The General Data Protection Regulation (GDPR) is the most stringent privacy legislation on the planet. Created and enacted by the European Union (EU), the GDPR imposes obligations on any business worldwide that targets or collects data relating to people in the EU (in similar fashion to the recent Chinese PIPL legislation).
The Basics
The legislation, which went into effect in May of 2018, applies to any company operating in the EU, as well as those outside of the EU that provide goods or services to clients or businesses in the EU. It levies harsh fines against violators, with penalties reaching into the tens of millions of euros.
The GDPR is particularly daunting as far as international cybersecurity law goes, because its requirements are broad and far-reaching in scope, yet not very specifically defined. Compliance proves especially tricky for small and medium-sized enterprises.
The 1950 European Convention on Human Rights guaranteed the right to privacy to all Europeans, and it’s paved the way for continuous evolutions in privacy laws since it was created. The GDPR is the most recent evolution in European cybersecurity legislation, following explosive developments in the technology sector and an exponential increase in personal internet use (like the advent of online banking, Facebook, and widespread email accounts).
The GDPR defines a variety of legal terms specifically, including:
- Personal data: Any information that relates to an individual who can be directly or indirectly identified
- Data processing: Any action performed on data, whether automated or manual
- Data subject: The person whose data is processed (customers or site visitors)
- Data controller: The person who decides why and how personal data will be processed
- Data processor: A third party that processes personal data on behalf of a data controller. There are special rules for these individuals and organizations.
Under the GDPR, data controllers must take a risk-based approach to data security. They must identify and assess the risks to the personal data they collect and process, and they must implement appropriate technical and organizational measures to mitigate those risks.
Core Concepts
The GDPR establishes several core concepts, each with its own definition. The following are some key principles as they’re outlined in the legislation:
Accountability
Data controllers must be able to demonstrate their compliance with the GDPR. There are a variety of methods to accomplish this, including:
- Assigning data security responsibilities to members of your team.
- Keeping good records of all data you collect, how it’s used, where it’s kept, who’s in charge of it, and so on.
- Training your employees and putting in place technological and organizational security measures.
- Having data processing agreements in place with third parties who you contract to handle data for you.
- Appointing a designated Data Protection Officer (DPO).
Data Security
Businesses are required to secure data by using adequate technical and organizational precautions. Technical measures can include anything from requiring your workers to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that employ end-to-end encryption as a security measure.
Organizational precautions entail things like employee training seminars, creating a data privacy policy in an employee handbook, or restricting access to personal information to only those workers in your organization who require it.
You have 72 hours to notify data subjects after a data breach, or you may be fined. This notification requirement may be waived if you employ technological safeguards, such as encryption or tokenization, to render stolen data useless.
Protection By Design and By Default
Under the GDPR, everything you do in your company must, “by design and by default,” consider data security. Essentially, this means that any new product or service must be designed in accordance with the GDPR’s standards.
Launching a new app? Plan ahead and build in protections for any personal data the app might collect from users; do your best to minimize data collection in the first place, then secure what you do collect with the tightest measures possible.
When You’re Allowed to Process Data
There are only certain circumstances in which it’s legal to process personal data in the first place. Don’t do it unless you can justify it with one of the following criteria:
- You obtained explicit, clear consent from the data subject to process their data. (e.g. They’ve opted into your marketing email list.)
- Processing is required to execute or prepare for a contract in which the data subject is a party. (For example, before hiring someone, you’ll need to do a background check.)
- You must process the data to comply with a legal obligation. (e.g. You receive an order from the court in your jurisdiction.)
- You must process the data in order to save someone’s life.
- You must process the data to carry out a public service or execute an official responsibility.
- You have a legitimate reason to use other people’s personal information. This is the most adaptable lawful basis, but the data subject’s fundamental rights and freedoms will always take precedence over it.
Once you’ve determined the legal basis for your data processing, you must record and notify the data subject. Transparency is key. If you want to change your justification, you must have a solid basis for doing so, document it, and notify the data subject.
Consent
The GDPR overhauled prior rules about what constitutes consent from a data subject to process their info. Consent under the GDPR must meet the following guidelines:
- “Freely given,” “specific,” “informed,” and “unambiguous” are the key terms used for defining consent.
- Consent must be “clearly distinguishable from the other matters” and communicated in “clear and plain language.”
- Consent can be withdrawn at any time, and you must honor the data subject’s decision.
- Children under the age of 13 may give consent only with the knowledge and permission of a parent.
- You must keep documentary proof of consent.
Data Protection Officers
Despite popular opinion, not every data controller or processor needs to appoint a Data Protection Officer. You are, however, required to employ a DPO if any of the following three circumstances apply:
- You are a public entity other than a court performing judicial functions.
- Your core operations require regular and systematic monitoring of people on a large scale.
- Your core activities include large-scale processing of data falling within the GDPR’s special categories (Article 9), or data concerning criminal convictions and offenses (Article 10).
Even if you are not required to do so, you may choose to designate a DPO for a number of reasons. A competent DPO will have a comprehensive understanding of the GDPR (and other similar legislation) and how it applies to the company, advising personnel regarding their obligations, offering data protection training sessions, conducting audits and monitoring GDPR compliance, and serving as a liaison with regulators.
For companies large enough and with enough resources to hire one, a DPO is a smart move as cybersecurity legislation is only getting more and more stringent.
People’s Privacy Rights
And, as all good data protection legislation should, GDPR promises individuals (aka “data subjects”) greater control over the data they share with businesses.
The following is a summary of data subjects’ privacy rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Enforcement
As noted in the beginning of this article, the GDPR is mainly enforced through the imposition of fines, edging into the hundreds of millions of euros.
Organizations found to be in violation of the regulation also suffer the resulting reputational damage.
The GDPR has certainly introduced its fair share—possibly more—of hurdles for businesses to overcome, but it almost surely won’t be the last of its caliber. Cybersecurity legislation is the new norm, and as our lives become increasingly intertwined with and reliant on technology and online data communication, legislation to protect individuals’ identity and security will only evolve to be tighter and more effective.
And, as we say in the US, “Ignorance is no defense.” So, it’s best to become familiar with the regulations now. The sooner you do, the less likely you are to face penalties down the road.