General Data Protection Regulation (GDPR)

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection. It applies to the processing of personal data of people in the EU. It’s important to note that GDPR applies not only to organizations established in the EU, but to any organization offering goods or services to, or monitoring the behavior of, people in the EU. The regulation covers the full data life cycle, including the collection, storage, use, and retention of personal data. It also creates the potential for headline-grabbing penalties for noncompliance, including failures to protect data that lead to breaches.

GDPR supersedes Directive 95/46/EC, the existing EU directive on data protection. That directive will be repealed on the same day that GDPR comes into force. Consequently, some firms will have to make big changes in how they gather, store, and use personal data. That’s not to say that the regulation is too broad or too hard to meet. Rather, much of what is required could be described as common sense: giving individuals an appropriate level of protection and being able to show that you do.

The regulation will take effect May 25, 2018. This is the date by which organizations must be compliant.

GDPR terminology

GDPR introduces some new terms. Organizations should familiarize themselves with these terms to prevent confusion.

  • Data subject: an identified or identifiable natural person, i.e., a living person who can be identified (directly or indirectly) from some data
  • Controller: a person or organization that decides how and why personal data will be processed
  • Processor: a person or organization processing personal data on behalf of a controller
  • Data protection officer: a designated specialist appointed by a controller and/or processor (mandatory for public authorities and for organizations whose core activities involve large-scale monitoring or large-scale processing of special categories of data) who must be involved in all matters related to protecting personal data
  • Supervisory authority: an independent public authority designated by each member state to monitor the application of GDPR—for example, in the U.K., the Information Commissioner’s Office

What types of data are protected by GDPR?

Personal data. In relation to GDPR, personal data is any information relating to an identified or identifiable person, i.e., data that is tied to a specific person or could be used, directly or indirectly, to identify one. Examples of personal data include names, physical addresses, email addresses, and IP addresses or device identifiers that can be tied to an individual.

Genetic data. This includes data relating to a person’s inherited or acquired genetic characteristics, such as the result of a DNA analysis. Such data could be used to find out information pertaining to an individual’s health, physical condition, gender, and/or ethnicity.

Biometric data. Data resulting from specific technical processing of the physical, physiological, or behavioral characteristics of a person. Examples of biometric data include facial images and fingerprints. Biometric data falls into the special categories below when it is processed for the purpose of uniquely identifying a person.

Data concerning health. This type of data relates to physical or mental health, including treatment or health care services received by an individual.

Genetic, biometric, and health data are “special categories” of personal data under GDPR, alongside data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sex life or sexual orientation. Processing of special categories is prohibited unless one of a narrow set of conditions applies, such as explicit consent.

Which businesses are affected by GDPR?

The regulation applies to all organizations (both within and outside of the EU) conducting wholly or partly automated processing of personal data of people within the EU, as well as manual processing of data that forms part of a structured filing system, where that processing relates to offering goods or services or monitoring behavior.

Certain obligations on controllers and processors, notably the requirement to keep records of processing activities, are relaxed for organizations employing fewer than 250 people, provided the processing is occasional, is unlikely to result in a risk to individuals, and does not involve special categories of data. GDPR does not apply to processing carried out by an individual in the course of a purely personal or household activity.

Does GDPR apply to international businesses?

Yes. GDPR applies to organizations that process data of people in the EU, whether the organizations have a physical presence in the EU or not. For an organization with no establishment in the EU, the regulation applies where it offers goods or services to people in the EU (whether or not payment is required) or monitors their behavior. Merely having a website that is accessible from the EU is not, by itself, enough; indicators such as accepting EU currencies, offering EU languages, or targeting EU customers are what bring an organization into scope.

What obligations must an organization meet to maintain GDPR compliance?

Under GDPR, any data that could be used to identify an individual must be protected. As with Directive 95/46/EC, pseudonymized data (i.e., data that can no longer be attributed to a specific individual without additional information that is kept separately and protected) is still in scope, though GDPR recognizes that the risks to individuals are reduced when data is pseudonymized and treats it as a recommended security measure. Only data that has been truly anonymized, so that the individual can no longer be identified by any means reasonably likely to be used, falls outside the regulation.

Organizations defined as data processors, even though they process data on behalf of a data controller, are directly accountable for protecting that data. A processor must notify the controller of a personal data breach without undue delay; the controller must in turn notify the supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals. Processors can be penalized if found to be noncompliant.

Consent is one of several lawful bases for processing personal data (others include performance of a contract and legitimate interests). Where an organization relies on consent, it must be able to demonstrate that the data subject gave it. Consent must be freely given, specific, informed, and unambiguous, and any written request for it must use plain language that can be understood easily. The subject can withdraw consent at any time, and withdrawal must be as easy as giving it. Data subjects also have a right to erasure, often referred to as the “right to be forgotten”: where the data is no longer needed, consent has been withdrawn, or the processing was unlawful, the organization must be able to remove the subject’s data from all its systems and inform any other recipients of the data. For online services offered directly to children, consent is valid only if given or authorized by a parent or legal guardian for children below the age of 16 (member states may lower this to 13). Data subjects are also entitled to make subject access requests to organizations that hold their data, normally free of charge and answered within one month.

What are the penalties under GDPR?

The largest fines will be imposed on organizations that haven’t even attempted to comply with GDPR. Fines are tiered: breaches of obligations such as security of processing, record keeping, and breach notification carry a maximum of €10 million or 2% of worldwide annual turnover, whichever is higher; breaches of the core principles, data subject rights, or international transfer rules carry a maximum of €20 million (approx. $24 million) or 4% of the organization’s worldwide annual turnover, whichever is higher.

To avoid GDPR fines, organizations need to be able to demonstrate the following:

  • This is what we are doing to comply with GDPR.
  • This is what we are doing to avoid running afoul of the regulation.
  • This is what we are doing to have a reasonable, documented story to tell even when something bad does happen.