The GDPR, or General Data Protection Regulation, was put into effect in May 2018. It is one of the strictest privacy and security laws in the world. It is designed to protect the privacy of EU (European Union) citizens and customer data.
Any business that collects data on EU citizens is required to comply with the GDPR even if they do not have a presence in the EU directly.
Companies are required to be compliant under the GDPR to avoid hefty fines. The GDPR is one of the most comprehensive data protection laws that is designed to give private individuals more control over their personal data and to foster a higher level of trust between businesses and the public when it comes to data security and privacy.
What is the GDPR?
In April 2016, the European Parliament adopted the GDPR to replace the 1995 outdated data protection directive. Companies were required to be GDPR compliant by May 25, 2018.
The GDPR gives consumers more control over who sees their data and how it is collected. Any data collected on an EU citizen within any of the 28 member states of the EU is to be protected and secured. All transactions that occur within the EU fall under the GDPR.
The GDPR states that companies must provide a “reasonable” level of protection over personal data and takes a broad view of what makes up personal identification information. This sets a very high standard regarding personal data protection and consumer rights; however, it also requires companies to work harder putting processes and systems in place to remain compliant.
Why was GDPR created?
The GDPR is an answer to the public’s concern over data privacy and control over how companies store this information and how safe it is from potential bad actors. More than half of Europeans are worried about cybercriminals accessing their personal data, while just under half do not want to share personal data with private companies.
The GDPR is meant to create a higher level of trust between the public and companies storing personal data. The stricter regulations and rules about how this data is stored and used are meant to protect consumers.
The internet is a vastly different place now than it was in 1995 when the initial data protection directives were written. People are increasingly putting more and more of their personal lives and data online, and expect companies to work hard to keep it and them safe.
Consumers will often blame the company if a data breach occurs. This was created to help protect digital assets of consumers while holding companies to higher standards and practices.
Who is affected by the GDPR?
Any company that processes personal data of EU citizens within an EU member state, offers goods or services to citizens within the EU, or monitors behaviors of individuals within the EU is subject to GDPR compliance. The GDPR even applies to companies who do not have a physical presence within the EU but offer services or goods to members within the EU (paid or free) and those storing personal information on EU citizens.
The GDPR applies to:
- Any company with a presence or physical branch within an EU member country.
- Companies that provide services to individuals within the EU and those that process personal data of residents in EU member countries.
- Companies that have more than 250 employees.
- Small companies with fewer than 250 employees that process personal data.
These are some of the biggest industries impacted by the GDPR:
- Social media
- Online retailers
- Medical and health care
- Financial services and online banking
- Remote services and cloud computing
Who manages GDPR compliance?
To remain compliant with the GDPR, companies must have a data controller, data processor, and a data protection officer (DPO). The data controller determines how personal data is processed and for what purpose, and ensures the compliance of outside contractors.
Data processors process and maintain personal data, either as an internal group or outsourcing firm. They are the entities that will be held responsible in the event of a data breach or GDPR non-compliance. The data controller and data processor must also designate a DPO to oversee GDPR compliance.
The DPO will be responsible for overseeing the data protection strategy of the company, implementing policies to ensure GDPR compliance, training and educating employees on compliance, monitoring data transfer operations and data storage, and serving as the point of contact with GDPR supervisory authorities. Companies can hire a DPO from an outside source or at a different organization to maintain GDPR compliance.
A company must hire a DPO to ensure GDPR compliance in the following cases:
- Organization is a public authority
- Company is involved in large-scale and systematic monitoring of personal user data
- Organization processes large amounts of personal user data
How does the GDPR affect contracts with customers and third parties?
There is a form of “downstream compliance” required by the GDPR. What this means is that third party companies used to process data must also be compliant with GDPR policies. Even if a company is collecting data in the correct way as defined by the GDPR, but the company used to process this data is outsourced and noncompliant, the originating organization will still be held liable.
Data processors and data controllers at a company are responsible for ensuring that all third-party companies, outsourcing services, contractors, and service providers remain GDPR compliant, or they can be considered in violation and slapped with massive fines. All contracts and third-party interactions must also follow the GDPR regulations.
Contracts with customers and third parties must be clearly defined, and companies will need to know exactly how vendors process and store information.
The flow of data must be protected and fully understood by all parties involved. This involves knowledge of exactly what type of data is being collected, how it is processed, and its movement. Contracts may need to be renegotiated to adhere to GDPR regulations and requirements.
Data privacy requirements
GDPR regulations give more control to consumers over the collection and storage of personal data. This includes the following:
- Consumers have a right to consent to data collection and what data is being collected.
- Individuals have the right to request companies stop processing their data, restrict usage, or object to the way it is being used.
- Users have the right to delete or erase all of their data.
- Users have a right to access their data.
- Users must be able to transfer data from one service provider to another.
- Privacy policies must be clearly outlined using plain language.
- Users are to be informed of a data breach within 72 hours of its occurrence.
- Users have the right to request updating, correction, or completion of personal data.
User consent can no longer be implied. This means that a user must give explicit consent for companies to collect, store, and process their data, using an “opt-in” instead of an “opt-out” format. Users have a legal right to question and appeal how companies are using their data.
The GDPR protects “personal data” of consumers, which includes the following:
- Name, address, ID numbers, email address, and basic identity information
- Biometric data
- Web data, such as IP address, RFID tags, cookie data, and location
- Sexual orientation
- Racial and/or ethnic data
- Genetic and health data
- Political opinions
- Any type of information relating to an identifiable or identified living person
The “basic identity” category of personal data is broad and can apply to any type of user-generated data. This involves social media posts, anything personal uploaded to websites, and any form of personal information transmitted online.
GDPR compliance requires that all service providers and third parties remain in compliance with the regulations. The EU provides a list of GDPR-compliant services for businesses that are already following these regulations, which can be used to avoid regulatory penalties.
U.S. companies that have any kind of operation or presence in the European Union are required to be GDPR compliant. This typically falls on the shoulders of data controllers and processors. A GDPR checklist for data controllers can help ensure that the organization is checking all of the correct and necessary boxes to remain compliant.
There are also a number of vendors and organizations that offer GDPR compliance audits. They can provide services, ensuring that the organization in question is GDPR compliant. While these services involve a fee, they can save the company money in hefty fines for noncompliance.
What Is GDPR, the EU’s New Data Protection Law? (2022). Proton Technologies AG.
How Concerned Are Europeans About Their Personal Data Online? (June 2020). European Union Agency for Fundamental Rights.
Who Does the Data Protection Law Apply To? European Commission.
How GDPR Is Impacted Business and What to Expect in 2020. (February 2020). Business News Daily.
GDPR-Compliant Services for Businesses. (2022). Proton Technologies AG.
GDPR Checklist for Data Controllers. (2022). Proton Technologies AG.