The General Data Protection Regulation (GDPR) is a landmark piece of data privacy legislation and is the yardstick by which every other privacy law is measured. Passed by the European Union in 2016, it protects the data privacy rights of EU citizens, though its effects are far reaching. What is GDPR, though, and how might it affect you?
Key Takeaways: GDPR Laws Explained
- The GDPR is one of the most important data privacy laws passed in recent years.
- It defines how businesses and organizations can collect and process data collected from their users, employees or other businesses or persons they interact with.
- Although it applies to all companies that handle the data of EU citizens, including ones based outside the Union, it does not apply to the citizens of other countries, such as the United States.
Although it seemingly only covers EU citizens, anyone wanting to do business in the EU market needs to abide by its rules, even if they’re not incorporated in an EU country. This effectively includes almost every online service. Read on to find out what the GDPR is, what its effects are and how companies can become compliant.
04/28/2023 Facts checked
We rewrote the article to reflect current events and more succinctly explain how the GDPR impacts users and what businesses can do to comply with it.
What Is GDPR?
The GDPR is a data privacy law protecting the personal information of EU citizens. Adopted in 2016, it came into force on May 25, 2018, and it applies to any company that processes personal data belonging to EU citizens, regardless of where it’s located.
The GDPR grants EU citizens several important rights. It stipulates that a company cannot process their personal data without gaining explicit consent from the user. It also lets the user view and correct any personal data relating to them.
Importantly, the GDPR includes the so-called right to be forgotten, which means that a user can choose to have all of their data deleted, and the company must abide by their choice.
While these are the most important stipulations under the GDPR, it also includes several other aspects. For example, if a company suffers a data breach, it must inform all affected users. The company must also employ a data protection officer (DPO) to handle all GDPR related issues.
The GDPR defines affected users as “data subjects,” while any entity or organization processing personal data is defined as a “data controller” or “data processor.” The latter terms differ slightly in usage: a data controller is the entity that defines the purpose for data collection or processing, while the data processor is the entity that processes the data, and can be internal or external to the data controller.
The Seven Key Principles of the GDPR
The GDPR was created with seven principles in mind.
1. Lawfulness, Fairness and Transparency
Personal data must be processed in a lawful and transparent manner.
2. Purpose Limitation
Collected data must have a clearly defined and legitimate purpose, and must not be processed in a way that strays from this purpose.
3. Data Minimization
Collected data must be relevant to the service provided and for the purposes that the user has consented to.
Personal data must be accurate and up to date, and the data subject must be allowed to rectify any inaccurate data.
5. Storage Limitation
Collected and processed data must not be kept for a time period longer than is necessary for the purpose it was provided for.
6. Integrity and Confidentiality (Security)
Personal data must be secured in a way that protects it from theft, accidental loss or unauthorized processing.
All data controllers are responsible for properly applying GDPR rules and are liable to punishment in the form of fines if they do not comply.
What Is Personal Data Under GDPR?
One important aspect of the GDPR is how broadly it interprets the term “personal data.” Its definition includes any data that might be used to identify a person, either on its own or in combination with other data. This includes all manner of sensitive personal data, such as a user’s name, age, location or IP addresses.
Additionally, certain data is given special protection, such as biometric data, genetic data (including race and ethnicity) and medical information, as well as political affiliation, sexual orientation and religious beliefs.
This broad definition allows users protection from companies that use deep analysis to gather data and profile their users. For example, under this definition, something as innocuous as a Facebook like could be considered identifiable information, and thus fall under personal data.
Importantly though, only truly anonymized data that has removed any individually identifying information is not considered personal data. Pseudonymized data (a dataset that doesn’t identify you as a person but carries all your information) is still considered personal data, as it’s surprisingly easy for a data broker to deanonymize it and attach this data to a real person.
Fortunately, there are tools, such as Surfshark’s Incogni and DeleteMe, that can completely remove your data from the archives of data brokers. You can read our review of Incogni and DeleteMe review to gain a better understanding of how it all works.
The Data Protection Officer (DPO)
Under the GDPR, a data protection officer, or DPO, is responsible for all GDPR-related issues at a company, and all GDPR-compliant companies must employ one. The DPO is the main point of contact between a company and regulatory and supervisory authorities, as well as users who want to exercise their rights.
Their responsibilities are varied and include:
- Maintaining compliance
- Conducting audits and regular and systematic monitoring
- Providing data protection impact assessments
- Providing employee training
- Providing data processing advice
- Handling data subject requests
- Communicating with the relevant supervisory authority
While the DPO is a single person, a large company should have a data protection team to ensure full GDPR compliance.
The DPO themselves must:
- Be a permanent employee of the company
- Not answer to any higher authority, other than top management
- Not control any processing of data
- Manage their own budget
The History of EU Data Protection
Europe took its first step toward data protection with the 1950 European Convention on Human Rights, which made privacy a basic human right. Then, with the advent of the internet, new regulations became necessary and the 1995 European Data Protection Directive came into force.
However, no one could have predicted the exponential growth the internet experienced in the coming decades, nor the massive data harvesting black holes of social media and tech giants like Google and Microsoft. Thus, further protections became necessary in order to safeguard the right to privacy of EU citizens.
This led to the creation of the General Data Protection Regulation, first passed by the European Parliament in 2016, with a two-year grace period for companies to become compliant. As of 2018, all companies processing the personal data of EU data subjects must abide by the GDPR.
Does the GDPR Apply in the UK?
Despite Brexit, the GDPR still applies in the U.K., as it was enshrined in law in the form of the Data Protection Act (DPA) of 2018. The U.K. Information Commissioner’s Office is the public authority responsible for overseeing all data processing activities in the U.K. and ensures that the GDPR is still followed by U.K. companies and data controllers and processors that hold data of U.K. citizens.
How Does GDPR Affect Users?
Under the GDPR’s data protection principles, users have a great deal of control over their personal data. One important aspect is consent to any personal data collection, processing or transferal. No data processor can collect or process your data without your explicit consent.
There’s also the aspect of data portability, which basically means that you’re allowed to retrieve and save all the data a data processor has regarding you and, if you wish, transfer that data to another entity.
For example, if you want to switch your password manager for a new one, you must be able to download all of your login information in a format that allows you to upload it to another password manager.
However, the most important aspect of the GDPR for a user is probably the right to be forgotten, which allows users to completely erase all collected data from a data controller’s or processor’s databases.
How Do Businesses Ensure GDPR Compliance?
GDPR rules apply to all businesses, organizations or other entities that handle data of European users or are headquartered in EU member states. To ensure GDPR compliance, data processors and controllers must follow the rules set about in the GDPR. Here are a few steps for your business to become GDPR-compliant.
- Identify the legal basis for processing user data.
As the data you collect and process must pertain to a specific purpose, you need to make sure that the purpose is both legal and relevant to the service you provide, and that you’ve gained consent for its collection and processing.
- Review and update company privacy policies and practices.
All data collection and processing practices must be updated to adhere to GDPR standards. Privacy policies and consent forms must be laid out in a clear and plain language.
- Conduct a preliminary data audit.
Identify all the personal data that the company collects, processes and stores. This includes data about employees, customers and any other individuals with whom the company interacts.
- Ensure data security.
Your business must take measures to properly secure the data it stores. This includes proper storage, encryption and backups, as well as restricting access to user data, the best principle for which is a zero-trust policy.
- Appoint a data protection officer.
This is a necessity under the GDPR. Employing a DPO ensures that there’s an individual whose sole purpose is to oversee proper data regulation and GDPR adherence.
- Educate and train your employees.
You need to provide proper training for your employees in order for them to be able to responsibly handle personal data, respond to data subject requests — such as data correction or deletion — and report a security breach.
- Conduct regular audits and reviews.
Make sure that your business keeps up to date with security and privacy trends and that your privacy practices are updated as industry standards evolve. Continuously monitor data access and regularly review your data collection and processing procedures.
To ensure compliance, the GDPR imposes heavy fines on companies that breach its terms. The fine for failing to comply with their legal obligation is 10 million euros, or 2% of the data controller’s annual global turnover (whichever is greater).
Final Thoughts: GDPR
The GDPR is one of the foremost data privacy laws in the world, leading to a revolution of sorts in terms of online data privacy. While most companies around the globe must comply with it, U.S. citizens are unfortunately left unprotected. Although five states have implemented their own data protection legislation inspired by the GDPR, there’s still little protection at the federal level.
What are your thoughts on the GDPR? Do you feel that it provides an adequate level of protection for EU citizens? Would you like to see such a law signed in the U.S.? Let us know in the comments below, and as always, thank you for reading.
The GDPR is a data protection regulation that governs how personal data of individuals in the European Union is collected, processed and stored.
The GDPR ensures the basic human right to privacy for EU citizens by protecting them from malicious use of data collection and processing.
Any companies or entities that process the data of EU citizens must abide by the GDPR, even if they’re based in the U.S. However, those companies do not need to afford the same level of data protection to their U.S. data subjects.