In 2012, the European Commission sought to reform data privacy across the European Union (EU) and adapt to the technological age. After years of deliberation, the European Parliament published the General Data Protection Regulation (GDPR) to replace outdated privacy-related laws from 1995. Two years later, GDPR became law.
What is GDPR?
GDPR is a set of laws that outlines the digital rights of EU citizens relating to their personal information. In a nutshell, the GDPR’s primary goals are to:
- Give consumers more control over their private data
- Allow people to understand how companies use consumer data
- Ensure companies protect such data
- Set standardized laws across all countries in the EU
Companies that break the GDPR’s laws can face fines of up to €10 million, or 4% of the company’s annual global turnover, whichever is higher. This means that high-revenue companies must fork over large sums if caught breaking the rules.
So far, the most significant GDPR fine has been €50 million, issued after the French data protection watchdog CNIL accused Google of processing people’s data for advertising.
What is the reach of GDPR legislation?
GDPR applies to every business within the EU and every business outside of the EU that has EU citizens as customers. This means that companies with global reaches – such as social media, streaming platforms, e-commerce, and most internet-related firms – all must comply with GDPR laws.
The GDPR specifies several company roles that are responsible for handling data:
- Data controllers specify how and why data is processed. Duties include notifying authorities of data breaches, ensuring third parties comply with GDPR, and providing personal data records when consumers ask for them.
- Data processors are, as their name would suggest, the ones responsible for processing the data. They answer to controllers and notify the controllers if they spot a data breach. GDPR holds data processors to high standards, and the blame ultimately falls upon them for breaches and rule-breaking.
- Data protection officers (DPOs) are responsible for overseeing GDPR compliance and security measures. Companies must appoint a DPO if they handle large amounts of data, are a public authority, or process data in a way that’s “particularly far-reaching for the rights of the data subjects.”
The GDPR does allow some exemptions, such as:
- Data processed for purely household and personal matters
- Government and legal bodies using data to fight or prevent crime
- Activities that fall outside EU laws
What data does GDPR protect?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person.”
This definition includes all the obvious choices – names, addresses, phone numbers, social security numbers, and more – but also contains IP addresses, genetic data, biometric data, political opinions, and social media posts. It doesn’t matter if the data is public and only makes indirect references – GDPR still applies.
With this in mind, GDPR mandates that companies adhere to “privacy by design” – all technologies and systems must have built-in data protection. For example, GDPR encourages pseudonymization – replacing private data with artificial identifiers. With pseudonymization, a person’s name is translated into a random-looking code of characters. Anyone who steals such data won’t be able to decipher the codes.
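The following Python is an added illustration of how keyed pseudonymization works; it is not code from the original article or from StartMail. Direct identifiers (name, email) are replaced with HMAC-SHA256 tokens derived from a secret key. The same person always gets the same token, so records stay linkable for processing, while the stolen dataset alone reveals no names. The sample records, the key handling and the function names are assumptions for the example; the design point is that the key must be stored separately from the pseudonymized data, because whoever holds both can re-link identities.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictional people), as a stand-in for a customer table.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "plan": "premium"},
    {"name": "Bob Example", "email": "bob@example.com", "plan": "free"},
    {"name": "Alice Example", "email": "alice@example.com", "plan": "premium"},
]


def pseudonymize_value(value: str, key: bytes, length: int = 16) -> str:
    """Replace one direct identifier with a keyed token.

    HMAC-SHA256 under a secret key: identical inputs give identical tokens
    (records about one person remain linkable), but without the key the
    token cannot be turned back into the original value. Input is
    normalized so 'Alice Example ' and 'alice example' map to one token.
    """
    normalized = value.strip().lower().encode("utf-8")
    mac = hmac.new(key, normalized, hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymize_record(record: dict, key: bytes, fields=("name", "email")) -> dict:
    """Return a copy of the record with the identifying fields tokenized.
    Non-identifying attributes (here 'plan') are kept for analysis."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = pseudonymize_value(out[field], key)
    return out


def lookup_identifier(token: str, known_values, key: bytes):
    """Controller-side re-linking: given the key and its own list of known
    identifiers (e.g. to answer a subject access request), find which value
    produced the token. Without the key this lookup is impossible, which is
    exactly why the key lives apart from the dataset."""
    for value in known_values:
        if hmac.compare_digest(pseudonymize_value(value, key), token):
            return value
    return None


def pseudonymize_dataset(records, key: bytes):
    """Tokenize every record in a dataset with one key."""
    return [pseudonymize_record(r, key) for r in records]


if __name__ == "__main__":
    # Generate a fresh key; in a real deployment it would sit in a key vault,
    # never alongside the exported dataset.
    key = secrets.token_bytes(32)
    for row in pseudonymize_dataset(RECORDS, key):
        print(row)
```

Run as a script it prints the tokenized rows; note that the two "Alice" records share a token under one key, and that re-keying the export (a new `key`) produces unrelated tokens, so two leaked exports cannot be joined on the pseudonyms without the keys.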
Companies must also report data breaches to the relevant authorities or face hefty fines. Consumers affected by such violations can request compensation from the company.
What individual rights does GDPR grant?
GDPR empowers users by ensuring companies do their best to protect sensitive data. A few of these rights include the right to access, the right to be informed, and the right to be forgotten.
The right to access
As mentioned earlier, consumers can request an electronic copy of personal data from a company’s data controller. Companies must provide such data within one month. Those who ignore a user’s access request may face fines.
The right to be informed
“The right to be informed” means that consumers have a right to know:
- How companies use their data
- How long companies will retain such data
- Whom the companies will share data with
Companies must provide this information in a way that is clear, accessible, and easy to understand.
The right to be forgotten
One of GDPR’s significant rules is the consumer’s “right to be forgotten.” This gives people the right to request that organizations delete their data. Users can exercise this right under a few different circumstances, including:
- The data is now unnecessary for the company
- The organization needs the user’s ongoing consent to use the data
- The organization uses the data for marketing practices without the user’s consent
- The company processed the data illegally
- The company must delete the data to comply with the law
The organization can sometimes override the user’s request, such as when the data is used in the public interest or for legal reasons.
How do companies remain GDPR compliant?
The GDPR’s rules are incredibly comprehensive, and some companies might have trouble maintaining compliance. As a general guideline, your company should:
- Appoint a DPO. The DPO doesn’t have to be a new, dedicated position; you can appoint someone already within the company, or consider hiring an outside DPO who is well-versed in GDPR law.
- Create a plan to protect data. Most companies already have an idea, but it’s essential to have a set of ground rules.
- Periodically review security measures. Make sure there are no gaps in your security plan, and regularly test for weaknesses that attackers could exploit.
- Employ a “zero trust” policy. Nobody inside or outside the organization should be trusted with data by default. This policy means that nobody has access to anything without proper verification.
- Only give employees access to the information they need. One of the best ways to prevent data breaches is to ensure that employees don’t have access to unnecessary files. According to a Varonis report, 53% of companies had over 1,000 private files that every employee could access.
StartMail is headquartered in the Netherlands. All users (not just European citizens) are protected by strong Dutch and EU privacy laws, including GDPR!
Protect your email privacy – use StartMail! Try StartMail for free with a 30-day Trial Account.