What Is the GDPR?
The General Data Protection Regulation (GDPR) is a major law established in 2018 by the European Union (EU) to protect personal data. The law in the European Economic Area (EEA)—that’s the EU plus Iceland, Liechtenstein, and Norway—recognizes data protection as a fundamental right. The GDPR is the most comprehensive data protection law in the world, and it applies to every company that is based in the EEA and/or offers its goods or services to or monitors the behavior of individuals in the EEA.
GDPR: Key Principles
The GDPR has seven key principles that govern the use of personal data. They are:
- Lawfulness, fairness, and transparency—for example, tell people what you do with their data
- Purpose limitation—only use data for a specific purpose
- Data minimization—only collect the data you need
- Accuracy—make sure the data is accurate and, where necessary, kept up to date
- Storage limitation—don’t store data longer than you need
- Integrity and confidentiality—keep data secure
- Accountability—be able to demonstrate you did all of the above
GDPR: Key Terms
The GDPR protects the rights of data subjects in the EEA. A data subject is any person whose personal data is being processed. Data subjects include individual customers and visitors to websites.
If you process data—and that includes collecting, storing, using, and virtually any other action involving data you can think of—you need to know about data subjects and other key terms.
Any information relating to an identified or identifiable living individual. An “identifiable individual” is one who can be identified directly or indirectly. It’s a broad definition and includes data such as IP addresses and assigned IDs.
Special Category Data
Personal data that has even stricter protections because it is considered sensitive. This includes information about a person’s race, ethnicity, religion, health, and more.
The person, company, or other entity that decides why personal data will be collected and how it will be processed.
The person, company, or other entity that acts on the direction of the data controller to process data.
Transmitting personal data to a non-EEA country from an EEA country or accessing personal data stored in an EEA country while in a non-EEA country.
Why We Need to Comply
When it comes to the GDPR, the downsides of getting it wrong are serious.
The penalties for noncompliance include huge fines of up to 4% of global turnover or €20 million, whichever is greater.
Companies that violate the GDPR get bad press, damaging the company’s reputation when a case goes public.
Heightened public awareness about data subjects' rights leads to increased activism and complaints, leading to greater regulatory scrutiny.
The Good News?
Those compliant with the GDPR have a head start when it comes to privacy laws across the globe and can use it as a selling tool to differentiate themselves from competitors.
Respecting Data Subjects' Rights
Under the GDPR, data subjects have the right to request all the data that a company holds on them, although this is not an absolute right. That means we need to handle these requests carefully. When responding to a request from a data subject, remember:
- Make sure you are confident the individual is who they say they are
- Do not request unnecessary additional information
- Agree to provide all of the information requested that you are required to (there are some exceptions, under local laws, like legal privilege)
- Act quickly—our company is obligated to respond within 30 days, except in cases of very complex requests, which may take an additional 60 days, if justified
International Data Transfers
Special rules apply to data transfers between companies in countries inside and outside the EEA. Unless the outside country is recognised by the European Commission as a country that the EEA considers to offer adequate standards of data protection, a data transfer mechanism generally will be required. These rules apply even if the transfer is internal within an international company.
Be aware that data transfers outside the EEA, to and from cloud storage providers, and remote access by workers in non-EEA countries are also subject to the cross-border transfer rules.