The General Data Protection Regulation (GDPR) is a comprehensive data protection law that was adopted by the European Union (EU) in 2016 and became enforceable on 25 May 2018. Its primary objective is to give individuals greater control over their personal data and to harmonize data protection rules across the EU member states. GDPR applies both to EU-based organizations and to non-EU organizations that process the personal data of individuals in the EU. It has extraterritorial reach: even a company located outside the EU must comply if it offers goods or services to people in the EU or monitors their behaviour.
GDPR places significant responsibilities on organizations that collect and process personal data. Every processing activity needs a lawful basis; consent is one of six such bases (alongside contract, legal obligation, vital interests, public task and legitimate interests), and where consent is relied on it must be freely given, specific, informed and unambiguous, with explicit consent required for special categories of data. The regulation also grants individuals the right to access their data, correct inaccuracies, and request its deletion. Organizations must implement appropriate security measures to safeguard personal data and must report qualifying data breaches to the supervisory authority within 72 hours of becoming aware of them.
GDPR revolves around personal data, which encompasses information enabling direct or indirect identification of individuals. This includes obvious identifiers such as names and locations, as well as less evident ones such as IP addresses and cookie IDs. Additionally, sensitive personal data, such as racial or ethnic origin, political opinions, and health information, receives heightened protection under GDPR.
Individuals, organizations, and companies acting as 'controllers' or 'processors' of personal data are subject to the law. Controllers, as the main decision-makers, determine the purposes and means of data processing, while processors act solely on the controller's documented instructions. Joint controllership arises when two or more entities jointly determine those purposes and means.
At the core of GDPR are the key principles laid out in Article 5 of the legislation, which govern how people's data may be handled: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. They are stated at a high level rather than as detailed technical requirements, but they are not merely aspirational: infringement of the Article 5 principles falls in the higher of the two fine tiers. The principles are largely the same as those that existed under previous data protection laws.
The way to comply with the security requirements (Article 32 speaks of "appropriate technical and organisational measures") is to implement both kinds of control. Technical measures range from enforcing multi-factor authentication for access to personal data, to pseudonymisation and encryption of data at rest and in transit, to logging and regularly testing the effectiveness of the controls; choosing a cloud provider is not itself a control, so the provider's encryption, key management and access arrangements still have to be verified. Organizational measures include staff training, incorporating data privacy policies into employee handbooks, and restricting access to personal data to the personnel who need it (least privilege), reviewed as roles change.
In case of a personal data breach, the controller must notify the supervisory authority within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals; a processor must notify its controller without undue delay. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Article 34). That second notification may be waived if the data was protected by measures, such as encryption, that render it unintelligible to anyone without authorised access, which is one practical reason to encrypt personal data with keys that are not stored alongside it.
Moreover, Article 25 of GDPR mandates "data protection by design and by default." This means building data protection into the design of new products or activities from the outset, taking into account the state of the art and the risks of the processing, rather than adding it afterwards. For instance, when launching a new app, collect only the data fields the feature actually needs, make the most privacy-protective settings the default, and apply current security practice to safeguard the personal data that is collected.
Non-compliance with GDPR can result in substantial fines. Article 83 sets two tiers depending on the nature and severity of the violation. The first tier can reach up to €10 ($10.9) million or 2% of the organization's global annual turnover, whichever is higher, and covers obligations such as security of processing and breach notification. The second tier can go up to €20 ($21.8) million or 4% of global annual turnover, whichever is higher, and covers infringements of the core principles, the lawful-basis and consent rules, data subjects' rights, and international transfers. These fines can have a significant financial impact on organizations and serve as a strong deterrent to ensure compliance with the regulation.
GDPR also affects global companies that store and process data in the cloud. Cloud service providers and organizations that utilize cloud services must ensure that the cloud infrastructure meets the security and privacy requirements mandated by GDPR.
Companies need to assess the jurisdiction in which their data is stored and transferred, because Chapter V of GDPR permits transfers outside the EU only to countries covered by an adequacy decision or under appropriate safeguards such as standard contractual clauses or binding corporate rules; storing or replicating data in a cloud region that falls outside those arrangements can itself be a violation. Organizations must therefore choose cloud providers that offer appropriate safeguards, such as encryption with customer-controlled keys, access controls, audit logging, and a commitment to notify the customer of breaches without undue delay. Additionally, the contract with the cloud provider must be a data processing agreement meeting the requirements of Article 28, covering the subject matter and duration of processing, the provider's duty to act only on documented instructions, confidentiality, sub-processor approval, assistance with breach notification and data subject requests, and deletion or return of the data at the end of the service.