The General Data Protection Regulation (GDPR) has positioned itself as one of the strictest laws for the privacy of consumer data, and it’s still making waves, with several big companies accused of misusing personal data.
In June 2021, Luxembourg’s data-protection commission, the Commission Nationale pour la Protection des Données (CNPD), levied a fine proposal of over $425 million against Amazon for its collection and usage practices for personal data.
The case has the potential to surpass any other GDPR case to date, but with a growing global economy and drive toward more transparent data usage, it likely won’t be the last major case of consumer data privacy violations.
See below to learn how GDPR came to exist, how it works, and what you can do to become GDPR compliant and avoid hefty fines and violations.
Deep Dive Into the General Data Protection Regulation (GDPR)
The European Union (EU) passed the European Data Protection Directive in 1995, but as the internet, e-commerce, and digital marketing rose to prominence, it determined that a more stringent regulation needed to be developed to protect the privacy and autonomy of consumer data. Discussions on revising the 1995 directive began in 2011, GDPR passed the European Parliament in 2016, and all covered organizations were expected to be compliant by May 25, 2018.
The main idea behind GDPR is that individuals, not companies, own their personal data and have the right to know how it’s being used, dictate how it can be used, and remove it from circulation. Businesses are required to provide transparent information to consumers about the personal data they collect and how it’s used. They’re also required to keep this information safe and easily accessible if a consumer requests their data to be edited or removed.
The main players in GDPR can be described as subjects, controllers, and processors:
- Data subjects are the individuals who own their personal data and have the right to consent to or refuse certain uses of their data.
- Data controllers are the entities that collect this personal data from data subjects, decide how that data will be processed, and are held responsible for any personal data privacy violations or breaches outlined in GDPR.
- Data processors are third-party entities that process data according to the instructions of their data controller. They are also liable for GDPR compliance, though they have slightly different rules to follow than data controllers.
The official GDPR regulation consists of 88 pages of wide-ranging rules, scenarios, compliance requirements, and enforcement procedures. Some of GDPR’s main data protection rules are below.
Principles of data protection
All organizations that process personal data are obligated to comply with these seven protection and accountability principles:
- Lawfulness, fairness, and transparency: The data subject has a right to data processing that is lawful, fair, and transparent to them.
- Purpose limitation: Data processors should only process data for the purposes that they outlined to the data subject at the time of consent.
- Data minimization: Entities should only collect, process, and store the minimum necessary personal data they need for the task at hand.
- Accuracy: Entities are required to keep personal data accurate and update/audit it regularly.
- Storage limitation: Entities can only store personal data for the length of time that they need to complete the task at hand.
- Integrity and confidentiality: An entity’s processing practices should ensure high levels of security and confidentiality.
- Accountability: The data controller will be held responsible for showing compliance with all of these principles.
When an entity can process data
Data controllers and processors are allowed to process data in several different scenarios, but as a general rule, entities should get explicit consent from a data subject before they do anything with their personal data. The scenarios in which data processing is allowed include the following:
- The subject gave an entity specific, clear consent to process their data, often via an opt-in.
- An entity needs to process personal data to enter into an agreed-to contract with the data subject.
- Data processing is required for an entity to comply with a legal obligation or order.
- Data processing is necessary in a life-or-death situation.
- Data processing will contribute to the public interest.
- An entity has a legitimate interest, though this will always be overridden by a consumer’s preferences.
Rights of the consumer
One of the core principles of GDPR is making sure that consumers maintain the right to know, access, change, and ultimately own anything that happens to their personal data. The eight main rights of the consumer in GDPR are listed below:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
GDPR compliance is heavily focused on the seven principles of data protection, but several other requirements provide more detail about what entities must do and examples of how they can effectively comply with GDPR.
Appropriate technical measures for data security
Much like HIPAA and other data privacy and security regulations, GDPR requires data controllers and processors to establish appropriate technical measures for data security. Some examples of appropriate technical measures include requiring staff to use multi-factor authentication (MFA), adding end-to-end encryption security measures across a network, and installing software like anti-malware and firewalls.
Appropriate organizational measures for data security
According to Ray Pathak, VP of data privacy at Exterro, GDPR training for employees is one of the most crucial ways to meet appropriate organizational measures:
“The most powerful way is training and awareness,” Pathak said. “It is one thing to create policies and procedures that lay out what employees are to do in their everyday job, and another to make it relevant to them, so they can actually understand and apply it.”
“The wrong way to do it is having employees sign off on a very technical policy document or for them to attest they read the policy, which too many organizations do.”
“The right way is to have role-based training: HR, sales, product, marketing, corporate. Synthesize the requirements into their everyday situation and train to that.”
GDPR requires affected organizations to demonstrate their accountability to the law on an ongoing basis, which many organizations get wrong, according to Pathak:
“One key element organizations fall short on is the accountability section,” Pathak said. “It is one thing to comply with the law, but it is quite another to be able to demonstrate compliance on an ongoing basis.”
“Demonstrating compliance means documenting processes, creating and storing evidence of compliance, and also producing ongoing attestation of this compliance. Showing a point-of-time compliance in 2018 when GDPR went live is not enough. You have to show ongoing compliance, which is where businesses fall short.”
“Many companies treated GDPR as a project, checked all the boxes to comply and then ended the project. GDPR is not a project. It is an ongoing process that can continually evolve over time.”
Data protection by design and by default
This GDPR concept states that all company software, whether already in use or still in development, has to comply with GDPR standards and take into consideration how data will be used. Especially when a company is developing a new tool that will access personal information, it must examine what the tool will be able to access by design and by default and whether that level of access is absolutely necessary for the tool to function. If not, the company must change the tool's default levels of access to adhere to GDPR's minimum-necessary rules.
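The "by design and by default" idea, together with the purpose-limitation, data-minimization, storage-limitation and accountability principles listed earlier, can be expressed as checks the software itself enforces rather than as a policy document employees sign. The following is an added Python example, not code from the article or from any product it mentions; the purpose catalogue, field names, retention periods, dates and subject identifiers are constructed for illustration.

```python
"""Added example (not from the article): a toy personal-data store in which
privacy by default, data minimization, purpose limitation, storage limitation
and erasure are enforced in code, with an audit trail for accountability."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed purpose catalogue: the fields each purpose needs (data
# minimization) and how long consent for it lasts (storage limitation).
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "address"}, "retention": timedelta(days=90)},
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=365)},
}
# Privacy by default: only the purpose the service cannot work without is on
# by default; anything else needs an explicit opt-in from the subject.
DEFAULT_PURPOSES = {"order_fulfilment"}
# Constructed reference date used by the demo below.
DEMO_START = datetime(2024, 1, 1, tzinfo=timezone.utc)


class PurposeError(Exception):
    """Processing was attempted for a purpose the subject never consented to."""


@dataclass
class SubjectRecord:
    data: dict = field(default_factory=dict)
    consents: dict = field(default_factory=dict)  # purpose -> when consent was given


class PersonalDataStore:
    def __init__(self):
        self.records = {}
        self.audit = []  # (subject, action, detail): evidence trail for accountability

    def _log(self, subject_id, action, detail=""):
        self.audit.append((subject_id, action, detail))

    def allowed_fields(self, subject_id):
        """Fields justified by at least one purpose the subject consented to."""
        rec = self.records.get(subject_id)
        if rec is None:
            return set()
        return set().union(*(PURPOSES[p]["fields"] for p in rec.consents))

    def register(self, subject_id, opt_in=(), now=None):
        """Record consent for the default purpose plus any explicit opt-ins."""
        now = now or datetime.now(timezone.utc)
        rec = self.records.setdefault(subject_id, SubjectRecord())
        for purpose in DEFAULT_PURPOSES | set(opt_in):
            if purpose not in PURPOSES:
                raise ValueError(f"unknown purpose {purpose!r}")
            rec.consents[purpose] = now
            self._log(subject_id, "consent", purpose)

    def collect(self, subject_id, submitted):
        """Data minimization: store only fields a consented purpose needs."""
        rec = self.records[subject_id]
        allowed = self.allowed_fields(subject_id)
        kept = {k: v for k, v in submitted.items() if k in allowed}
        dropped = sorted(set(submitted) - allowed)
        rec.data.update(kept)
        self._log(subject_id, "collect", f"kept={sorted(kept)} dropped={dropped}")
        return kept

    def process(self, subject_id, purpose):
        """Purpose limitation: release only that purpose's fields, only with consent."""
        rec = self.records.get(subject_id)
        if rec is None or purpose not in rec.consents:
            self._log(subject_id, "denied", purpose)
            raise PurposeError(f"no consent from {subject_id!r} for {purpose!r}")
        self._log(subject_id, "process", purpose)
        return {k: rec.data[k] for k in PURPOSES[purpose]["fields"] if k in rec.data}

    def purge_expired(self, now=None):
        """Storage limitation: consent lapses after the purpose's retention
        period, and fields no remaining purpose justifies are deleted."""
        now = now or datetime.now(timezone.utc)
        for subject_id, rec in self.records.items():
            for purpose, given in list(rec.consents.items()):
                if now - given > PURPOSES[purpose]["retention"]:
                    del rec.consents[purpose]
                    self._log(subject_id, "expire", purpose)
            for k in set(rec.data) - self.allowed_fields(subject_id):
                del rec.data[k]
                self._log(subject_id, "prune", k)

    def erase(self, subject_id):
        """Right to erasure: drop the subject's data but keep the audit trail."""
        self.records.pop(subject_id, None)
        self._log(subject_id, "erase")


if __name__ == "__main__":
    store = PersonalDataStore()
    store.register("s1", now=DEMO_START)  # defaults only, no newsletter opt-in
    print(store.collect("s1", {"name": "Ann", "address": "1 Rue X", "email": "ann@example.test"}))
    try:
        store.process("s1", "newsletter")
    except PurposeError as e:
        print("denied:", e)
    store.purge_expired(now=DEMO_START.replace(month=4, day=15))  # past 90 days
    print(store.records["s1"].data, store.audit[-3:])
```

The point of the design is that an engineer cannot accidentally over-collect or repurpose data: a field with no consented purpose behind it is never stored, a purpose without consent never returns data, and the audit list is the ongoing evidence of compliance that the quoted expert says organizations fail to produce.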
GDPR is enforced both across the European Union and in each individual EU country. The European Data Protection Board is the overall governing body for GDPR regulation across the EU, but much more happens at the member state level.
Each EU member state adheres to GDPR's basic rules, but they are able to adjust and add to those regulations as they see fit. Each member state enforces its specific approach to GDPR through a supervisory authority, a public authority that monitors and addresses instances of non-compliance involving personal data from that member state.
GDPR penalties can amount to severe fines, not to mention the lost trust and reputation that organizations face. Financial penalties for GDPR violations are split into two tiers, the higher of which maxes out at 20 million euros or 4% of global revenue, whichever amount is greater. Beyond these specific fines, data subjects are also allowed to seek compensation for any damages that the violation causes them.
Even if certain companies believe they are not digitally working with the consumer data of EU residents, there are several reasons to comply with GDPR or at least become familiar with its contents.
First of all, the California Consumer Privacy Act (CCPA) passed into law in 2018 after GDPR, and it’s likely that consumer-driven rights for personal data will expand to other states and countries in the future. It’s also possible that a company is directly or indirectly working with an EU resident’s personal data without even realizing it, meaning that it is liable for privacy violations. Overall, compliance is good for a company’s relationship with customers, as strong privacy and security are tools for marketing its high-quality products or services.
Perhaps most importantly, regulations like GDPR force a company to take a second look at its security infrastructure — which could ultimately save it from costly security breaches in the future.