The General Data Protection Regulation (GDPR) is a landmark legislation that updated and unified data protection and privacy laws across the European Union (EU), introducing new GDPR rules that have far-reaching implications for businesses and individuals alike. It harmonizes the individual data privacy laws of all 28 EU members, providing a consistent set of 99 articles for greater individual rights and protections and reflecting EU consumers’ increasing concern over data privacy.
An RSA Data Privacy & Security report revealed that 41% of consumers submit incorrect personal information to companies due to little faith in data privacy and fear of intrusive marketing. Another 90% of surveyed global consumers expressed concerns over organizations losing, manipulating, and stealing their personal data.
Many industry experts describe the GDPR as a data protection and privacy revolution rather than a mere overhaul of existing rights; the new rules focus on keeping businesses transparent and expanding consumers’ privacy rights. For instance, once a company detects a severe security breach, it must notify the supervising authority and all affected individuals within 72 hours.
Common questions about the GDPR include who it applies to and whether it affects companies of all sizes. The GDPR mandate applies to companies of all sizes that process the personal data of EU residents, regardless of where the organization is based. It also affects anyone whose information is stored in the EU, including non-EU citizens, and it includes steep fines for companies that breach the rules.
Understanding GDPR requirements is critical for businesses to ensure compliance and avoid hefty fines. Basic facts about the regulation include:
GDPR requires companies and organizations that conduct large-scale data processing and data subject monitoring to have a data protection officer (DPO). The DPO is the person responsible for the company’s data governance and compliance.
Companies that do not comply with the GDPR rules face legal consequences, including a fine of 20 million euros (or about $22.07 million) or 4% of annual global revenue, whichever is greater. Additionally, the DPO ensures that appropriate data protection principles are applied when personal data is maintained.
The General Data Protection Regulation exists because of public concern over privacy. It replaced the 1995 EU Data Protection Directive enacted long before the internet became a modern online business hub. Therefore, it was necessary to replace the outdated directive that failed to address how companies collected, transferred, and stored data.
Today, the GDPR protects the EU population and their data to ensure organizations collecting and storing data do so responsibly. It mandates the safe maintenance of personally identifiable information (PII) and requires organizations to protect it against unauthorized or unlawful processing, damage, destruction, and accidental loss. This includes many activities surrounding ransomware and malware. Examples of PII include:
It also identifies reasons for collecting personal data and specifies that it should be for a particular and legitimate purpose, and organizations cannot use it beyond that intention. The regulation goes as far as to place limits on how much data organizations and businesses can collect. It stipulates that data collection is limited to what is necessary for the purposes for which an organization processes and uses the data.
Furthermore, the GDPR states that organizations collecting data should ensure its accuracy and update it as needed.
Companies cannot legally process a person’s personally identifiable information if they fail to meet the following conditions:
The purpose of the GDPR is to apply a uniform EU data security law across member states so that individual members don’t need to write and enforce different data protection laws. Additionally, although it comes from the EU, it applies to global businesses outside the region.
For instance, it applies to a US-based company that does business in the EU and collects and handles the data of EU residents and citizens. A PWC survey showed that 92% of US-based companies consider GDPR data protection a priority.
Other specific compliance criteria for organizations include:
GDPR focuses a lot on personal data protection. Personal data is information that identifies a living person directly or indirectly. It could be something obvious like a name, location data, or a clear online username, or less apparent such as cookie identifiers or IP addresses.
It gives some categories of sensitive personal data greater protection, including information about:
The crucial definition of personal data is anything that allows the identification of a person. It means pseudonymized data still falls under personal data in this broad context. Personal data is critical because the law covers individuals, companies, and organizations that either process or control it.
The GDPR defines the following three roles:
Controllers are the decision makers and exercise control over processing personal data and its purposes and uses. Sometimes there are joint personal data controllers, where two or more entities determine how to handle collected data. On the other hand, processors act on behalf of the relevant controllers under their instructions. Therefore, controllers have stricter regulations than processors.
Users must consent to organizations and companies that wish to collect and use their personal data. In this case, personal data refers to information about a living, identified, or identifiable natural person, often called a data subject.
As stated above, personal data can include the following:
It requires companies and organizations to notify visitors to their online sites of the data they collect, such as cookies. Visitors must also consent to providing information, for example by clicking an agree button. Many sites therefore have popup disclosures notifying visitors that the site collects cookies – small files holding personal information like site preferences or settings.
Websites must also notify visitors and users early of a breach of the personal data the company or site holds. These EU data protection requirements are often more stringent than those in other jurisdictions.
Other mandates include the assessment of the website’s data security and the requirement to have a data protection officer to carry out these and other functions. Also, the company must provide the contact information of the DPO and other relevant employees so that data subjects can easily exercise their GDPR rights. These include the right to have their personal data erased from the site, among other measures.
It further protects consumers by requiring organizations and other collectors to anonymize collected personal data or to pseudonymize it, replacing the identity with a pseudonym. These measures still allow organizations to perform more extensive data analysis, such as assessing their customers’ average debt ratios, which goes beyond what is required to evaluate a single loan’s creditworthiness.
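The following is an added illustration of the pseudonymization step described above; it is not Veritas code and not part of the original article. Direct identifiers (name, IP address) are dropped, and the e-mail address is replaced by a keyed pseudonym (HMAC-SHA256), so records belonging to the same customer can still be grouped for analysis such as an average debt ratio, while re-identification requires the separately held key. The key, the field names and the customer records are constructed for the example; as the article notes, the pseudonymized output is still personal data under the GDPR, which is why the key must be stored apart from the dataset.

```python
import hashlib
import hmac
import statistics

# Assumption: in production the key would come from a vault or KMS and
# would never be stored next to the pseudonymized dataset.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"

# Fields treated as direct identifiers (assumed schema for this example).
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym for an identifier.

    HMAC rather than a plain hash: without the key an attacker cannot
    rebuild the mapping by hashing guessed e-mail addresses.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of the record with direct identifiers removed.

    The e-mail address becomes a 'subject_id' pseudonym so that the
    customer's records can still be linked; name and IP are dropped
    entirely (data minimisation: the analysis does not need them).
    """
    out = {}
    for field, value in record.items():
        if field == "email":
            out["subject_id"] = pseudonym(value, key)
        elif field in DIRECT_IDENTIFIERS:
            continue
        else:
            out[field] = value
    return out


def average_debt_ratio(pseudonymised_records: list) -> float:
    """Mean of per-customer mean debt ratios, computed on pseudonymized data."""
    per_subject = {}
    for rec in pseudonymised_records:
        per_subject.setdefault(rec["subject_id"], []).append(rec["debt_ratio"])
    return statistics.mean(statistics.mean(v) for v in per_subject.values())


# Constructed sample records (not real people); note the second record
# uses a differently cased e-mail for the same customer.
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.org",
     "ip": "203.0.113.7", "debt_ratio": 0.30},
    {"name": "Anna Example", "email": "Anna@Example.org",
     "ip": "203.0.113.8", "debt_ratio": 0.40},
    {"name": "Ben Example", "email": "ben@example.org",
     "ip": "198.51.100.2", "debt_ratio": 0.20},
]


def run_demo() -> list:
    """Pseudonymize the sample set and return the resulting records."""
    return [pseudonymise(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    cleaned = run_demo()
    for rec in cleaned:
        print(rec)
    print("average debt ratio:", round(average_debt_ratio(cleaned), 3))
```

Because the pseudonym is deterministic under one key, the two records for the same customer collapse onto one `subject_id`; rotating the key yields an unrelated set of pseudonyms, which is the property a controller relies on when it needs to sever the link between the analytics dataset and the identities it holds elsewhere.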
It’s worth mentioning that GDPR affects data other than that collected from customers. For example, the regulation applies to HR records of employees.
The EU GDPR has 11 chapters and 91 articles. Below are some of the key articles that impact the security operations of organizations:
There are seven fundamental principles in the legislation’s Article 5. These principles guide how organizations handle people’s data. They are not complex rules to follow, but an overarching framework whose design lays out the purposes of GDPR.
Many principles are similar to those in the previous data protection laws. The seven principles are as follows:
The above principles of the GDPR underlie the specific data subject rights under the data protection act. These include the following:
During a security breach affecting personal data, data controllers have 72 hours to notify the supervisory authority (public authority the EU member country designates to oversee compliance). Additional breach notification requirements include:
GDPR fines and penalties have a tiered approach that includes two levels of fines, depending on the scope and type of infringement:
The biggest issue most companies focused on following the 2016 roll-out of GDPR was the ability of regulators to impose stiff financial fines for non-compliance. Regulators could fine businesses for any offenses, including failure to process personal data correctly, failure to have a data protection officer if required, or security breaches.
There are several regulations regarding third-party personal data – data from parties other than EU data subjects – and sharing personal data outside the region. The Data Protection Act 2018 stipulates that:
After the United Kingdom withdrew from the EU, it updated its data protection laws and now uses the Data Protection Act 2018. It stipulates that UK companies doing business with EU customers and organizations should comply with the GDPR.
It’s worth noting that the GDPR places equal liability on data processors and data controllers. It means that a non-compliant third-party processor affects an organization’s compliance status. The act also has strict requirements for reporting breaches in the chain.
Therefore, a controller’s existing contracts with processors such as SaaS vendors, payroll service providers, or cloud providers, and with customers, must spell out each party’s responsibilities. The agreement must also define consistent processes for collecting, managing, protecting, and storing data, and for reporting breaches.
For businesses, simplifying GDPR compliance can be a daunting task. So how does a company ensure compliance? The regulations describe responsible data management’s expected results but do not specify technical measures to achieve that goal. Below are some best practices that help streamline your organization’s compliance efforts while ensuring it meets all regulatory requirements:
Complying with GDPR is not just a legal requirement; it’s also an opportunity for organizations to build customer trust by protecting their personal data.
Digital transformation has redefined the regulatory rules governing businesses globally. US businesses are now subject to several cybersecurity compliance regulations, depending on the nature of their business, such as GDPR and the California Consumer Privacy Act (CCPA). (See CPRA for an update on CCPA.)
Many communication platforms and online operating environments have made compliance administration demanding and costly. Therefore, businesses are looking for effective, affordable ways to remain compliant while boosting productivity and expanding operations.
Veritas’ integrated portfolio of data compliance capabilities synthesizes intelligence across different data sources to streamline access, ensure regulatory compliance, deliver insights, support analysis, and minimize organizational risk.
The Veritas integrated approach to compliance and enterprise data management turns big data into actionable insights. Additionally, our Data Insight Integration’s reporting and visualization features allow users to classify at-risk data, engage data owners, and rescind access to sensitive personal data to improve data compliance and decision-making.
Moreover, the Veritas Integrated Classification Engine eliminates dark data challenges of data security and compliance. As a Gartner Magic Quadrant Leader, we lead the market in enterprise information archiving. Users can archive and retrieve their data to and from anywhere.
Veritas offers an integrated product portfolio second-to-none in the market. A comprehensive and robust technology ecosystem backs it, with no other provider coming close to the scale and versatility that Veritas Enterprise Data Services provides.