The General Data Protection Regulation (GDPR) is a privacy and security law passed by the European Parliament and the Council of the European Union. It went into effect on May 25, 2018, and is widely considered one of the strictest data privacy laws.
GDPR's rules apply to any organization, in any country, that offers goods or services to individuals in the European Union (EU), whether or not any payment is involved, or that monitors the behavior of individuals within the EU. It covers any individual located in the EU or the wider European Economic Area (EEA).
Harsh fines can be imposed on those who violate the privacy and security standards set forth by GDPR, with penalties potentially reaching tens of millions of euros.
According to the lead MEP for the draft regulation, Rapporteur Jan Philipp Albrecht (Greens/EFA, DE):
With the General Data Protection Regulation, the European Union sets a global standard and ensures that fundamental rights, consumer protection, and fair competition are strengthened. For the first time, the same high level of data protection rules apply to everyone in the European Union; the new EU-wide rules replace a patchwork of 28 different national regulations.
After more than four years of negotiations, the European Parliament replaced the 1995 Data Protection Directive with the modernized GDPR. Comprising 99 articles, the GDPR is designed to give individuals more control over their private information and to clarify the data privacy and security rules that organizations must follow.
GDPR aims to uniformly strengthen individuals' rights while reducing burdens for companies and public entities by providing a single set of rules for all EU member states. Previously, all member states had enacted their own data protection legislation. The UK integrated the GDPR into the Data Protection Act of 2018, which replaced its Data Protection Act of 1998.
Eight New Rights Under GDPR
GDPR gives individuals (data subjects) greater control over their personal data in eight new ways.
- The right to erasure (Article 17)
Any data subject has the right to have their personal data erased when they no longer want the data to be processed. This is also known as the right to be forgotten. Organizations that receive a request from a data subject to be forgotten must erase the person's data on their systems and forward that request to any other organizations that have replicated that data.
There are restrictions related to the right to be forgotten—for instance, if the data is needed for historical, statistical, scientific, or public health purposes. In addition, the right to be forgotten does not apply when the retention of personal data is necessary to fulfill a contract or is required by law.
- Conditions for consent (Article 7)
The data subject must give clear and affirmative consent to the processing of their private data. This means that the data subject takes an active step to give consent to data collection and processing. The data subject also has the right to easily withdraw their consent at any time.
- Right to portability (Article 20)
Data subjects have the right to switch their personal data to another service provider (e.g., switch email providers, but keep contacts and messages).
- Transparent information, communication, and modalities for the exercise of the rights of the data subject (Article 12)
Data subjects have the right to be informed in clear and plain language. GDPR Article 12 essentially puts an end to "fine print" and "legalese" for privacy policies. Details about what data will be collected and how it will be used must be presented clearly, in easy-to-understand language.
- Notification and communication of a personal data breach (Articles 33 and 34)
Organizations must notify the Data Protection Authority (DPA) in the relevant EU member state in the event of a personal data breach. Affected EU citizens must also be notified if there is a high risk that the personal data breach will affect their "rights and freedoms."
- Right to object (Article 21)
Data subjects have the right to object, at any time, to the processing of personal data, including profiling. Under GDPR, profiling would only be allowed with the consent of the data subject. In addition, profiling should not lead to discrimination, be based solely on sensitive data, be based solely on automated processing, or be done in lieu of human assessment.
- Conditions applicable to child's consent (Article 8)
The GDPR includes provisions to protect the personal data of children. Personal data can only be processed for people at least 16 years old.
Consent to process data for someone under the age of 16 requires consent by a parent or someone responsible for the child. EU member states can institute laws for a lower age for processing personal data, but the person must be at least 13 years old.
- Privacy by design and default (Article 25)
GDPR includes privacy by design and privacy by default to support its data privacy objectives:
- Privacy by design, Article 25 (1), holds that organizations need to consider privacy at the initial design stages and throughout the complete development process of new products, processes, or services that involve processing of personal data.
- Privacy by default, Article 25 (2), directs default settings to be the most privacy-centric for systems or services that give data subjects choices about how much personal data will be shared with others.
Why Does GDPR Exist?
The need for legislation to protect individuals' privacy is not new. The 1950 European Convention on Human Rights stated, "Everyone has the right to respect for his private and family life, his home and his correspondence."
The GDPR was created as a response to the increasing collection and processing of personal data. Advances in digital technology and artificial intelligence have significantly increased the collection and processing of data. And most online activities require the sharing of personal data.
With GDPR, individuals in the EU can make their own decisions regarding the use of their data and avoid possible abuses by those who handle their data. The GDPR is also intended to set a high standard for data protection as well as protect domestic and cross-border transfers of data, which was not the case with previous legislation.
According to the European Parliament:
Protection of personal data and respect for private life are important fundamental rights. The European Parliament has always insisted on the need to strike a balance between enhancing security and safeguarding human rights, including data protection and privacy. New EU data protection rules strengthening citizens' rights and simplifying rules for companies in the digital age took effect in May 2018.
Types of Data Protected by the GDPR
GDPR regulates the processing of personal data relating to natural persons in the EU by an individual, a company, or an organization. It does not apply to the processing of personal data of a deceased person or of a legal person (e.g., a business that’s a sole proprietorship).
GDPR’s rules also exclude data processed by an individual for purely personal reasons or for activities carried out in one's home, provided there is no connection to a professional or commercial activity. According to the GDPR, if an individual uses personal data outside the personal sphere, for sociocultural or financial activities, the data privacy rules apply.
What the GDPR Considers Personal Data
According to the GDPR, personal data is any information that relates to an identified or identifiable living individual.
Examples of personal data:
- Name and surname
- Home address
- Personal email address
- Identification card number
- Location data
- Internet Protocol (IP) address
- Cookie ID
- RFID tag
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Examples of data not considered personal:
- Company registration number
- Email address through an organization
- Anonymized data
- Encrypted data
GDPR’s Reach Outside of the EU
Also known as the extra-territorial effect, Article 3 of the GDPR specifies the territorial scope of the law. It makes clear that the GDPR rules apply to all organizations operating in the EU—even if they are based outside of the EU.
GDPR Article 3: Territorial Scope Specifications
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
To be compliant with GDPR's provisions, any personal data exported outside the EU must be protected and regulated. Compliance is required if any personal data belonging to an EU citizen or person present in the EU is touched, regardless of the location of the organization that handled the data. For example, if a Japanese company is selling services to someone in Germany, they are required to comply with GDPR because data from an individual in the EU is involved.
Companies Affected by GDPR
Any company, regardless of size, that stores or processes personal information about EU citizens or persons present in the EU must comply with the GDPR, even if they do not have a business presence within the EU.
Criteria for Companies to Be Subject to GDPR Compliance Requirements
- The business has a presence in an EU country.
- Even if there is no presence in the EU, the company processes personal data of European Union residents.
- There are more than 250 employees.
- Even if there are fewer than 250 employees, the data processing impacts the rights and freedoms of data subjects.
Roles Responsible for GDPR Compliance
Three roles are called out in the GDPR as being responsible for adhering to compliance requirements.
- Data controllers are responsible for defining how personal information is processed and why it is being processed. Compliance of third parties (e.g., vendors, partners) is also the data controller's responsibility.
- Data processors are either internal or third parties that maintain and process personal data records. In the event of a data breach, data processors are held liable by the GDPR if the incident was related to non-compliance.
Note that there are also sub-processors. Fourth parties, as they are known, are not officially recognized under GDPR, but are commonly used to perform processing activities on behalf of a third-party processor.
- Data protection officers (DPOs) oversee data privacy and data security as related to GDPR compliance. The GDPR requires that organizations appoint a DPO if:
- The nature, scope, or purposes of their processing activities require regular and systematic monitoring of data subjects on a large scale.
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to GDPR Article 9, or personal data relating to criminal convictions and offenses referred to in Article 10.
Tasks Assigned to the DPO
According to GDPR Article 39, the data protection officer shall have at least the following tasks:
- To inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- To provide advice where requested, with regard to the data protection impact assessment, and monitor its performance pursuant to Article 35;
- To cooperate with the supervisory authority;
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Third-Party GDPR Compliance
The GDPR defines "third party" as a natural or legal person, public authority, agency, or body—other than the data subject, controller, or processor—authorized to process personal data on behalf of an organization. It is important to understand that the GDPR holds organizations responsible for the actions of all third parties (and fourth parties) if there are compliance failures.
GDPR Article 28 requires organizations to have a legal agreement in place when outsourcing data processing activities. It should detail data protection obligations as well as specify the data processor's responsibilities with regard to:
- Data processing criteria
- Return or erasure of data at the end of its lifecycle
- Data security
- Data breach notifications
- Impact assessments
- Compliance audit support
- Engagement of sub-processors
People acting under the direct responsibility of third-party data controllers, processors, and related service providers should be subject to internal policies and procedures.
GDPR Breach Notifications
The GDPR has detailed directions related to data breach notifications that must be followed to avoid fines. Time is of the essence: within 72 hours of becoming aware of the data breach, the organization must report it to one of the EU Data Protection Authorities (DPAs).
DPA to Contact after a Data Breach
The DPA to be contacted depends on where the organization processes data:
- If the organization only operates in one EU member state, or the data is collected, processed, and used in one country, notify the local DPA in that country.
- If the data is transmitted between EU member states, and the organization has operations in one or more European countries, notify the DPA of the country in which decisions about the data are made; that DPA acts as the Lead Supervisory Authority (LSA).
- If the organization does not have operations in the EU, the breach must be reported to the DPA in each European country where there was data processed.
Most DPA reports can be completed online. The European Data Protection Board has a list of DPAs with contact information and links to their websites.
Information Required for a GDPR Data Breach Notification to DPA Per Article 33
- Describe the nature of the personal data breach, including, where possible, the categories and the approximate number of data subjects concerned, and the categories and the approximate number of personal data records concerned.
- Communicate the name and contact details of the data protection officer or other contact points where more information can be obtained.
- Describe the likely consequences of the personal data breach.
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Data Breach Notification for Data Subjects
If the personal data breach results in risks to individuals, they must be notified directly about the incident. According to GDPR Article 34, the data controller must share the following with data subjects:
- A description of the nature of the breach
- The name and contact details of the data protection officer or another contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects
In the event of a personal data breach, the GDPR prefers that data subjects be contacted directly (e.g., text, email, mail) rather than via mass media. If indirect mass communication is the most practical way to share the message, prominent banners on websites, blog posts, or press releases are acceptable means of communicating with individuals.
Penalties for Non-Compliance with GDPR
Under GDPR, DPAs have extensive enforcement powers, including the ability to impose fines. The fines imposed by the GDPR are divided into two tiers and are based on the following.
10 Considerations for Imposing GDPR Compliance Violation Fines
- Nature, gravity, and duration
The nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them
- Intent and negligence
The intentional or negligent character of the infringement
- Mitigation actions
Any action taken by the controller or processor to mitigate the damage suffered by data subjects
- Precautionary measures
The degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them pursuant to GDPR Articles 25 and 32
- Compliance record
Any relevant, previous infringements by the controller or processor
- Cooperation with authorities
The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects
- Types of personal data affected
The categories of personal data affected by the infringement
- Notification quality
The manner in which the infringement became known to the supervisory authority, in particular, whether, and if so to what extent, the controller or processor notified the infringement
- Adherence to codes of conduct
Adherence to approved codes of conduct pursuant to GDPR Article 40 or approved certification mechanisms pursuant to GDPR Article 42
- Aggravating or mitigating factors
Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, from the infringement
Standard Maximum Fine under GDPR Article 83 (4)
Less severe GDPR compliance violations could result in fines up to 10 million euros, or 2% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher.
Higher Maximum Fine under GDPR Article 83 (5)
More serious infringements that violate the GDPR principles of the right to privacy and the right to be forgotten could result in fines of up to 20 million euros, or 4% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher.
Fines for Multiple GDPR Violations
If regulators find that an organization has multiple GDPR violations, it will only be penalized for the most severe one, provided all the infringements are part of the same processing operation.
Steps to GDPR Compliance
Understanding the law and its meaning for an organization is a critical part of successfully meeting GDPR compliance criteria. Then, GDPR compliance planning is much like other data protection efforts.
Five Key Steps to GDPR Compliance
- Access all data sources. All data sources must be accessible to enable the development of a complete inventory of personal data. The GDPR requires that organizations know where their personal data resides and who can access it.
- Inspect the data. Once accessed, data sources must be inspected to identify what personal data is stored on which devices.
- Govern the data. Data privacy and data protection rules must be documented and followed to comply with GDPR. A data governance program helps organizations follow and enforce these rules.
- Protect the data. For GDPR compliance, three methods can be enlisted to protect data—encryption, pseudonymization, and anonymization. Processes and tools must be implemented to protect personal data.
- Audit and report. GDPR compliance requires that organizations be able to produce reports that prove their ability to do the following:
- Properly manage the process for getting consent from data subjects.
- Explain how personal data is collected, who uses it, and for what purpose it is used.
- Have the appropriate processes in place to manage personal data processes related to data subjects, such as the right to be forgotten, updates to personal information, personal information portability, and data breach notifications.
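The inspection and protection steps above name pseudonymization and anonymization without showing how they differ in practice. The following is an added example, not code from the page or from Egnyte, that works on a few constructed sample records (the names, addresses and IPs are invented). It flags fields that look like direct identifiers, pseudonymizes them with a keyed HMAC so the records stay linkable and can be re-identified from a separately held table (as the right to erasure or access requires), and anonymizes them by irreversibly generalizing the quasi-identifiers. The field names, the `pseu_` token prefix and the age/IP generalization rules are assumptions for illustration, not anything the GDPR prescribes.

```python
"""Pseudonymization vs. anonymization of personal data fields (added example)."""
import hashlib
import hmac
import ipaddress
import re

# Constructed sample records: fictional people and documentation-range IPs.
RECORDS = [
    {"name": "Anna Schmidt", "email": "anna@example.org", "ip": "203.0.113.42", "age": 34, "city": "Berlin"},
    {"name": "Bram de Vries", "email": "bram@example.net", "ip": "198.51.100.7", "age": 29, "city": "Utrecht"},
    {"name": "Anna Schmidt", "email": "anna@example.org", "ip": "203.0.113.42", "age": 34, "city": "Berlin"},
]

# Assumed schema knowledge: which columns hold direct identifiers.
DIRECT_IDENTIFIERS = ("name", "email", "ip")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def detect_personal_data(record):
    """Inspection step: flag string fields that look like an email or IP.
    Pattern matching finds machine-shaped identifiers only; a bare name such
    as "Anna Schmidt" is not caught, which is why the inventory must also
    rely on schema knowledge (see DIRECT_IDENTIFIERS) rather than regexes alone.
    """
    flagged = set()
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if EMAIL_RE.match(value):
            flagged.add(field)
            continue
        try:
            ipaddress.ip_address(value)
            flagged.add(field)
        except ValueError:
            pass
    return flagged


def pseudonymize(record, key):
    """Protection step, reversible variant: replace each direct identifier with
    a keyed HMAC-SHA256 token. Equal inputs under the same key give equal
    tokens, so rows about one person remain linkable for analytics; without
    the key the token cannot be turned back into the identifier.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        digest = hmac.new(key, record[field].encode("utf-8"), hashlib.sha256).hexdigest()
        out[field] = "pseu_" + digest[:16]
    return out


def build_reidentification_table(records, key):
    """Token -> original value, kept by the controller separately from the
    pseudonymized data set so that access and erasure requests can be honored.
    """
    table = {}
    for record in records:
        pseudo = pseudonymize(record, key)
        for field in DIRECT_IDENTIFIERS:
            table[pseudo[field]] = record[field]
    return table


def anonymize(record):
    """Protection step, irreversible variant: drop direct identifiers and
    coarsen quasi-identifiers (age to a ten-year band, IPv4 to its /24).
    Nothing here can be reversed, with or without a key.
    """
    decade = record["age"] // 10 * 10
    network = ipaddress.ip_network(record["ip"] + "/24", strict=False)
    return {
        "age_band": f"{decade}-{decade + 9}",
        "ip_prefix": str(network),
        "city": record["city"],
    }


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"  # in production: a managed secret
    for record in RECORDS:
        print(detect_personal_data(record), pseudonymize(record, key), anonymize(record))
    print(build_reidentification_table(RECORDS, key))
```

The design point is the difference in reversibility: the pseudonymized data set plus the separately held key and table still identifies the individuals, so it remains personal data and the table needs the same access controls as the originals; the anonymized rows cannot be traced back to a person, but only because the generalization actually destroyed the identifying detail, which should be checked per field rather than assumed.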
Other GDPR Compliance Considerations
- Establishing data protection by design and by default
- Designation of a data protection officer
- Confirmation of legality of data collection
- Process for keeping records
- Impact assessment
- Documenting policies for employees, partners, vendors, and data subjects
- Employee training
- Due diligence on third-party partners and vendors
- Risk assessments
- Data breach response plan
Stay on Top of GDPR
GDPR compliance is dreaded by many organizations. However, there is a silver lining. The effort that goes into addressing the requirements for GDPR compliance also improves overall business operations.
The five steps for GDPR data compliance noted above are best practices that every organization should follow regardless of the drivers. GDPR is a far-reaching and hard-hitting law that cannot be ignored. Stay on top of GDPR and see how it will positively impact your organization.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of customers worldwide.