What Is GDPR?
GDPR stands for the General Data Protection Regulation. It is the main legislation governing digital privacy for individuals in the European Union. The GDPR came into force on May 25, 2018.
A Brief History of the GDPR
As early as 2012, the Council of the European Union was discussing extending privacy regulations to better protect the rights of individuals. Several factors drove this attention, including the growing number of data breaches across the globe and the negative publicity corporations and other entities received over how they treated people's data.
Prior to the GDPR, the European Union was not completely without regulation as regards data use and privacy. In October of 1995, the European Parliament had issued a data protection directive that most nations and European businesses used to inform data procedures.
As the need for more stringent regulation became apparent, EU leaders entered into talks. The discussion and subsequent creation of the GDPR lasted approximately four years. In 2016, the EU published the GDPR for public and business awareness, giving organizations time to implement any changes necessary to comply. At the time, EU leaders framed the new legislation as a step up from the old directive, noting that companies already in compliance with the old requirements would only need to extend their existing practices to meet the GDPR.
The GDPR, which has some fairly sweeping requirements, was implemented in May 2018. Organizations were expected to be in compliance at that time.
Do Companies Outside of Europe Need to Worry about the GDPR?
Any company or organization that collects or manages people's data and operates within an EU country must be compliant with the GDPR. Furthermore, the GDPR requires any organization that markets to, sells to, or does business with customers who live in the EU to comply as well.
What Countries Are Covered by the GDPR?
The GDPR covers all the members of the European Union. Those nations include:
- Czech Republic
- the Netherlands
Some other areas are also covered by the GDPR, including the European Economic Area members Norway, Liechtenstein, and Iceland, as well as dependent European territories such as the Azores, Martinique, and Saint Martin.
When the GDPR was implemented, the UK was part of the EU and governed by its privacy regulations. Knowing that it would leave the EU within a few years, the UK created its own Data Protection Act 2018. It largely mirrors the GDPR, minimizing the changes needed once Brexit took full effect. That means other countries doing business with consumers in the UK will have to follow requirements similar to those for consumers in EU states.
What Data Is Covered By the GDPR?
The GDPR regulates how organizations collect, manage, and use personal data and personal sensitive data:
- Personal data is defined as any piece of information that can be used to identify someone. Names, addresses, phone numbers, email addresses, usernames, IP addresses, and government ID numbers are common forms of personal data. Pseudonymised information is also covered if the individual could still be identified from it.
- Personal sensitive data is less structured and can include information such as political views, religious beliefs, genetic information, and sexual orientation.
Some Main Obligations Under GDPR
The GDPR requires that companies and other organizations comply with its 99 articles and protect the eight rights it lays out for individuals. Those include the right to:
- Be made aware of data collection practices as they occur, such as the cookies that are collected when someone visits a website.
- Access personal information given to a company, including obtaining, on request, a copy of what personal information an organization holds about the individual. This right can't be exercised in a way that impedes the rights of others, though.
- Correct mistakes in personal data recorded by a company, such as incorrect names, dates of birth, or financial records.
- Withdraw consent for data to be collected or processed, even after original consent was provided.
- Request that certain data processing be restricted, though this is limited by a set of conditions.
- Receive information about automatically processed data under certain conditions.
- Object to the processing of data for several covered reasons.
- Not be subject to decisions made solely on the basis of profiling or other automatic data processes.
The burden for protecting these rights falls on the organizations, and a business doesn't even need a single customer in a European Union state to fall afoul of the GDPR. Any organization that may market to individuals in these states or collect any data from those consumers is on the hook for this compliance.
For example, if a website has a newsletter and solicits individuals to sign up with their names and email addresses, it's collecting personal data. If the site doesn't restrict access via geo-location, it's possible that someone in one of the EU states or territories could sign up for this newsletter, making the GDPR relevant.
For any organization where this is a possibility, GDPR compliance is not optional. The fines mandated under the legislation can be stiff. Organizations found out of compliance might face fines of up to €20 million. In some cases, the fines are calculated based on global turnover, which can amount to even more.
Whether you're selling and marketing to a global audience — or one with a geo-location in the EU — or you're just running an online site for worldwide users, the GDPR is worth learning about. It affects organizations of all sizes, from small and mid-size companies to enterprises to global nonprofits.