Since its effective date on May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) has affected individuals and businesses around the world.
No doubt you’ve noticed your favorite website’s cookie consent pop-ups and privacy choices. Perhaps you’ve been involved with getting your business to GDPR compliance. You might have also heard of companies getting fined for violations, or have even exercised your own “data subject” privacy rights (more info on that below).
Whatever your experience so far with the GDPR, you still might not be clear on what exactly it is, or you may have gaps in your GDPR knowledge. Let’s fix that.
In this post, we’ll look at the GDPR in more detail, including a brief history, what it is, and how it affects individuals and businesses alike. We’ll also cover a few basic steps toward compliance.
Here’s a brief history and timeline overview of how the GDPR came to be. Believe it or not, its roots are traceable back to 1950:
• 1950 - The European Convention on Human Rights is drafted, which includes Article 8, “Right to respect for private and family life.” This sets the stage for privacy protection in the EU.
• 1995 - EU passes the European Data Protection Directive to address the need for minimum data privacy and security standards for technology and internet developments.
• 2012 - The European Commission proposes comprehensive reform to the 1995 European Data Protection Directive.
• 2014 - The European Parliament adopts the GDPR.
• 2016 - The GDPR enters into force.
• 2018 - All organizations are required to be compliant as of May 25, 2018.
As you may have gathered by now, the GDPR is a sweeping data privacy law devised to give EU citizens more control over their data. In fact, the GDPR prioritizes an individual’s rights over their data above everything else.
To accomplish this, it codifies various individual data rights, establishes key principles for data protection, and defines requirements for businesses to comply.
The GDPR applies to businesses that offer goods and services to EU citizens (also called data subjects), whether or not the business operates within the EU. When these businesses handle EU citizen data (including monitoring online behavior), they fall into one of two data-handling categories: controllers and processors.
At this point, it will help to go over a few basic definitions under the GDPR:
• Data subject - Any EU citizen (“an identified or identifiable natural person”) whose data is collected, monitored, processed, etc.
• Data processing - Any automated or manual action performed on personal data.
• Data controller - Any party that handles data subject information and decides why and how it is processed.
• Data processor - Any third party that processes personal data on behalf of a data controller.
Now that you know the GDPR’s purpose and who it applies to, what are the privacy rights of the individual data subject? Here they are with a summary of each right:
• Right to be informed - Clear information must be provided to data subjects regarding how their personal information is collected and processed.
• Right to access - Collected personal data must be provided to data subjects on request.
• Right to rectification - Data subjects may correct inaccurate personal data.
• Right to erasure/right to be forgotten - Collected personal data must be deleted upon request.
• Right to restrict processing - Data subjects can limit how their personal information is processed under certain conditions.
• Right to data portability - Data subjects may move their data from one controller to another.
• Right to object - Data subjects can object to the processing of their data.
• Right to object to automated processing - Data subjects may object to automated data processing that legally affects them.
Of the 99 articles that currently make up the GDPR, Article 5 covers seven “Principles relating to the processing of personal data” in which tenets are laid out for the protection of personal data. If you collect or process personal data under the GDPR, you must protect data with the following principles in mind:
• Lawfulness, fairness, and transparency: You should process personal data lawfully, fairly, and transparently.
• Purpose limitation: You must collect personal data only for a specific and limited purpose.
• Data minimization: You must minimize the data collected to be adequate, relevant, and limited to what is necessary.
• Accuracy: Keep data accurate and up-to-date, and correct inaccuracies when possible.
• Storage limitation: Do not store personal data for longer than necessary.
• Integrity and confidentiality: You must ensure security measures are in place to maintain data integrity and confidentiality when processing personal data.
• Accountability: The data controller must show compliance with all the above principles.
If your business is looking to become GDPR compliant, there are a few things to keep in mind.
First, be sure you are familiar with GDPR basics by reading not only this post but also the full text of the regulation.
Next, know and implement the Data Protection Principles of Article 5 and be able to fulfill all the data subjects’ rights and requests.
In addition, be sure your business implements other compliance requirements, such as:
• Compliant record keeping of all processing activities
• Other physical, technical, and administrative security measures and tests
• Data breach notifications (to authorities, individuals, media, etc.)
• A Data Protection Officer (DPO) who oversees and leads all GDPR compliance activities
Remember, if you control or process covered personal data under the GDPR and you are not compliant, your business is at risk of steep fines for violations.
The GDPR is arguably the strongest data privacy law in the world. With its deep history, a full suite of protective individual data rights, security principles, and compliance requirements, it is a framework that many countries and states that care about privacy can model and build upon.
If your company is controlling or processing EU data subjects’ personal information, you must be GDPR compliant.