Boiling the GDPR down to basics sounds too good to be true, but we did it.
The world has changed drastically over the last three years, but a few things remain on our radar. Brexit is still progressing, Harry and Meghan continue to be household names, and the GDPR continues to impact global businesses. Thankfully, kids eating Tide Pods was just a blip.
So to celebrate this very special, slightly belated birthday, let’s get into the basics of GDPR.
What Is GDPR?
The General Data Protection Regulation (GDPR) became law within the E.U. on May 25, 2018. It was created to give E.U. citizens more control over their personal data. Under GDPR, companies must ensure that personally identifiable information (PII) is collected legally and that the data is appropriately managed and safeguarded. Almost everything we do as individuals and enterprises involves collecting and analyzing personal data. The GDPR aims to give people the power to protect their PII while telling organizations how to comply.
Basically, GDPR is for businesses and citizens, so everyone in the European Union can fully benefit from the digital economy.
Who Does the GDPR Apply To?
Your name, address, credit card number and more are constantly collected, analyzed and stored by organizations. The GDPR covers that kind of data and impacts many businesses, regardless of what they sell, their size or their location. GDPR applies to all organizations operating within the E.U. and organizations working outside the E.U. that provide goods or services to customers or organizations within the E.U. So if you’re an American company like Google or a hotel an E.U. citizen wants to stay at, you need to abide by GDPR rules. And hefty fines find their way to organizations that don’t comply.
The Basics of GDPR Compliance
The GDPR defines personal data as any information related to a natural person (data subject) that can directly or indirectly identify that person. It’s everything from names, photos, email addresses, banking info, social posts, medical history, and even I.P. addresses.
It’s pretty broad. So companies must take documented steps to limit access to all PII to only authorized individuals. If your company collects banking information, only job roles that specifically require access to that data should be able to access it.
The documented steps need to cover the following.
Consent
The GDPR specifically prohibits the use of rambling, confusing terms and conditions statements. Legalese is bad! Queen’s English is preferred, or whatever language you speak. The phrasing just needs to be clear. Each time data is used for new purposes, a new request for consent is required. And, it must be as easy to withdraw consent as it is to give it!
Breach Notification
Companies have 72 hours after discovery to notify all data subjects of a security breach. Methods include email, phone calls and public announcements.
Right to Access
All E.U. citizens have the right to understand how their information is used. How is their data being processed? Where is it being processed? Why is it being processed? And companies have to provide this, for free, promptly.
Right to Be Forgotten
Since PII belongs to the people, companies will erase all personal data when requested by individuals. And the company will cease further distribution of the data.
Privacy by Design
Companies will process only the data essential for the completion of their business. For example, suppose your company collects banking information. In that case, only job roles that specifically require access to that data should access it.
Data Protection Officers
Enterprises need to designate a Data Protection Officer (DPO) to oversee the application of the GDPR. They protect personal data from misuse, unauthorized access and other security breaches.
Regardless of size, an organization must appoint a DPO if:
- The organization is a public authority or body.
- The organization’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The organization’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offenses.
7 Principles of GDPR
The GDPR has seven fundamental principles. They’re the building blocks for solid data protection and the key to your GDPR compliance.
- Lawfulness, fairness and transparency. People need to understand what, how, and why you’re processing their data. It’s theirs, after all.
- Purpose limitation. You should only collect data for precise, specified, and legitimate purposes. It cannot be used in secondary ways that clash with your original intentions.
- Data minimization. Only collect the data you need, which makes sense because of the purpose limitations.
- Accuracy. Data must be accurate and up to date. Inaccurate and outdated data should be erased or corrected.
- Storage limitation. If data can be linked to individuals, it can only be kept for as long as you need to carry out the specified purposes. There are some exceptions for scientific, statistical, or historical research use, but we’re not diving that deep in this blog.
- Integrity and confidentiality (i.e., security). The personal data you hold is processed securely and protected from unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Accountability. You’re responsible for the data you hold and should be able to demonstrate your compliance with the GDPR.
How to Demonstrate GDPR Compliance
Organizations complete self-directed GDPR assessments. Accountability is one of the data protection principles. You’re responsible for complying with the GDPR, and you must be able to demonstrate your compliance. To help, you can apply for certification, but it’s voluntary.
Timelines for implementation vary between processors and controllers. They are impacted significantly by company structure, but the process can take anywhere from six to 36 weeks.
What do E.U. citizens do if they think their personal data protection rights are abused? There are three options.
- Lodge a complaint with the national Data Protection Authority (DPA)
- Take legal action against the company or organization
- Take legal action against the DPA
The Information Commissioner’s Office (ICO) is another route to go. The ICO is the U.K.’s independent body set up to uphold information rights. Their role is to defend information rights in the public interest.
GDPR fines are expensive! The GDPR states explicitly that some violations are more costly than others. Less severe infringements can result in a penalty of up to €10 million or two percent of the firm’s worldwide annual revenue from the preceding financial year. More severe violations result in a fine of up to €20 million, or four percent of the firm’s worldwide annual revenue from the preceding financial year. Regardless of the severity, they’ll always wallop you with whichever amount is higher.
Over three years, there have been 661 GDPR fines issued. The largest was against search engine giant Google for €50 million. The smallest was a mere €28 to a small company out of Hungary. What did Google do wrong? It didn’t correctly disclose to users how it collected data across its search engine, Google Maps, and YouTube to present personalized ads. Google may be based in the United States, but it collects information from E.U. residents. Companies, regardless of location, need to comply with the regulations of the GDPR when dealing with E.U. citizens.
British Airways ($230 million) and Marriott ($124 million) were also issued some of the most significant GDPR fines. British Airways received a penalty following a data breach and Marriott failed to carry out due diligence after acquiring a company that wasn’t compliant.
Is GDPR Compliance the Same as the California Consumer Privacy Act (CCPA)?
The CCPA is also celebrating a birthday! The comprehensive privacy law was enacted in California in June 2018 and became effective January 1, 2020. The CCPA grants Californians the power to protect their PII similarly to GDPR. Like most birthday buddies, they have a lot in common. Similarities include the right to data deletion and data portability, giving people control over how companies use their personal data online.
However, the GDPR and CCPA are not the same. There are some key differences. One of the biggest is that the CCPA only regulates companies doing business in California based on their annual gross revenues and/or how much data they process and sell. GDPR does not consider that and applies to all businesses that deal with E.U. citizens.
How Tugboat Logic Can Help with GDPR Compliance
This blog is just the basics of GDPR. Like an actual three-year-old, GDPR is constantly growing and evolving, making compliance obligations a little tricky.
Tugboat Logic can help you out! Our software automates GDPR compliance to get you up and running quickly and cost-effectively, so you can focus on what you do best. And if you have any questions, our team of ex-auditors and security veterans is happy to help.