In Europe, years of preparation and speculation came to a head when the General Data Protection Regulation (GDPR) became enforceable in May 2018. It has now been on the books for a few years.
GDPR replaced the 1995 Data Protection Directive, a framework that was more than 20 years old. The E.U. deemed it necessary to modernize its rules so that they fit an online world in which people share personal information more freely than ever before.
The GDPR provides one consistent data protection framework across all E.U. member states. It governs what businesses can do with the personal data they collect, and it is enforced with fines.
Because the GDPR is extensive, there is often confusion about its details. Below we hope to clear up that confusion, help businesses understand how the GDPR affects them, and shed light on exactly how individuals are protected.
GDPR Frequently Asked Questions
What exactly is GDPR?
GDPR places limits on what businesses and organizations can do with the personal data they collect. It is the most far-reaching attempt to date to regulate the flow of personal data in the modern technology age.
The full text of the GDPR contains 99 articles and replaced the 1995 Data Protection Directive, which did not address many of today's key issues. It took four years of discussion and negotiation before its adoption by the European Parliament and the Council in April 2016, and a further two-year transition period before it became enforceable on 25 May 2018.
It is also important to understand the difference between a regulation and a directive. A regulation has binding legal force in every E.U. member state directly, without national implementing legislation. A directive requires member states to achieve a specified result but leaves it to each of them to decide how, by transposing it into national law, which is why compliance under the 1995 directive varied from country to country. The GDPR is a regulation.
What are the key GDPR requirements?
The purpose of the GDPR is to give data subjects more control over how their personal data is processed. This puts the responsibility on the companies that collect that data to protect it against loss, misuse, or exposure.
Data controllers must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification must describe the nature of the breach, the approximate number of subjects and records affected, the likely consequences, and the measures taken in response. Where the breach is likely to result in a high risk to individuals, the affected subjects must be informed as well.
Companies must also perform Data Protection Impact Assessments (DPIAs) for processing that is likely to result in a high risk to individuals. A DPIA identifies the risks to the personal data involved and the measures that will address them, and controllers must then review whether processing is actually being carried out as the assessment described, particularly when the risks change.
A data protection officer (DPO) must be appointed when an organization is a public authority, when its core activities involve regular and systematic large-scale monitoring of individuals, or when its core activities consist of large-scale processing of special categories of data, such as:
- A subject’s genetic data
- Health data, or a subject's racial or ethnic origin
- Religious beliefs
Data protection officers advise organizations on compliance issues and act as the contact point for the supervisory authority. The same test applies when this type of information concerns the organization's own employees, for example health data held by the human resources department.
Companies must follow these, and other requirements laid out by the regulation, or face fines.
Who Must Follow GDPR?
GDPR applies to any business or organization established in the E.U., as well as any organization outside the E.U. that offers goods or services to people in the E.U. or monitors their behaviour there. Because of this, most major corporations around the world need to comply.
GDPR splits those that handle data into two categories: controllers, and processors.
It defines a controller as a person, public authority, agency, or other body that determines the purposes and means of processing personal data. It defines a processor as any person, public authority, agency, or other body that processes personal data on behalf of the controller.
Controllers must make sure that any contract they enter into with a processor contains the terms the GDPR requires, such as processing personal data only on the controller's documented instructions. Processors must maintain records of the processing they carry out on each controller's behalf. The GDPR also makes processors directly liable for their own failures, which was not the case under the previous directive, so a breach at a processor can lead to fines for the processor as well as the controller.
What data is protected under GDPR?
In short, the GDPR protects personal data: any information that relates to an identified or identifiable person. This could be as basic as a list of names, or something less obvious such as IP addresses, cookie identifiers, or other information that could single someone out.
Companies need to consider whether an individual could be identified from the information they collect, on its own or in combination with other data. Pseudonymized data, where direct identifiers have been replaced by a token and the key that links the token back to the person is kept separately, is still personal data for the purposes of the GDPR, because anyone holding that key can re-identify the individual. Only data that has been genuinely anonymized, so that no one can re-identify the person by any reasonably likely means, falls outside the regulation. Inaccurate information about a person is still personal data.
Companies that handle these types of personal data and are either established in an E.U. country or offer goods and services to people there need to follow the GDPR.
GDPR for Individuals
Individuals are given a number of data rights under the GDPR. Among them are:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The rights around automated decision-making and profiling.
Full context for each of these rights can be found in the text of the GDPR (Articles 12 to 22). When data subjects believe any of these rights has been violated, they can complain to a supervisory authority or seek a judicial remedy, and the company may be fined.
GDPR for Businesses
There are several steps that businesses can take toward GDPR compliance, starting with reading the full text of the regulation. If you have questions after that, it is practical to consult the guidance published by your supervisory authority, or to reach out to a business you know is GDPR compliant. You can also read any documents online that help with interpreting the spirit of the GDPR.
It also helps to review and audit your own site regularly to ensure that it continues to meet the standard. This matters because companies post new content and change the third-party services on their sites all the time, and each newly embedded script or form can collect personal data. Tools that collect contact data, such as newsletter sign-ups and contact forms, deserve particular scrutiny.
Pay attention to all the data you collect. It must remain compliant in how it is entered, stored, moved, and deleted; in practice that means knowing, for each data set, what you hold, why you hold it, which lawful basis you rely on, who can access it, and when it is erased. Reviewing the data you collect is an important security step in its own right, and it can also improve organizational efficiency.
Following all these steps can help your business better maintain GDPR compliance.
GDPR Fines (and some famous examples)
The GDPR substantially increased the fines for non-compliance compared with the previous Data Protection Directive. Supervisory authorities (SAs) hold investigative and corrective powers: they can issue warnings, carry out audits, require improvements, order data erasure, or suspend transfers of data. All of these powers apply to both controllers and processors.
SAs also issue fines when companies are found to be out of compliance. The amount is set by the SA according to the nature, gravity, and duration of the infringement, and corrective orders can be issued with or without a fine. Fines come in two tiers: up to €10 million or 2 percent of worldwide annual turnover for breaches of obligations such as record-keeping, security, and breach notification, and up to €20 million or 4 percent for breaches of the core principles, data subject rights, or international transfer rules. In each tier, whichever amount is higher applies.
At the time this page was written, Google had paid the largest GDPR fine, €50 million, issued by the French data protection authority (CNIL) over the transparency and consent practices behind the information the company collects for personalized advertising. Google appealed the fine. Before that, the largest fine was €400,000 against a Portuguese hospital for inadequate access controls on patient records.
European watchdogs are investigating thousands of cases, so more notable fines could be added at any point.
GDPR and Cookies
The regulation recognizes that cookies which can be used to identify an individual, alone or combined with other identifiers, are personal data. That is why it is critical to use a program like CookieScript to understand and manage the personal information your site collects. Third-party scripts embedded in your pages can set cookies and collect information through your website, and even then you, as the site operator, remain responsible for GDPR compliance.
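As an added example (not from the original article, and not CookieScript's code), here is the kind of routine cookie and third-party audit that the "review and audit your own site" advice above and the cookie point here call for, run offline over a constructed capture: a page's HTML plus the Set-Cookie headers observed while loading it. The hosts, cookie names and values are invented, and the registrable-domain check is a deliberate simplification that a real audit would replace with the Public Suffix List.

```python
"""Offline cookie and third-party script inventory for a captured page.

All input below is constructed sample data; SITE_URL is an assumed first-party origin.
"""
import re
from urllib.parse import urljoin, urlparse

SITE_URL = "https://www.example.com/"  # assumed first-party origin

# Constructed page HTML: one first-party script, one on a first-party CDN subdomain,
# and a tracker on an unrelated domain that also loads a tracking pixel.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script async src="https://tracker.example-ads.net/pixel.js"></script>
</head><body><img src="https://tracker.example-ads.net/i.gif"></body></html>"""

# Constructed (response URL, Set-Cookie header) pairs seen while loading the page.
SAMPLE_SET_COOKIES = [
    ("https://www.example.com/", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.example.com/", "lang=en; Path=/; Max-Age=31536000"),
    ("https://tracker.example-ads.net/pixel.js",
     "_uid=9f3c7e; Domain=.example-ads.net; Max-Age=63072000; SameSite=None; Secure"),
]

# Matches the src attribute of script, img and iframe tags (good enough for the sample).
SRC_RE = re.compile(r"<(?:script|img|iframe)\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: real tooling must use the Public
    Suffix List so that e.g. 'bbc.co.uk' is not reduced to 'co.uk'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value-or-True})."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    attributes = {}
    for a in attrs:
        k, _, v = a.partition("=")
        attributes[k.strip().lower()] = v.strip() if v else True
    return name, value, attributes


def audit_cookie(source_url: str, header: str, site_url: str = SITE_URL) -> dict:
    """Classify one cookie: first/third party, persistence, lifetime, and hygiene issues."""
    name, _, attrs = parse_set_cookie(header)
    site_dom = registrable_domain(urlparse(site_url).hostname)
    dom = attrs.get("domain")
    cookie_host = dom.lstrip(".") if isinstance(dom, str) and dom else urlparse(source_url).hostname
    party = "first" if registrable_domain(cookie_host) == site_dom else "third"
    persistent = "max-age" in attrs or "expires" in attrs
    lifetime_days = None
    if isinstance(attrs.get("max-age"), str) and attrs["max-age"].lstrip("-").isdigit():
        lifetime_days = int(attrs["max-age"]) // 86400
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    if "samesite" not in attrs:
        issues.append("missing SameSite")
    if str(attrs.get("samesite", "")).lower() == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure (browsers reject it)")
    if party == "third" and persistent:
        issues.append("persistent third-party cookie: needs consent and a declaration entry")
    return {"name": name, "host": cookie_host, "party": party, "persistent": persistent,
            "lifetime_days": lifetime_days, "issues": issues}


def third_party_hosts(html: str, site_url: str = SITE_URL) -> list:
    """Hosts of embedded resources whose registrable domain differs from the site's."""
    site_dom = registrable_domain(urlparse(site_url).hostname)
    hosts = set()
    for src in SRC_RE.findall(html):
        host = urlparse(urljoin(site_url, src)).hostname
        if host and registrable_domain(host) != site_dom:
            hosts.add(host)
    return sorted(hosts)


def audit_page(html: str, set_cookies, site_url: str = SITE_URL) -> dict:
    """Full report: every cookie classified plus the third-party hosts the page pulls in."""
    return {"cookies": [audit_cookie(u, h, site_url) for u, h in set_cookies],
            "third_party_hosts": third_party_hosts(html, site_url)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_page(SAMPLE_HTML, SAMPLE_SET_COOKIES), indent=2))
```

Run against a real capture, the cookie list becomes the starting point for a cookie declaration, and any host in the third-party list that was not already on your processor inventory is a sign that someone added a script without a compliance review. Scripts that set cookies only after consent, or only from JavaScript (document.cookie), will not appear in Set-Cookie headers, so a header-only capture understates the picture; a browser-driven scan is needed for those.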
It’s important to state that using a software program like CookieScript does not guarantee that your site is GDPR compliant. Cookies are only one aspect of compliance, and there are many other factors that can determine your status. That said, CookieScript has many features that will help ensure that cookie usage on your site is GDPR compliant, including:
- Third-party script management
- Consent recording
- Monthly website scans
- Automatic cookie categorization
- Cookie declaration automatic update
- Translation into 34 languages
CookieScript is designed to be easy to operate, and it is constantly updated to keep up with evolving E.U. regulations. We pride ourselves on the ease of use of the program, so that you can quickly discover and implement any changes you need to make to bring your business in line with the regulation.