ABC's of GDPR (General Data Protection Regulation)
So, what exactly is the GDPR, you ask? The GDPR is a European data protection law that regulates the collection, storage, and processing of personal data on EU residents. The GDPR builds on the 1995 European Data Protection Directive, which each EU member state transposed into its own data protection laws. Those laws will be superseded by the GDPR to allow a consistent standard for data protection across the EU. The GDPR aims to strengthen individuals’ direct control over the usage, retention, and movement of their personal data. In addition to increased privacy for individuals, the GDPR gives regulatory authorities greater power to take action against organizations that breach the new laws.[1]
This raises the question: who is responsible for complying with the GDPR? The answer: any organization that collects, stores, manages, or processes the personal data of an EU resident—no matter where the organization is geographically located. Simply put, if you handle EU personal data, you must comply with the GDPR.[2]
Let’s take a look at what organizations have to consider as they bring their operations into compliance with the GDPR. Organizations must keep in mind the seven principles at the heart of this regulation.[3]
- Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.[4] Personal data must always be processed under a lawful basis and in a manner compatible with the intended use/purpose.[5] The data subject must also be made aware of her rights.[6]
- Purpose limitation: Personal data shall be collected for specified, explicit, and legitimate purposes. Personal data can only be used for the particular purpose for which it was obtained. If subsequent processing is contemplated, then the organization may need to go back to the data subject to obtain her consent.[7]
- Data minimization: Personal data collected shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Personal data should not be stored for an excessive period of time.
- Accuracy: Personal data shall be accurate and, where necessary, kept up to date with regard to the specific purposes for which it is processed.
- Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. When personal data is no longer necessary, it should be erased.
- Integrity and confidentiality: Personal data shall be processed in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.[8]
- Accountability: An organization shall be responsible for complying with these principles, and must be able to show that policies are in place to ensure that processing is performed in accordance with them.[9]
Rights of the Individual
By subjecting organizations to the principles above, the GDPR ensures that the following individual rights are conveyed to EU residents:[10]
- Right to be informed: Organizations must be transparent about how personal data is collected and processed, as well as the intended purposes for use. They must also inform customers of their rights and how to exercise them.
- Right of access: Individuals have the right to access and review their data, which must be facilitated through business processes or technical means.[11]
- Right to erasure: Individuals have the right to request the removal of all personal data, provided that no compelling reason exists to retain such data.[12]
- Right to restrict processing: Individuals have the right to request that an organization stop processing their data for specific purposes.[13]
- Right to data portability: Individuals have the right to copies of all stored data in a machine- and human-readable, portable format. They may also request transfer of their data to another organization.[14]
- Right to rectification: Individuals have the right to correct information that they believe is incomplete or inaccurate.[15]
- Right to object: Individuals have the right to object to the use of their data.[16]
- Rights regarding automated decision making: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling.[17]
As you can see, the GDPR endeavors to standardize and strengthen residents’ data protection rights across the EU. While the aim is EU resident-focused, the impact is much more global, as the majority of companies are changing the way they handle data, whether it is collected from an EU resident or not. Regardless of the data protection strategies companies are considering, the message from the EU is loud and clear: protect the personal data and privacy of EU residents or else face harsh penalties—the higher of 20 million EUR or 4% of annual global revenue.[18]
While it’s easy to focus on the severity of non-compliance, the GDPR is beneficial to both businesses and customers. The GDPR is a catalyst for new business opportunities. By collecting, reviewing, and analyzing the personal data of their customers, organizations can enhance their marketing activities and improve customer engagement. Additionally, and more importantly, customers can be more confident knowing that the organizations with whom they share their information will protect their personal data and respect their privacy at all times.
Notes
- [1] EU GDPR Information Portal, EU GDPR Portal, https://www.eugdpr.org/ (last visited Apr 21, 2018).
- [2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, 2016 O.J. L 119/1, art. 3, at 32.
- [3] Id. art. 5, at 35; rec. 39, at 7; Alan Mac Kenna, GDPR for Developers - Data Subject Rights, Serve IT Solutions (2018), https://www.serveit.com/gdpr-for-developers-data-subject-rights/ (last visited Apr 21, 2018); Jessica Lam, Principles for the Processing of Personal Data under the GDPR, Law Infographic (2017), http://www.lawinfographic.com/principles-processing-personal-data-gdpr/ (last visited Apr 21, 2018).
- [4] A ‘data subject’ is an identified or identifiable natural person. General Data Protection Regulation, supra note 2, art. 4, at 33.
- [5] There are six bases for the lawful processing of personal data: consent, performance of a contract, compliance with a legal obligation by law, protection of a vital interest, public interest/official authority by law, and legitimate interest. Id. art. 6, at 36.
- [6] Id. rec. 58, at 11; rec. 60, at 12.
- [7] The GDPR allows for the subsequent processing of personal data for purposes other than the initial purpose for collection where the subsequent processing is compatible with the initial purpose. Id. rec. 50, at 9.
- [8] Id. art. 32, at 51.
- [9] Id. art. 24, at 47.
- [10] GDPR Goes Into Effect 25 May 2018. Are you prepared?, Direct Law and Personnel, https://www.dlp.org.uk/gdpr/ (last visited Apr 21, 2018).
- [11] General Data Protection Regulation, supra note 2, art. 15, at 43.
- [12] Id. art. 17, at 43.
- [13] Id. art. 18, at 44.
- [14] Id. art. 19, at 45.
- [15] Id. art. 20, at 45.
- [16] Id. art. 21, at 45.
- [17] Id. art. 22, at 46.
- [18] Id. art. 83, at 46.