GDPR stands for the General Data Protection Regulation. It's the main legislation governing digital privacy for individuals in the European Union. The GDPR was enacted on May 25, 2018.
As early as 2012, the Council of the European Union was discussing extending privacy regulations to better protect the rights of individuals. The attention to this matter was born from several factors, including the growing number of data breaches across the globe and negative attention corporations and other entities received due to how they treated people's data.
Prior to the GDPR, the European Union was not completely without regulation as regards data use and privacy. In October of 1995, the European Parliament had issued a data protection directive that most nations and European businesses used to inform data procedures.
As the need for more stringent regulation became apparent, EU leaders entered into talks. The discussion and subsequent creation of the GDPR lasted approximately four years. In 2016, the EU published the GDPR for public and business awareness, providing organizations with time to implement any changes necessary to comply. At the time, EU leaders framed the new legislation as a step up from the old directive, noting that companies already in compliance with the old requirements would only need to extend their existing practices to meet the GDPR.
The GDPR, which has some fairly sweeping requirements, was implemented in May 2018. Organizations were expected to be in compliance at that time.
Any company or organization that collects or manages people's data and operates within an EU country must be compliant with the GDPR. Furthermore, the GDPR calls for any organization that markets to, sells to, or does business with customers who live in the EU to also comply.
The GDPR covers all the members of the European Union. Those nations include:
Some other areas are also covered by the GDPR, including the European Economic Area members Norway, Liechtenstein, and Iceland, as well as dependent European territories such as the Azores, Martinique, and Saint Martin.
When the GDPR was implemented, the UK was part of the EU and governed by its privacy regulations. Knowing that it would leave the EU within a few years, the UK created its own Data Protection Act 2018. It largely mirrors the GDPR, so that few changes were needed once Brexit took full effect. That means organizations in other countries doing business with consumers in the UK must follow requirements similar to those that apply to consumers in EU states.
The GDPR regulates how organizations collect, manage, and use personal data and sensitive personal data:
The GDPR requires that companies and other organizations comply with its 99 articles and protect the eight rights it lays out for individuals. Those include the right to:
The burden of protecting these rights falls on the organizations, and a business doesn't even need a single customer in a European Union state to fall afoul of the GDPR. Any organization that may market to individuals in these states or collect any data from those consumers is on the hook for this compliance.
For example, if a website has a newsletter and solicits individuals to sign up with their names and email addresses, it's collecting personal data. If the site doesn't restrict access via geo-location, it's possible that someone in one of the EU states or territories could sign up for this newsletter, making the GDPR relevant.
For any organization where this is a possibility, GDPR compliance is not optional. The fines mandated under the legislation can be stiff: organizations found out of compliance might face fines of up to 20 million euros. In some cases, the fines are calculated as a percentage of global turnover, which can amount to even more.
Whether you're selling and marketing to a global audience — or one with a geo-location in the EU — or you're just running an online site for worldwide users, the GDPR is worth learning about. It affects organizations of all sizes, from small and mid-size companies to enterprises to global nonprofits.