.
In addition, GDPR stipulates that data can only be used if the data subject – a customer, for example – has given their unambiguous consent. Some companies also need to appoint a data protection officer.
Does GDPR apply to your business?
The GDPR applies to any company processing the personal data of EU citizens or residents, including those that offer their services or products to those people. Despite having been passed by the European Union, it also applies to organizations outside that area.
If a U.S.-based business sells to customers inside the EU, that business has to comply with GDPR. Non-compliant companies could face high fines for violating the stipulations of the law. Moreover, data subjects could seek compensation for damages caused by data leaks or non-compliance.
The EU’s GDPR is not the only data privacy and security law. Globally, 128 countries currently have data privacy laws. The United States is no exception. Here, data protection and privacy laws differ from state to state. Their number is set to increase over the next 12 months.
Colorado and Virginia have passed data privacy laws that will take effect on January 1, 2023. Utah and Oklahoma recently passed their own privacy laws. California’s Consumer Privacy Act (CCPA) became effective at the beginning of 2020, and the state is getting ready to enforce its Privacy Rights Act (CPRA) from January 1, 2023. The second law ensures that privacy requirements cover employee data.
Most states have multiple privacy acts, making compliance more complex. One such example is Illinois, where businesses currently need to adhere to three different regulations:
- Biometric Information Protection Act (BIPA)
- Student Online Personal Protection Act (SOPPA)
- Illinois Personal Information Protection Act (PIPA)
On their own, none of those laws may be as far-reaching as the GDPR, but all contribute to a complex regulatory environment.
What does GDPR mean for those outside of the EU?
Legal experts refer to the law’s broad reach as an “extra-territorial effect.” To be very clear, GDPR can cover your U.S.-based business even if that business has little connection to Europe at first glance.
Here is an example: a jewelry business based in North Dakota sells its products online. Websites don’t have borders as countries do, so an EU citizen can browse the jewelry advertised. At this point, any data collection, including cookies, could become subject to the GDPR.
The deciding factor for regulators is whether the company set out to target EU citizens. An occasional website visitor is not enough for a business to fall under GDPR rules. But a business specifically catering to EU customers should strive to be compliant, no matter where it is physically based.
What are the business impacts of GDPR?
Because of the broad scope of the GDPR, most major corporations need a GDPR compliance strategy to avoid paying high fines.
That means companies will need to review their current data privacy and protection procedures and adapt them as needed. Businesses need to ensure that they collect only necessary information and keep records safely. Some will also need to appoint dedicated data protection officers.
At this point, the law is still very new. How strictly it will be interpreted and enforced remains to be seen. While many U.S. businesses may fall outside its scope, being aware of data protection regulations is essential for two reasons:
1. Non-compliance carries high penalties.
2. U.S. states are tightening up data privacy regulations, too. That means any business needs to stay informed about impending changes to comply with local laws. In some cases, these laws are likely to cover similar subjects.
What are the penalties for violating GDPR rules?
Failing to protect the personal data of users, customers, or website visitors can result in severe fines under the GDPR. This is one of the most significant differences between the new law and its predecessors.
For example, in the United Kingdom, these penalties are decided by the Information Commissioner’s Office (ICO). Under the GDPR rules, more minor offenses can be penalized with fees up to €10 million ($11 million) or 2% of the firm’s global turnover. Some of the biggest breaches may incur double those penalties. Previously, legislation limited the ICO to fines of up to £500,000 ($651,000).
Are there exceptions to GDPR regulations?
Businesses with fewer than 250 employees are exempt from some of the GDPR’s record-keeping requirements but not all its regulations.
The second exception concerns personal activity. Collecting email addresses from friends and relatives for private events falls firmly outside the regulation’s scope.
What are the GDPR impacts on the tech industry?
When the GDPR first came into effect, the tech industry expressed concern about its broad reach. Some companies, including social media giant Meta (previously Facebook), lost one million active users in Europe during the first two months of GDPR taking effect. However, even at that early stage, experts felt that much of this potential hesitancy could be resolved through additional information and clarification.
Several years later, the regulation has brought challenges and opportunities for the industry. The new law created a demand for products and services that make it easy for companies to comply with the GDPR. Almost every business needed to add plugins to its web presence that allowed visitors to opt-in or out of cookies.
Countless businesses introduced two-factor authentication to better safeguard the data they were collecting. Others needed to ask newsletter subscribers for explicit consent to receive information. Most of these purposes require dedicated software.
GDPR also affected the development of new software. Any newly released software now needs to have data privacy at its heart. Rather than being an afterthought, privacy by design has become one of the tech industry’s guiding principles.
Companies handling the data of EU customers have had to upgrade or add firewalls, back up data, or offer encryption. Arguably, GDPR has forced businesses within the tech sector and beyond to take data privacy and protection more seriously.
Since coming into effect, the General Data Protection Regulation has changed the world’s perception of data privacy and security. Its broad scope affects companies within Europe and those looking to do business with or sell to EU citizens. As a data privacy law, the GDPR does not stand alone. Worldwide, more countries are passing their own data protection laws to protect private information.
In the United States, businesses need to be aware of GDPR compliance and state legislation, which often involves more than one law. Compliance is made easier by software solutions that are becoming more comprehensive and accessible every day.