What is GDPR?
General Data Protection Regulation, or GDPR, unifies data privacy laws across the European Union (EU). The European Parliament approved GDPR on April 14, 2016, and it went into effect on May 25, 2018.
GDPR replaced the former EU Data Protection Directive of 1995. GDPR concentrates on keeping businesses more transparent and expands the privacy rights of data subjects. Whenever a data breach is detected, GDPR requires the company to notify supervising authorities and all affected people within 72 hours.
It's mandatory for all EU citizens and companies that process, store, or manage the data of EU citizens to comply with GDPR. It's also regardless of whether they're EU citizens. The GDPR also imposes penalties for non-compliance. Many organizations use data privacy management software to manage the privacy of data subjects and map sensitive data.
GDPR principles
Anyone who processes data must do so according to the protection and accountability principles outlined in Article 5.1-2. Below are the GDPR’s seven basic principles that guide its rules and regulations.
- Lawfulness, fairness, and transparency. Data subjects must be informed about exactly how their data will be used.
- Purpose limitation. Data can be collected and processed for legitimate purposes. For example, processing a contract where the data subject is involved.
- Data minimization. Only critical data can be collected.
- Data accuracy. Organizations collecting data must ensure its accuracy and timeliness. Data must be deleted or changed as per the request of the data subject.
- Storage limitation. The GDPR advises against retaining collected data longer than required.
- Integrity and confidentiality. Personal data needs to be protected with appropriate measures. It must be secure and protected against theft or unauthorized use.
- Data compliance. Data collectors are responsible for ensuring compliance with GDPR.
Several specific data subject rights per the seven principles of the GDPR are discussed below.
- The right to be forgotten. Data subjects can request personally identifiable information (PII) be deleted from a company's storage. However, if the company can successfully demonstrate a legal basis for keeping data, it has the right to refuse requests.
- The right of access. Stored data is accessible to data subjects for review.
- The right to object. Data subjects can refuse to use or process personal data. If a company satisfies legal conditions for processing personal data, it can ignore the refusal. However, it must notify the subject and explain its reasoning.
- The right to rectification. Corrections of incorrect personal information are possible upon the request of data subjects.
- The right of portability. Accessing and transferring data subjects' personal information is possible at the data subject's discretion.
How to comply with GDPR
The GDPR informs data collectors about the expected results of excellent and responsible data management. However, it doesn't define any specific technical measures. Below are some best practices that help companies comply with GDPR.
- It's important to ask before collecting personal data. Data subjects must be willing participants.
- Organizations must only collect what they need. They're responsible for collection and usage.
- Companies must not share data with others without the consent of users and approval from supervisory authorities.
- It’s essential to encrypt all personal data at rest and in flight.
- It's best to have two secure backup copies of personal data at two offsite locations.
- Companies should be able to easily edit or delete specific items of personal data using necessary tools to verify and document the actions.
GDPR scope
The GDPR scope compliance is relatively broad. Therefore, whether a business is situated inside the EU or has an office outside the EU, it's crucial to understand how they come under the purview of GDPR if they're processing the data of EU citizens.
Below are two ways a business comes under the domain of GDPR:
- Material Scope: Article 2 defines the GDPR Material Scope of personal data processing. As per the Material Scope, even if the processing center (a processor) is not in the EU, they still come under the purview of the GDPR.
- Territorial Scope: Article 3 of the GDPR explains the territorial scope of GDPR and how it is broadly classified into two segments: Article 3(1) and Article 3(2). Territorial scope refers to when businesses inside the EU region process the personal information of data subjects.
GDPR fines for non-compliance
Penalties for non-compliance are severe. Several criteria are assessed to determine appropriate fees, including the breach's duration, the number of data subjects affected, and the severity of the breach.
Whether a data breach is caused by negligence or intention also influences penalties. Maintaining inadequate records of personal data collection and processing can lead to a fine of €10 million euros or 2% of annual revenue, with fines as high as €20 million or up to 4% of annual revenue for complete non-compliance.
GDPR vs. CCPA
GDPR and California Consumer Privacy Act (CCPA) are compliance laws that protect user data from unauthorized access and processing.
CCPA is often called "GDPR lite" in compliance communities. While GDPR protects the data and privacy of the EU, CCPA is the data protection and privacy law for California residents.
GDPR requires businesses to have legal grounds for data processing, such as consent. CCPA has no such requirement but focuses on creating transparency and educating users about their data rights.
Learn more about data privacy management software and how long it takes to implement.
Sagar Joshi
Sagar Joshi is a former content marketing specialist at G2 in India. He is an engineer with a keen interest in data analytics and cybersecurity. He writes about topics related to them. You can find him reading books, learning a new language, or playing pool in his free time.
