General Data Protection Regulation

The General Data Protection Regulation: Europe Leads the Way

In May 2018 the European Union enacted the General Data Protection Regulation. Abbreviated to GDPR, this regulation launched much discussion about who owns your personal information, what rights individuals have related to data about themselves and what steps companies must take in order to keep personal data private.


Background

How Did GDPR Originate?

Data privacy has been a long-standing topic throughout the world. With the growing popularity of computing and an increasing emphasis on digital communication, the Organisation for Economic Co-operation and Development (OECD) began to examine the rights of individuals with respect to their data in 1980. The result was a series of data handling principles that, in 1995, eventually formed the foundation of the Data Protection Directive (DPD).


The DPD was the first EU-wide data privacy effort and the precursor to the General Data Protection Regulation. It began to define personally identifiable information (PII), stated that use of the data must be transparent and proportional to the permission given, called for regulatory bodies in the member states and addressed the transfer of data to third countries (non-EU countries).

While this was a strong initial effort, technology has evolved considerably since the DPD was designed. The General Data Protection Regulation was crafted to modernize and expand upon its intent. Additionally, as a regulation rather than a directive, GDPR immediately became law in all member states, which had not been the case with the DPD.


Global Law

To Whom Does the General Data Protection Regulation Apply?

In one sense GDPR is a global law. The requirements stated within apply to any company that processes data of European Union citizens. For example, if a company operating in the United States uses data belonging to a citizen of Germany, it must operate within the guidelines established by GDPR.

So, it’s not about where you are or what business you’re in; rather, it’s about whose data your business uses.


GDPR Details

What Does the GDPR State?

The General Data Protection Regulation standardizes what is allowed in terms of processing and controlling personal data. Obviously, there are fine details that should be reviewed by your legal team, but at its heart, it:


Broadens the definition of personally identifiable information to cover any data that can be used to identify someone. The scope now includes information such as fingerprint scans, IP addresses and more.

Expands individual rights. EU citizens now have the right to know when their data is collected and how their data will be used. They have the right to request their data be deleted, as well as to request access to or a copy of their data.

Extends responsibility to both data controllers and data processors. Both are now responsible for safeguarding personal data, and a data protection officer may be required to oversee related processes.

Demands quick response to security breaches. Companies must now notify people who are impacted by a data breach within 72 hours of learning about the breach.

What happens if you don't comply with GDPR?