Information Center

What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) legislation updated and unified data protection and privacy laws across the European Union (EU). It replaced the 1995 EU Data Protection Directive.

The European Parliament approved the data protection act on April 14, 2016, but it went into effect on May 25, 2018. Hence, many people refer to GDPR as the data protection act of 2018.

The GDPR harmonized the data privacy laws of all 28 EU members and provided greater rights and protection to individuals. It came as EU consumers became increasingly concerned over data privacy.

An RSA Data Privacy & Security report revealed that 41% of consumers submit incorrect personal information to companies due to little faith in data privacy and fear of intrusive marketing. Another 90% of surveyed global consumers expressed concerns over losing, manipulating, and stealing their personal data.

Many describe the GDPR as data protection and privacy revolution rather than an overhaul of rights. The new directive focuses on keeping businesses transparent and expands consumers’ privacy rights (data subjects). For example, once a company detects a severe security breach, it must notify the supervising authority and all affected individuals within 72 hours.

GDPR mandates apply to all data that EU citizens produce, irrespective of whether or not the organization collecting the data is EU-based. It also affects everybody whose information is stored in the EU, including non-EU citizens. Additionally, it includes steep fines for companies breaching the rules.

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a data protection act with provisions that require businesses and organizations to protect EU citizens’ data and privacy for transactions occurring within EU member states. It also regulates how companies export personal data outside the EU.

The GDPR harmonized the individual member states’ data protection policies to develop a consistent set of 99 articles. As a result, many consider it the world’s strongest data protection standard that enhances how people can access their information and the limits organizations must adhere to when dealing with personal data.

GDPR requires companies and organizations that conduct large-scale data processing and data subject monitoring to have a data protection officer (DPO). The DPO becomes a figurehead responsible for the company’s data governance and compliance with GDPR.

Companies non-compliant with the GDPR rules face legal consequences, including a 20 million euros (or about $20.26 million) fine or 4% annual global turnover. Additionally, the DPO ensures the application of appropriate data protection principles to maintain personal data.

What is the Purpose of GDPR?

GDPR exists because of public concern over privacy. It replaced the 1995 EU Data Protection Directive enacted long before the internet became a modern online business hub. Therefore, the GDPR was necessary to replace the outdated directive that failed to address how companies collected, transferred, and stored data.

Today, the GDPR protects the EU population and their data to ensure organizations collecting and storing data do so responsibly. It mandates the safe maintenance of personal data and requires organizations to protect it against unauthorized or unlawful processing, damage, destruction, and accidental loss.

The GDPR also identifies reasons for collecting personal data and specifies that it should be for a particular and legitimate purpose, and organizations cannot use it beyond that intention. The regulation goes as far as to place limits on how much data organizations and businesses can collect. It stipulates that data collection is limited to what is necessary for the purposes for which an organization processes and uses the data.

Furthermore, the GDPR states that organizations collecting data should ensure its accuracy and update it as needed.

Companies cannot legally process a person’s personally identifiable information if they fail to meet the following set conditions:

  • Receive express consent of the individual (data subject)
  • Processing the data is necessary for compliance with legal obligations
  • Processing the data is needed for performing a contract with the individual or entering into a contract with them
  • Processing protects the individual’s or a third party’s interests
  • Processing is necessary for performing a public interest task or for exercising official authority vested in a controller
  • Processing is needed for legitimate interests pursued by a third party or the controller, except where the rights, freedoms, and interests of a data subject override those of the former

Who Does GDPR Apply To?

The purpose of imposing GDPR is to use a uniform EU data security law on member states so that individual members don’t need to write and enforce different data protection laws. Additionally, although the GDPR comes from the EU, it applies to global businesses outside the region.

For instance, it applies to a US-based company that does business in the EU and collects and handles the data of EU residents and citizens. A PWC survey showed that 92% of US-based companies consider GDPR data protection a priority.

Other specific compliance criteria for organizations include:

  • A presence in a European Union country
  • Entities that process EU residents’ data even if the company has no presence in the region
  • A company with over 250 employees
  • Companies whose data processing impacts the freedoms and rights of data subjects, and that may or may not include certain types of personal data, even if it has less than 250 employees

GDPR focuses a lot on personal data protection. Personal data is information that identifies a living person directly or indirectly. It could be something obvious like a name, location data, or a clear online username, or less apparent such as cookie identifiers or IP addresses.

GDPR also gives some categories of sensitive personal data greater protection, including information about:

  • Ethnic or racial origin
  • Religious beliefs
  • Biometric data
  • Political opinions
  • Genetic data
  • Health information
  • Sex orientation or sex life
  • Membership in trade unions

The crucial definition of personal data is anything that allows the identification of a person. It means pseudonymized data still falls under personal data in this broad context. Personal data is critical under GDPR because the law covers individuals, companies, and organizations that either process or control it.

The GDPR defines the following three roles:

  1. A data subject: The owner of personal data
  2. A data controller: Determines the type of personal data to collect and how to use it
  3. A data processor: Processes personal data for controllers

Controllers are the decision makers and exercise control over processing personal data and its purposes and uses. Sometimes there are joint personal data controllers, where two or more entities determine how to handle collected data. On the other hand, processors act on behalf of the relevant controllers under their instructions. Therefore, controllers have stricter regulations than processors.

How Does GDPR Protect Customers?

Users must consent to organizations and companies that wish to collect and use their personal data. In this case, personal data refers to information about a living, identified, or identifiable natural person, often called a data subject.

As stated above, personal data can include the following:

  • Name
  • Identification number (ID)
  • Location data
  • Information specific to the data subject’s physical, genetic, mental, economic, cultural, physiological, or social identity
  • Biometric data such as fingerprinting or facial imaging
  • Racial or ethnic information
  • Healthcare information
  • Union membership

GDPR requires companies and organizations to notify visitors to their online sites of the data they collect, such as cookies. They must also consent to give information by clicking on the agree button. For example, many sites have popup disclosures notifying visitors that the site collects cookies – small files holding personal information like site preferences or settings.

Websites must also notify visitors and users early of a breach of the personal data the company or site holds. These EU data protection requirements are often more stringent than those in other jurisdictions.

Other mandates include the assessment of the website’s data security and the requirement to have a data protection officer to carry out these and other functions. Also, the company must provide the contact information of the DPO and other relevant employees to ensure ease of access to exercise their GDPR rights. These include the right to have their personal data erased from the site, among other measures.

The GDPR further protects consumers by ensuring organizations and other collectors make collected personal data anonymous or pseudonymized to replace the identity with a pseudonym. These measures allow organizations to perform more extensive data analysis like assessing their customers’ average debt ratios, which goes above and beyond the requirements to evaluate a loan’s creditworthiness.

It’s worth mentioning that GDPR affects data other than that collected from customers. For example, the regulation applies to HR records of employees.

Requirements of the EU GDPR

The EU GDPR has 11 chapters and 91 articles. Below are some of the key articles that impact the security operations of organizations:

  • Articles 17 and 18 give data subjects control over automatically processed personal data. Therefore, they may easily transfer their data between different service providers (right to portability). They may also direct controllers to erase their data under certain circumstances (right to erasure).
  • Articles 23 and 30 require organizations to implement reasonable measures to protect personal data against exposure or loss.
  • Article 31 specifies single data breach requirements and includes notifying supervising authorities of breaches within 72 hours and giving specific details.
  • Article 32 requires a data controller to quickly notify data subjects of breaches when they risk affecting their rights and freedoms.
  • Articles 33 and 33a require organizations to perform detailed data protection impact assessments. It helps identify risks and suitable mitigation processes.
  • Article 35 stipulates the conditions necessitating the appointment of a data protection officer. For example, the size of a company and the nature of the personal data it collects may warrant the position of a DPO. Companies require a DPO if they collect personal information about their employees for HR purposes or collect sensitive data subjects’ information like generic data, health, ethnic origin, race, or religious beliefs.
  • Article 36 and 37 outline the position and responsibilities of the DPO position in ensuring GDPR compliance.
  • Article 45 extends and stipulates the data protection requirements for international companies collecting or processing the personal data of EU citizens. It subjects these entities to the exact requirements as EU-based ones.
  • Article 79 outlines the fines and penalties for GDPR non-compliance.

The Principles of GDPR

The GDPR has seven fundamental principles in the legislation’s Article 5. These principles guide how organizations handle people’s data. They are not complex rules to follow but an overreaching framework whose design lays out the purposes of GDPR.

Many principles are similar to those in the previous data protection laws. The seven principles are as follows:

  1. Lawfulness, fairness, and transparency: Ensures organizations inform data subjects how they will use their personal data.
  2. Purpose limitation: Organizations can only collect data for specific purposes
  3. Data minimization: Limits the data collected to what organizations require for specific processing.
  4. Storage limitation: Organizations will not retain collected data longer than needed.
  5. Accuracy and updates: Organizations collecting and processing data should ensure its accuracy and update it. They must also change or delete data upon the request of data subjects.
  6. Integrity and confidentiality: Organizations must apply appropriate security and protection measures to secure personal data against theft and unauthorized access.
  7. Compliance: Data collectors must comply with the GDPR.

What are the GDPR Rights for Individuals?

The above principles of the GDPR underlie the specific data subject rights under the data protection act. These include the following:

  • Right of access: Data subjects can access and review the data organizations store about them
  • Right to be forgotten: Users can request the erasure of their personally identifiable information from an organization’s storage. The latter can refuse requests if it demonstrates a legal basis for the decision
  • Right to object: Users can refuse permission to collect, process, or use their personal data. Again, the organization can ignore the refusal only after providing a sufficient legal reason for the decision
  • Right of portability: Users can access and transfer their data
  • Right to rectification: Users expect the correction of inaccurate data

GDPR Breaches and Fines

During a security breach affecting personal data, data controllers have 72 hours to notify the supervisory authority (public authority the EU member country designates to oversee GDPR compliance). Additional breach notification requirements include:

  • A reason for delaying notifying the designated supervisory authority
  • The minimum breach notifications include the nature of the breach, the types and number of data subjects’ compromised data, and the number of data records involved
  • Direct notification of the data breach to all victims through a general announcement
  • A detailed explanation of the possible consequences of the data breach and the measures to mitigate them
  • The data controller must document everything about the breach and the remedies applied before providing a copy to the supervisory authority for verification

The GDPR has a tiered approach for fining violators of its regulation. It has two levels of fines depending on the scope and type of infringement:

  1. The first penalty tier is 10 million euros or up to two percent of the company’s preceding financial year’s global annual turnover, whichever amount is higher.
  2. The second penalty tier is 20 million euros or four percent of the company’s preceding financial year’s global annual turnover, whichever amount is higher.

The biggest issue most companies focused on following the 2016 roll-out of GDPR was the ability of regulators to impose stiff financial fines for non-compliance. Regulators could fine businesses for any offenses, including failure to process personal data correctly, failure to have a data protection officer if required, or security breaches.

GDPR and Third-Party Data

GDPR has several regulations regarding third-party personal data – data from parties other than EU data subjects – and sharing personal data outside the region. The data protection act of 2018 stipulates that:

  • Data controllers must obtain permission to transfer personal data to an international organization or another country
  • Data controllers must provide detailed descriptions of data collected from sources other than data subjects and its origin

After the United Kingdom withdrew from the EU, it updated its data protection laws and now uses the Data Protection act of 2018. It stipulates that UK companies doing business with EU customers and organizations should comply with the GDPR.

It’s worth noting that the GDPR places equal liability on data processors and data controllers. It means that a non-compliant third-party processor affects an organization’s compliance status. The act also has strict requirements for reporting breaches in the chain.

Therefore, a controller’s existing contracts with processors like SaaS vendors, payroll service providers, or cloud providers and customers must spell out the responsibilities. The agreement must also have consistent processes for managing, collecting, protecting, storing data, and reporting breaches.

How to Ensure GDPR Compliance

So how does a company ensure GDPR compliance? The regulations describe responsible data management’s expected results but do not specify technical measures to achieve that goal. Below are some best practices to ensure GDPR compliance:

  • Always ask data subjects before collecting personal data
  • Only collect the data required since organizations are responsible for all the data collected regardless of whether or not they use it
  • Encrypt data at rest and in flight
  • Don’t share data with other entities without the consent of users and approval of supervisory authorities
  • Keep at least two updated and secure backups of all personal data in separate off-site locations
  • Invest in the tools and capability to easily edit or delete specific data items, verify all actions, and document everything
  • Read the GDPR and understand all the requirements
  • Look at what other organizations are doing and how the GDPR affects their operations, and learn from them

Eliminate Data Governance Gaps with Veritas

Digital transformation has redefined the regulatory rules governing businesses globally. US businesses are now subject to several cybersecurity compliance regulations due to the nature of their business, such as GDPR and the California Consumer Privacy Act (CCPA).

Many communication platforms and online operating environments have made compliance administration demanding and costly. Therefore, businesses are looking for effective, affordable ways to remain compliant while boosting productivity and expanding operations.

Veritas’ integrated portfolio of data compliance capabilities synthesizes intelligence across different data sources to streamline access, ensure compliance, deliver insights, support analysis, and minimize organizational risk.

The Veritas integrated approach to compliance and enterprise data management turns big data into actionable insights. Additionally, our Data Insight Integration’s reporting and visualization features allow users to classify at-risk data, engage data owners, and rescind access to sensitive personal data to improve data compliance and decision-making.

Moreover, the Veritas Integrated Classification Engine eliminates dark data challenges of data security and compliance. As a Gartner Magic Quadrant Leader, we lead the market in enterprise information archiving. Users can archive and retrieve their data to and from anywhere.

Veritas offers an integrated product portfolio second-to-none in the market. A comprehensive and robust technology ecosystem backs it, with no other provider coming close to the scale and versatility that Veritas Enterprise Data Services provides.

 

Veritas customers include 98% of the Fortune 100, and NetBackup™ is the #1 choice for enterprises looking to back up large amounts of data.

 

Learn how Veritas keeps your data fully protected across virtual, physical, cloud and legacy workloads with Data Protection Services for Enterprise Businesses.