What is the General Data Protection Regulation (GDPR)?
By now, you've likely heard of the European Union’s crucial data privacy regulation, but may not fully understand the general requirements of GDPR — especially if your company operates outside of the EU.
Considered the most significant privacy regulation in 20 years, this set of regulations — established in 2018 — is a substantial step up from the EU's previous data protection directive.
The new initiative transforms how organizations in every sector handle personal data and, for the first time, gives people a say over who collects their data, when it's collected, and how it's used.
With this regulation, companies can't just clean up the mess and say "sorry" after a personal data breach. They also can't collect and use consumer data without oversight or plainly worded disclosures. Stiff penalties now exist for data breaches and data privacy violations.
To prove GDPR compliance, organizations must take steps to protect a data subject’s privacy from the get-go. Transparency is the name of the game — a new notion to many organizations that have traditionally put data privacy on the backburner.
GDPR compliance can seem overwhelming, but in the long-term, we expect to see better user/customer experiences, fewer data breaches, and greater trust between consumers and organizations regarding personal data.
The 12 need-to-knows when it comes to GDPR compliance
Since its advent in 2018, many have celebrated the General Data Protection Regulation: In terms of protecting people’s privacy, it’s a game-changer (and a big one). But for the countless companies attempting to navigate all of its nuances and layers, the GDPR can cause confusion and, for many, frustration.
To help you understand it better, we’ve compiled a list of essential facts about GDPR compliance. Use these as your guide to improving your organization's data security, protecting your data subjects' personal information, and avoiding non-compliance issues:
1. While the GDPR is mandated by the EU, it affects every country.
The European Parliament approved the General Data Protection Regulation in 2016 to replace a data protection initiative from 1995, but changes weren't enforced until 2018. For U.S. companies that believe they’re exempt from GDPR because they don’t do business with folks across the pond, think again.
The GDPR changes apply as much to other countries as they do to the EU. If any organization, EU or otherwise, offers goods or services to EU data subjects, they're on the hook. This helpful checklist, provided by GDPR, prepares U.S. companies for the associated regulations and requirements.
2. GDPR requirements apply to most kinds of personal data.
GDPR requirements govern almost every data point an organization collects, across every conceivable online platform, especially if it's used to uniquely identify a person. It also includes data routinely requested by websites, like IP addresses, email addresses, and physical device information. Types of personal data protected under GDPR include:
- Basic identity information
- Web data (like location, IP address, cookie data, and RFID tags)
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
- Any information that relates to an identified or identifiable living individual
As you can imagine, "basic identity information" is a broad category. It includes user-generated data, like social media posts, personal images uploaded to websites, medical records, and other uniquely personal information commonly transmitted online. Yes, that means organizations must protect your tweets and Facebook statuses.
3. GDPR posits that users have 8 basic rights regarding personal data and data privacy.
The General Data Protection Regulation establishes eight rights that apply to all users. To achieve GDPR compliance, your organization must respect the following rights or face severe penalties:
- The right to access: Individuals may request access to their personal data. They may also ask about how their data is used, processed, stored, or transferred to other organizations. You must provide an electronic copy of the personal data, free of charge, upon request.
- The right to be informed: Individuals must be informed and give free consent (not implied) before gathering and processing their data.
- The right to data portability: Individuals may transfer their data from one service provider to another at any time. The transfer must happen in a commonly used and machine-readable format.
- The right to be forgotten: If users are no longer customers or withdraw their consent to use their personal data, they’re entitled to data deletion.
- The right to object: If a user objects to your use or processing of their data, they can request that you stop; there are no exceptions to this rule. All processing must stop as soon as the user makes this request.
- The right to restrict processing: Individuals can ask you to stop processing their data or stop a certain kind of processing. Their data can remain in place if they choose.
- The right to be notified: Individuals have the right to be notified in the event of a data breach that compromises their personal data. This must happen within 72 hours of breach discovery by your organization.
- The right to rectification: Users can request that you update, complete, or correct their personal data.
These rights give individuals considerable power over their data. They now have myriad tools to limit and prohibit organizations from using their personal information.
4. To avoid non-compliance, designate a representative physically located in the European Union.
If your U.S. company processes EU residents’ personal data but doesn’t have a European presence, it’s time to get one. Selling products or services online to customers in the EU — or simply having EU-based visitors to your site — means you must comply. A physical representative in the European Union serves as the point of contact for EU supervisory authorities and data subjects, and maintains your processing records.
If you don't already have a subsidiary, corporate affiliate, or external data protection officer in EU territory, you can name an unaffiliated person or entity. Consider a "GDPR Representative as a Service," where you pay a U.S. company a flat fee to name one of their EU representatives to act as yours. Then, you list them as your EU contact to satisfy the GDPR. It's a fast and easy way to ensure GDPR compliance.
5. Ignoring or evading GDPR compliance can cause hefty penalties.
The General Data Protection Regulation is a complete shift in thinking, and it's safe to say many U.S.-based organizations are still scratching their heads. In the GDPR’s first few years, companies were granted a grace period to get up to speed.
These days, companies must at least prove to officials that they’re actively working toward accountability and compliance. Penalties for non-compliance are tiered and can be as high as 2% of annual global turnover of the preceding fiscal year.
6. When collecting personal data, your company must switch from “opt out” mode to “opt in” mode.
GDPR compliance means adopting the principle of affirmative consent. This requires a switch from an "opt-out" approach to an "opt-in" approach concerning data collection and processing.
Instead of assuming user consent (by opting them in automatically and providing an opt-out method), you now must obtain explicit permission before you collect, store, and process their personal data. This new approach applies to everything, even if you're just adding a customer's email address to your newsletter list.
Additionally, users don't just have the right to decide whether you collect and use their data; they can also determine how you use it. They have the legal right to question and appeal how their personal information is presented to themselves and others.
For instance, a user might object to Google's use of their data to refine its algorithm and show content to other users. Or a user might choose to opt out entirely at any point due to their right to be forgotten — in which case, it's your responsibility to scrub their data from your systems.
7. You can’t dodge GDPR requirements by hiding behind legalese.
It’s possible people aren’t reading privacy policies because, too often, they can be tangled webs of legal jargon. For that reason, the GDPR prohibits organizations from hiding behind illegible terms and conditions that are difficult to understand.
Instead, GDPR compliance requires companies to clearly define their data privacy policies and make them easily accessible. They must explain how they engage in personal data processing and what they do with it. Further, they can't write privacy policies that absolve them from responding to a personal data breach.
There's another caveat: Your organization must also know and monitor your vendors (and their privacy policies) to ensure GDPR compliance whenever they handle your EU data subjects' personal data. Under the GDPR, you could be held accountable for their compliance (or lack thereof).
8. Under GDPR, time limits are set for breach notifications.
When a personal data breach occurs and threatens consumer data privacy rights, companies must report the incident within 72 hours of becoming aware of the breach. Data processors (typically the data protection officer) must notify their customers immediately.
This may be one of the most significant changes in practice for U.S. companies, especially after a few large-scale breaches, like the one involving Equifax in 2017. It took the credit monitoring firm six weeks to report the breach, which affected upward of 143 million Americans.
According to GDPR, companies that fail to comply can pay hefty fines for such behavior. The new requirements force companies to take data breaches more seriously and implement security measures to protect their data subjects.
9. Under GDPR, your organization is obligated to respond to a data subject’s request about their personal data.
GDPR requirements give consumers (i.e., data subjects) the right to ask companies for information held about them. Within a month’s time, companies must be able to fulfill the request.
Data subject access requests force organizations to know where collected data is at all times, what information is being collected, how it's being used by whom, and when it's being accessed.
If the consumer finds an error, the organization must correct it (called "rectification"). If the customer opts to invoke their "right to be forgotten," the company must erase their data (called "erasure"). If the consumer doesn't like how their personal data is being collected and used, they can object.
As you can imagine, this is one of the most significant portions of the data protection law: It enforces transparency surrounding personal data and information that organizations store and process.
Bottom line? Organizations can no longer hide what they know.
Most U.S.-based organizations are behind when it comes to having this data at their fingertips. Big data is big, and it isn't always in the same place. Customer data can be in core operational systems, cloud applications, online file-sharing services, removable media, physical storage cabinets, temporary files, sandbox systems, backup systems, and employee devices (just to name a few).
Ultimately, gaining control over this data benefits both the organization and the consumer. A 2018 Forbes article listed five of these benefits, but one in particular continues to win the day: a hefty boost in ROI.
In fact, according to a 2021 Forrester Total Economic Impact report, companies that invested in data privacy/security saw a whopping 152% return on investment, including recovered investment costs in just six months.
10. Consider hiring a data protection officer to manage GDPR requirements.
For data controllers, the General Data Protection Regulation creates a legal obligation to hire a data protection officer, or DPO.
This enterprise security leadership role is responsible for: overseeing a company's data protection strategy; monitoring data storage and data transfer operations; educating and training employees on regulatory compliance; implementing policies to ensure GDPR compliance; responding to data subject access requests; and serving as a point of contact between the organization and GDPR supervisory authorities.
You must hire one if...
- Your organization is a public authority (i.e., it controls or maintains public infrastructure or has the authority to regulate public property)
- Your organization is engaged in large-scale systematic monitoring of user data
- Your organization processes large volumes of personal user data
The size of your organization is irrelevant here. What matters is the size of your data processing operation. But as you're probably thinking, "large-scale" and "large volumes" are nebulous terms. Unfortunately, the GDPR doesn't offer clear definitions, so we must make our best guess for now (or until the regulation is amended or clarified in the courts).
11. Cloud-based storage is not exempt from GDPR.
Like many organizations, you may use a cloud-based storage provider to house your data (like Microsoft Azure, Google Cloud, or Amazon Web Services). This practice does not off-load your data processing responsibilities to the cloud storage provider. Many organizations make the mistake of assuming their cloud storage providers are compliant, but that’s not always the case.
To ensure GDPR compliance, both the cloud provider and the systems used to integrate it must abide — yet another reason it's helpful to hire a data protection officer.
12. Under GDPR, human rights are prioritized over user experience.
Remember, the purpose behind GDPR is to protect consumers on data privacy issues. It's an ambitious, far-reaching piece of legislation designed to safeguard the public’s privacy and provide agency over their data.
There's no doubt that GDPR compliance creates challenges for all organizations, especially those that rely heavily on robust data processing. Compliance requires one-time and recurring costs, new policies and procedures, education and training, and even extra staffing.
Framers of the GDPR are aware of those challenges. Still, while they understand your frustration, they feel — and we agree — that user rights are paramount, even at the expense of user experience. At a time when nearly every conceivable data point of our lives is stored online, we are remarkably vulnerable to theft and exploitation. Thus, we require concrete safeguards for better protection.
You don’t have to manage GDPR requirements on your own
No matter the size of your organization, EU supervisory authorities will penalize your business for non-compliance. Yes, even small businesses are on the GDPR radar.
Still, while it’s critical that you comply, the regulation is massive and complex. With Osano, you gain GDPR compliance instantly.
We serve as your GDPR representative, monitor your vendors, help you respond to access requests, and alert you about new or changing privacy laws with advice on how to prepare. Let Osano make it simple.