The General Data Protection Regulation (GDPR) is the European Union's data protection and privacy law. Widely regarded as the world's strictest privacy law, it applies to organizations that process personal data relating to people in the EU, including organizations outside the EU that target them. The European Parliament and Council adopted GDPR in April 2016, and it became enforceable on 25 May 2018, by which date every organization in scope had to comply.
The EU introduced GDPR to replace the 1995 Data Protection Directive (95/46/EC), which predates the modern internet, and to "harmonize" data protection rules across Europe, strengthening the rights of individuals and raising the bar for how organizations handle personal data. GDPR is the result of more than four years of work, from the Commission's proposal in January 2012 to adoption in 2016, and builds on the Directive's data protection principles while modernizing them for current technology.
Consisting of 99 articles (plus 173 recitals) across 88 pages of the Official Journal, GDPR is a weighty text that intimidates even seasoned compliance professionals. Keep reading for a practical, digestible overview of what it requires.
Who and what does GDPR apply to?
Although it is an EU law, GDPR applies regardless of where an organization is located. It covers any organization established in the EU that processes personal data, and any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour (Article 3). The test is whether the data subjects are in the EU, not whether they are EU citizens. Personal data is any information that can be used, directly or indirectly, to identify a living person: names and addresses, but also online identifiers such as email addresses, IP addresses and cookie identifiers.
Some categories of personal data are deemed more sensitive and receive additional protection: processing them is prohibited unless one of the specific exceptions in Article 9 applies. These special categories cover information revealing or concerning:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade union membership
- Genetic data, and biometric data used to uniquely identify a person
- Health
- Sex life or sexual orientation
Organizations or individuals that handle the personal data of people in the EU fall into one of two roles:
- Controllers determine the purposes and means of processing personal data and carry the primary responsibility for compliance. Where two or more controllers jointly determine the purposes and means, they are joint controllers and must agree on how they share their obligations.
- Processors process personal data on behalf of, and on the documented instructions of, a controller (a cloud hosting provider or payroll service, for example). They have fewer direct obligations than controllers, but GDPR still binds them directly: they must secure the processing, keep records of it, notify the controller of personal data breaches without undue delay, and may only engage sub-processors with the controller's authorization. The same organization can be a controller for some data and a processor for other data.
What are the principles of GDPR?
GDPR sets out seven principles governing the processing of personal data (Article 5). Processing is defined broadly: any operation performed on personal data, whether or not automated, including collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction. The principles are:
- Lawfulness, fairness, and transparency – Organizations must have a lawful basis for each processing activity, must not use data in ways people would not reasonably expect, and must be clear, open, and honest with data subjects about who they are, what they collect, how they process it, and why.
- Purpose limitation – Data may be collected only for "specified, explicit, and legitimate purposes" and may not be further processed in a way incompatible with those purposes.
- Data minimization – Organizations may collect only data that is adequate, relevant, and limited to what is necessary for those purposes.
- Accuracy – Organizations must keep data accurate and, where necessary, up to date, taking reasonable steps to correct or erase data that is inaccurate or incomplete.
- Storage limitation – Data may not be kept in a form that identifies people for longer than necessary for the purposes for which it was collected.
- Integrity and confidentiality (security) – Organizations must apply appropriate technical and organizational measures to protect data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, whether the threat is internal or external.
- Accountability – The controller is responsible for compliance with the other six principles and must be able to demonstrate it, for example through records of processing activities, documented policies, and data protection impact assessments.
What are the user's rights under GDPR?
GDPR grants data subjects a set of rights (Articles 12 to 22) that give them greater control over how organizations use their data. They are:
- The Right to be Informed – Individuals have the right to be told, in clear and plain language, who is collecting their data, for what purposes and on what lawful basis, with whom it is shared, how long it is kept, and what rights they have; in practice this is the privacy notice provided at the point of collection. Separately, organizations must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and must notify the affected individuals directly when the breach is likely to result in a high risk to their rights and freedoms.
- The Right of Access – Individuals can obtain confirmation that their data is being processed, a copy of that data, and information including the purposes of processing and the recipients to whom it has been disclosed. Organizations must respond within one month (extendable by up to two further months for complex or numerous requests) and, as a rule, free of charge.
- The Right to Rectification – Data subjects can have inaccurate data corrected and incomplete data completed. Organizations must act within one month.
- The Right to Erasure (the "right to be forgotten") – Individuals can require deletion of their data in defined circumstances: for example, when it is no longer needed for the purpose it was collected for, when they withdraw the consent the processing relied on, or when it was processed unlawfully. The right is not absolute; it does not apply where the organization has an overriding legal obligation to keep the data.
- The Right to Restrict Processing – Individuals can require an organization to stop using their data while continuing to store it, for example while a dispute over its accuracy is resolved.
- The Right to Data Portability – Where processing is based on consent or on a contract and is carried out by automated means, individuals can receive the data they provided in a structured, commonly used, machine-readable format, and can have it transmitted directly to another controller where technically feasible.
- The Right to Object – Data subjects can object to processing based on legitimate interests or on public-interest grounds, which must then stop unless the organization shows compelling legitimate grounds that override the individual's interests. The right to object to processing for direct marketing is absolute: once someone objects, marketing to them must stop.
- Rights related to Automated Decision-Making – Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects for them or similarly significantly affects them (an automated credit refusal, for example). Where such decisions are allowed under one of the limited exceptions, individuals can demand human intervention and contest the decision.
What are the consequences of GDPR non-compliance?
Failing to comply with GDPR can result in serious financial and reputational damage. Administrative fines come in two tiers (Article 83): up to 10 million euros or 2% of worldwide annual turnover for the preceding financial year for infringements of controller and processor obligations such as inadequate security or failure to notify a breach, and up to 20 million euros or 4% of worldwide annual turnover for the most serious infringements, such as breaching the processing principles, data subjects' rights, or the rules on international transfers; in each case the higher of the two amounts applies. Data subjects may also claim compensation from the controller or processor for material or non-material damage caused by an infringement (Article 82), and public opinion of an organization is likely to nose-dive in the wake of a GDPR enforcement decision.
GDPR is among the world's most stringent privacy and data protection laws. It standardizes and modernizes data protection across Europe and gives individuals more control over their information. It applies to any organization, regardless of location, that processes the personal data of people in the EU. Non-compliance can result in fines, legal proceedings, and lasting reputational damage.
Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.