To understand the story of the General Data Protection Regulation (GDPR), we must rewind to 2011. That was when newly graduated Austrian lawyer and data protection activist Max Schrems filed a request with Facebook to see all the information that the company held on him.
Max was livid when he received a 1,200-page dossier in return and vowed to start a movement in order to protect the privacy rights of fellow Europeans. His initial effort took the shape of “Europe vs. Facebook,” which aimed to drive awareness of the issue through lobbying strategies.
The first round of discussions about the enactment of a new law in the EU started in 2012. However, it is important to note that the GDPR simply strengthened existing EU legislation on data collection, previously passed in the 1990s.
The older set of laws had struggled to reflect the realities of the internet age, making it necessary to update the regulations. According to the EU’s GDPR site, the right to privacy for every EU citizen is enshrined in the 1950 European Convention on Human Rights. It states that “everyone has the right to respect for his private and family life, his home and correspondence.”
When did GDPR come into force?
The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018, but the voices championing this groundbreaking piece of legislation were active for several years prior, as explained above.
While the GDPR was officially adopted into law in May 2018, the legislation was first approved in April 2016. It gave corporations a two-year transition period to bring their systems up to speed with the tenets of the law.
What is the meaning of GDPR?
At the heart of GDPR is the understanding that EU residents must be in control of their personal data. Corporations can’t store data willy-nilly and engage in invasive data tracking and collection in order to get richer.
That’s why it creates a legal framework for the proper collection, storage, and processing of the personal information of EU residents. The regulation applies to all companies that conduct business with Europeans, not only those that have an office there. For example, if you’re an e-commerce store in Canada but are actively shipping orders to countries in Europe, you are bound by the rules of GDPR.
The principles of GDPR are such that consumer rights must be upheld at all times and given priority over everything else.
What types of data does the GDPR cover?
Organizations collecting any or all of the following data points are liable to GDPR rules:
- Personally identifiable information such as names, addresses, telephone numbers, social security numbers, and credit card details
- User IP addresses, locations, cookies, and RFIDs
- Biometric data such as fingerprints
- Gender, race, and ethnic data
- Sexual orientation
- Political opinions
- Household income
GDPR breaches and fines
The European Union describes the GDPR as the “toughest privacy and security law in the world.” While it was drafted and passed inside the cooperation bloc, it applies to organizations based anywhere in the world as long as they process data related to EU citizens and residents.
Penalties for non-compliance are extremely stiff and can reach into the tens of millions of euros. Hence, businesses that fail to reach a minimum compliance standard can expect heavy fines, and more egregious violations may result in a levy of 4% of global revenue.
For behemoths like Amazon and Facebook, this number could run into the billions of euros.
GDPR terms dictate that organizations only collect the data that they need and after express consent from users. Plus, after storing the data they must ensure that they invest in proper mechanisms to safeguard its integrity and prevent its misuse. Any data breaches or cyber attacks must be reported immediately and without prejudice.
How do businesses get GDPR compliant?
GDPR compliance is a complex beast and many companies have started new departments dedicated to achieving this goal.
However, as a general rule, here are seven things you need to look out for:
1. User consent
Whenever you ask a user to input personal information such as an email address, telephone number, home address, or credit card number, the terms of consent must be crystal clear and jargon-free. Users should know that their data will be stored and what rights they have over it. Plus, they should be free to withdraw consent at any point in the future.
2. Notification of data breaches
Cyber attacks are an everyday reality in the internet age, and the GDPR has taken significant steps to ensure residents are informed if an attack affects their personal information.
If companies processing the data of EU residents are hit by a cyber attack that pilfers data, then they have a maximum of 3 days (72 hours) to notify both their users and data controllers. The GDPR doesn’t specify exactly how this notification should be issued, but experts agree that an email or similar document will suffice.
A failure to meet this deadline will attract stiff fines.
3. Right to view personal data
Under the GDPR, users are granted the right to access their personal data whenever they wish. When an organization receives a request of this nature, it must provide the individual with a free electronic copy of all the data that it currently possesses on them. What’s more, it must also state whether it has used the data, such as for better advertisement tracking or other use cases.
4. Right to be forgotten
Consumers can request that organizations completely scrub their information from their servers. For context, Google has received 3.2 million right to be forgotten requests since 2014. When a request is received, the organization must ensure that the data is removed entirely and not transferred to a server in a different location.
5. Data protection officer
Under the GDPR, all organizations meeting certain criteria must have a data protection officer, who will serve as the central focal point for GDPR compliance. The officer must have expert knowledge of GDPR law and practices. However, there are some exemptions to this requirement, which the EU outlines in detail.
6. Data integrity and security implementation
We outlined earlier how it’s essential for companies to notify their users in the case of a cyber breach, but the EU wants organizations to do all they can to prevent this from happening in the first place.
It says firms should implement “appropriate technical and organizational measures” to safeguard data, including things like deploying end-to-end encryption and forcing employees to use two-factor authentication when dealing with sensitive accounts and servers.
Furthermore, organizations are encouraged to carry out extensive staff training on cybersecurity best practices, add a data privacy policy to the employee handbook, and limit access to data on a “need-to-know” basis.
7. Establish privacy by design and default
The EU wants companies to get serious about implementing data privacy and security in upcoming products and services. Detailed in Article 25 of the GDPR legislation, the EU says everything in your organization must “by design and default” incorporate data protection.
For example, new apps and services must collect the bare minimum of data needed to run the product efficiently. If all you need is a user’s telephone number and email address, then there’s no need to ask for their age, marital status, and permanent address too. Plus, organizations should be mindful of how to secure this data after collecting it.
As we outlined earlier, the GDPR is a complex piece of legislation that requires expert assistance and knowledge. The full text of all the GDPR’s provisions is available on the EU’s site and will make for several hours of reading.