Email, workplace productivity applications, messaging, file-sharing services, social media, banking and healthcare applications — more and more people are entrusting their private and sensitive data to cloud services. At the same time, data breaches and security incidents are becoming more frequent and more sophisticated.
Many security compliance frameworks are focused on data protection, keeping data safe from hackers and breaches. But the General Data Protection Regulation (GDPR) is just as concerned about data privacy. Its objectives are to keep data safe while giving people more power over who can process their personal data and why.
GDPR is a landmark piece of legislation with far-reaching impact. It has already inspired similar data privacy laws around the world, most notably the California Consumer Privacy Act (CCPA). With so much focus being placed on both data protection measures and data privacy, organizations all over the world must stay aware of these regulations so they can remain compliant and avoid significant fines.
This article covers the basics of GDPR and compliance to help you understand the essentials of the law and how it applies to your business and customers.
What is GDPR & what does it stand for?
GDPR stands for the General Data Protection Regulation. It is a law passed by the European Union (EU) to establish data privacy and security laws for the European Economic Area, which includes all EU countries plus Iceland, Liechtenstein, and Norway.
Although it was drafted and passed by the EU, it applies to any organization that targets or collects data from EU residents.
GDPR is known for cracking down on violations with steep fines: the most serious infringements can be penalized with up to €20 million or 4% of an organization's worldwide annual turnover, whichever is higher.
What is the purpose of GDPR?
The purpose of GDPR is to protect the personal data and privacy of EU residents.
Although GDPR was passed just a few years ago, its roots stretch back to the 1950s. The European Convention on Human Rights of 1950 states that everyone has a fundamental right to privacy.
As the internet became more prominent, the EU began to recognize the need for more modern protections. It passed the European Data Protection Directive in 1995, which established some baseline data privacy and information security standards. Each EU member state implemented its own law based on those guidelines.
Then in the late 2000s and early 2010s, the EU recognized the need for a more comprehensive solution and began considering ways to update the 1995 directive.
GDPR was passed by the European Parliament in 2016 and went into effect on May 25, 2018.
While GDPR is EU law, it applies to any organization, wherever it is established, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behavior.
What is GDPR Compliance?
If an organization falls within the scope of GDPR, the organization must satisfy the requirements for properly processing personal data of EU residents.
Key requirements include:
- Establishing a legal basis for data processing: Organizations must have a valid legal basis for collecting and processing personal data, such as the data subject's consent, performance of a contract, compliance with a legal obligation, or a legitimate interest that is not overridden by the individual's rights.
- Obtaining valid consent and informing data subjects: Where consent is the legal basis, it must be freely given, specific, informed and unambiguous (and explicit for special categories such as health data), and it must be as easy to withdraw as it was to give. Separately, organizations must tell data subjects how their data is processed, usually in a clearly written privacy notice.
- Implementing technical and organizational safeguards: Organizations must implement measures appropriate to the risk so that personal data is handled securely. Safeguards may include logical access controls, encryption or pseudonymization of personal data, regular testing of those measures, and recurring security and privacy awareness training.
- Sending breach notifications: In the event of a personal data breach, organizations must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must also inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them.
- Appointing a data protection officer (if applicable): Certain organizations, such as public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, are required to appoint a data protection officer to oversee the organization's data protection strategy and its implementation.
- Honoring data subject rights: Data subjects have certain rights under GDPR, including the right to be informed, the right of access, the rights to rectification and erasure, the right to data portability, and the right to object.
Ultimately, these obligations outlined by GDPR limit how organizations can use personal data and provide individuals more autonomy over who can process their personal data and why.