close

GDPR

What does GDPR stand for?

The General Data Protection Regulation (GDPR) is the European Union's flagship data protection (i.e. data privacy) law. It is comprehensive, expansive and far-reaching, and sets a global high bar for protecting the privacy rights and freedoms of individuals. Since its commencement in May of 2018 it has inspired a series of global legislative reforms. The GDPR applies to any organization that processes the personal data of Europeans in any capacity and from any jurisdiction. Understanding and abiding by the GDPR's core principles and broadly applicable obligations has become a necessary focal point for organizations around the world, as the failure to comply with its requirements can result in administrative fines of up to 2 - 4% of global profits.

Right to Privacy

Considered a modern extension of the right to privacy, as established in 1950 via the European Convention on Human Rights, and the natural evolution of the 1995 EU Data Protection Directive. The GDPR was created to specifically address rapid advancements in Internet technology and the resulting rise of Big Tech and 'big data' in the 2010s.  The GDPR is complemented by and strengthens the EU ePrivacy Directive, a specialized pan-European law focused on online privacy, digital marketing and the confidentiality of electronic communications. Notably, the ePD applies to the use of cookies and similar tracking technologies for which the GDPR requires opt-in consent.

GDPR Requirements for Organizations

In one sense, the GDPR can be heralded as a triumph for basic human rights, but in another it can represent an obstacle, particularly for small to medium sized organizations hoping to remain in compliance with its various articles. The GDPR itself is a sprawling, principle-based body of law that must be carefully interpreted. Its potential applications and implications for specific businesses are numerous, and is difficult to navigate without qualified legal advice.

The GDPR's hallmark feature are its definitions of "personal data" (PD) and "special category data" (SPD). "Personal data" expands the notion of personally-identifiable information (PII) to include online and mobile identifiers; demographics, behaviors, characteristics and interests that can be compiled and analyzed for insights. "Special category data" is a specially protected subset of PD that includes categories like precise location information, uniquely identifiable biometric and genetic data, racial and ethnic origins, and religious or political beliefs.

If an organization processes any of this data concerning European residents, the GDPR applies. Further, it is not enough for an organization to say they comply -- the GDPR requires demonstrable compliance

GDPR Principles

While complex, the GDPR's compliance requirements are grounded in a set of foundational privacy principles, which are:

  1. Processing must be lawful, fair, and transparent. 
  2. Organizations must adhere to a purpose limitation, and may only process data for specific and legitimate purposes that have been explained in clear terms to the individual before processing.
  3. All processing must be carried out in the interest of data minimization, collecting and processing no more data than is necessary for the specified purpose.
  4. Organizations must maintain the accuracy of all data within its control, and keep up to date documentation of all processing activities.
  5. Organizations must adhere to strict storage limitations, and may only store personal data for as long as is appropriate for the specified purposes of processing. 
  6. All actions must be performed in the interest of integrity and confidentiality, ensuring all personal data in an organization’s control is ultimately secure, and encrypted when necessary. 
  7. Organizations must accept accountability and are responsible for being in compliance with all the above principles. 

These principles and related organizational obligations are complemented by a set of itemized, enforceable Rights of the Data Subject (i.e. privacy rights). These have been expanded and strengthened from the original Data Protection Directive and comprise the rights of Access, Correction, Deletion, Portability, Objection and Restriction concerning their data -- and how it is used. Individuals may not be discriminated or retaliated against for exercising their privacy rights, and organizations are bound to a set of operational requirements for honoring Data Subject Requests (DSRs).

New protections for personal data come with new responsibilities for those in a position of control over its colletion and use, and organizations should remain diligent, seeking assistance and outside resources wherever necessary to ensure full compliance in all circumstances.

Resources

Information Commissioner’s Office - https://ico.org.uk/

Brief overview of GDPR via - https://gdpr.eu/what-is-gdpr/

2022 The Privacy and Ecommerce Report
Learn More