What is the General Data Protection Regulation (Also Known as the GDPR)?
By now, you've likely heard of the General Data Protection Regulation (the GDPR). Still, you may not understand all of its implications, especially if your company operates outside of the EU.
The GDPR is often referred to as the biggest and most significant data privacy regulation in 20 years, a substantial step up from the EU's previous data protection directive. This new regulation aims to transform how organizations in every sector handle personal data, putting consumers in the driver's seat to control their own data processing. For the first time, people have a say over who collects their personal data, when it's collected, and how it's used.
With this regulation, companies can't just clean up the mess and say "sorry" after a personal data breach. They can't collect and use consumer data without oversight or plainly-worded disclosures. There are now stiff penalties for data breaches and data privacy violations. Organizations have to prove they are following GDPR compliant and taking steps to protect that data on day one. Transparency is the name of the game, a new notion to many organizations that have traditionally put data privacy on the back burner, much less tell consumers how they handle their data.
GDPR compliance may seem overwhelming right now, but in the long term, we expect to see better user/customer experiences, fewer data breaches, and greater trust between consumers and organizations regarding personal data.
12 Facts about GDPR (Including Non-Compliance Pitfalls and Overall GDPR Requirements)
Plenty is riding on GDPR compliance. At least one global survey found that 85 percent of U.S. companies believe that GDPR compliance regulations put them at a disadvantage with their European competitors. Yet, the same survey discovered the U.S. is the least trusted country for respecting data privacy rights. Even more, 67 percent of U.S. consumers agree that the U.S. should do more to protect their data privacy. GDPR compliance could do much to improve these negative perceptions.
To help you understand the rumors swirling about the GDPR, we put together this list of essential facts that you need to know. These critical items are your first steps toward improving your organization's data security, protecting your data subjects' personal information, and avoiding non-compliance issues.
1. The GDPR May Be An EU Mandate, But It Impacts Every Country
The European Union Parliament approved the General Data Protection Regulation in 2016 to replace a data protection initiative from 1995, but the changes weren't enforced until May 25, 2018. There's a misconception across the pond that U.S. companies that don't do business with EU citizens or European companies are exempt. Not so fast.
The GDPR changes apply as much to organizations in other countries as they do to those within the EU. If any organization, EU or otherwise, offers goods or services to or monitors EU data subjects' behavior, they're on the hook.
2. GDPR Requirements Applies to Virtually All Kinds of Personal Data
The GDPR requirements govern almost every data point an organization would collect, across every conceivable online platform, especially if it's used to uniquely identify a person. It also includes data routinely requested by websites, such as IP addresses, email addresses, and physical device information. Here's a list of the types of personal data protected under the GDPR.
- Basic identity information (including name, address, email address, etc.)
- Web data such as location, IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
- Any information that relates to an identified or identifiable living individual
As you can imagine, "basic identity information" is a broad category. It includes user-generated data, such as social media posts, personal images uploaded to websites, medical records, and other uniquely personal information commonly transmitted online. Yes, that means organizations must protect your tweets and Facebook statuses.
3. GDPR Compliance Requires You to Respect Users Have 8 Basic Rights Regarding Personal Data and Data Privacy
The General Data Protection Regulation establishes eight rights that apply to all users. Your organization is obligated to respect these rights or face the severe penalties we discussed above.
- The right to access. Individuals may request access to their personal data. They may also ask about how their data is used, processed, stored, or transferred to other organizations. You must provide an electronic copy of the personal data, free of charge if requested.
- The right to be informed. Individuals must be informed and give free consent (not implied) before gathering and processing their data.
- The right to data portability. Individuals may transfer their data from one service provider to another at any time. The transfer must happen in a commonly used and machine-readable format.
- The right to be forgotten. If users are no longer customers or withdraw their consent to use their personal data, they have the right to have their data deleted.
- The right to object. If a user objects to your use or processing of their data, they can request that you stop. There are no exceptions to this rule. All processing must stop as soon as the user makes their request.
- The right to restrict processing. Individuals can ask you to stop processing their data or stop a certain kind of processing. Their data can remain in place if they choose.
- The right to be notified. Individuals have the right to be notified in the event of a personal data breach that compromises their personal data. This must happen within 72 hours of your first learning of the breach.
- The right to rectification. Users can request that you update, complete, or correct their personal data.
As you can see, these rights give individuals considerable power over their data. They now have a number of tools to limit and prohibit you from using their personal information.
4. To Avoid Non-Compliance, You’ll Have to Designate a Representative in the EU
Most companies outside of the EU must designate a representative in the EU if they process EU residents' personal data, but don't have a European presence. If your U.S. company sells products online to customers in the EU or just has visitors to your website from the EU, you have to comply. The designated representative is there to contact EU supervisory authorities and data subjects and maintain processing records.
If you don't already have a subsidiary in one of the EU countries, corporate affiliate, or external data protection officer, you can name an unaffiliated person or entity. Consider a "GDPR Representative as a Service," where you pay a U.S. company a flat fee to name one of their EU representatives to act as yours, listing them as your EU contact to satisfy the GDPR. It's a fast and easy way to ensure you are covered.
5. There Are Hefty Penalties for Non-Compliance with the GDPR
The General Data Protection Regulation is a complete shift in thinking, and it's safe to say many U.S.-based organizations are still scratching their heads. While there will be some grace period as companies learn their responsibilities and come up to speed, patience won't last long. Companies must at least prove to officials that they are actively working towards accountability and compliance. Penalties for non-compliance are tiered and can be as high as 4 percent of global turnover, or $24.4 million, whichever is greater.
6. You Have to Switch from “Opt-Out” to “Opt-In” Mode of Collecting Personal Data
Compliance with the General Data Protection Regulation means adopting the principle of affirmative consent. This requires you to switch from an "opt-out" approach of data collection and data processing to an "opt-in" approach. Instead of assuming user consent (by opting them in automatically and providing an opt-out method), you now must obtain explicit permission before you collect, store, and process their personal data. This new approach applies to everything, even if you're just adding a customer's email address to your newsletter list.
Furthermore, users don't just have the right to decide whether they collect and use their data. They can also determine how you use it. They have the legal right to question and appeal on how their personal information is presented to themselves and others. For instance, a user might object to Google's use of their data to refine their algorithm and show content to other users. Or a user might choose to opt-out entirely at any point due to their right to be forgotten, in which case it's your responsibility to scrub their data from your systems.
7. GDPR Compliance Doesn't Let You Hide Behind Legalese and Dodge GDPR Requirements
Does anyone read the fine print or the pages of data privacy policies? Likely not. Pew Research reported that half of online Americans don't even know what a privacy notice is. General Data Protection Regulation requirements prohibit companies from hiding behind illegible terms and conditions that are difficult to understand.
Instead, GDPR compliance requires companies to clearly define their data privacy policies and make them easily accessible. They must explain how they engage in data processing of personal data and what they do with it. Furthermore, they can't write privacy policies that absolve them from responding to a personal data breach.
There's another caveat: You also have to know and monitor your vendors and their vendors' privacy policies to be sure they are GDPR compliant when they use your EU users' data. You could be held accountable for their compliance under the General Data Protection Regulation.
8. GDPR Requirements Set Time Limits for Breach Notifications
When a personal data breach happens and threatens consumer data privacy rights, companies are on the clock to report the incident within 72 hours of becoming aware of the breach. Data processors (typically the data protection officer) must notify their customers right away. This may be one of the most significant changes in practice for U.S. companies. More than half have no incident response procedures in place, and nearly 60 percent do not even share information about their data breaches. Equifax took six weeks to report a breach that impacted up to 143 million Americans.
Consumer patience is running thin. With the GDPR changes, companies who must comply will have to pay penalty fees for such behavior. These requirements force companies to take data breaches seriously and implement security measures to protect its data subjects.
9. The GDPR Obligates You to Answer to Data Subject's Requests in Regards to Their Personal Data
The GDPR requirements give consumers (a.k.a. data subjects) the right to ask companies for the information they hold on them. Companies must be able to provide them with what they want within a month.
These "data subject access requests" force organizations to know where their collected data is at all times, what information is being collected, how it's being used by whom, and when it's being accessed. If the consumer finds an error, the organization must correct the error (called "rectification"). If the customer opts to invoke their "right to be forgotten," the company must erase their data (called "erasure"). If the consumer doesn't like how their personal data is being collected and used, they can object.
As you can imagine, this is one of the most significant portions of the data protection law because it forces organizations to be transparent with their processing activities and personal information they store and process. Organizations can no longer hide what they know.
Most U.S.-based organizations are behind when it comes to having this data at their fingertips. Big data is big, and it isn't always in the same place. Customer data can be in core operational systems, cloud applications, online file-sharing services, removable media, physical storage cabinets, third-party providers, temporary files, sandbox systems, backup systems, and employee devices, just to name a few.
Ultimately, gaining control over this data benefits both the organization and the consumer. Forbes believes GDPR compliance has five benefits: enhanced cybersecurity, improved data management, increased marketing ROI, boosted audience loyalty and trust, and the opportunity to become the first to establish a new business culture. If that's not enough, consider the alternative penalty fines for non-compliance. GDPR compliance, therefore, won't happen overnight, and it may be a painful process. But, even as you improve your transparency game, you'll gain visibility into your vendors' data compliance practices at the same time, forcing all companies to do better or get left behind.
10. You May Need to Hire a Data Protection Officer to Manage GDPR Requirements
As a data controller, the General Data Protection Regulation creates a legal obligation to hire a Data Protection Officer (DPO). This person is an enterprise security leadership role that's responsible for overseeing a company's data protection strategy, monitoring data storage and data transfer operations, educating and training employees on regulatory compliance, implementing policies to ensure compliance with the GDPR, responding to data subject access requests, and serving as the point of contact between the organization and GDPR Supervisory Authorities. You must hire one if...
- Your organization is a public authority (i.e., controls or maintains public infrastructure or has the authority to regulate public property).
- Your organization is engaged in large-scale systematic monitoring of user data.
- Your organization processes large volumes of personal user data.
The size of your organization is irrelevant here. What matters is the size of your data processing operation. But as you're probably thinking, "large-scale" and "large volumes" are nebulous terms. The regulation doesn't offer clear definitions. We have to make our best guess for now until the regulation is amended or clarified in the courts.
11. Cloud-Based Storage is Not Exempt from the General Data Protection Regulation
Like many organizations, you may use a cloud-based storage provider to house your data, such as Microsoft Azure, Google Cloud, of Amazon Web Services. This practice does not offload your data processing responsibilities to the cloud storage provider. Many organizations make the mistake of assuming their cloud storage providers are compliant, but that isn't always the case.
To ensure GDPR compliance, you must ensure that your cloud service provider and the systems you use to integrate with that provider abide by GDPR requirements. This is another reason it's helpful to hire a data protection officer.
12. The General Data Protection Regulation Prioritizes Human Rights Over the User Experience
It's essential to keep in mind that the purpose of the GDPR is to protect consumers on data privacy issues. It's an ambitious, far-reaching piece of legislation designed to safeguard our privacy and give us agency over our data. There's no doubt that GDPR compliance creates challenges for all organizations, especially those whose models rely heavily on robust data processing. Compliance requires one-time and recurring costs, new policies and procedures, education and training, and even new employees.
The framers of the GDPR are aware of those challenges. Still, while they understand your frustration, they feel - and we at Osano agree - that users' rights are paramount, even at the expense of the user experience. At a time when nearly every conceivable data point of our lives is stored online, we are remarkably vulnerable to theft and exploitation, and so require concrete safeguards to protect ourselves.
You Don’t Have to Manage the General Data Protection Regulation on Your Own
EU supervisory authorities will penalize your business for non-compliance with the General Data Protection Regulation, no matter your size. Yes, even small businesses fall across their radar. It's critical that you comply, but the regulation is massive and complex.
With Osano, you gain GDPR compliance instantly. We serve as your GDPR representative, monitor your vendors, help you respond to subject access requests, and alert you about new or changing privacy laws with advice on how to prepare. Let Osano make it simple.