General Data Protection Regulation

From Canonica AI

Overview

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

A picture of a document titled 'General Data Protection Regulation'

Historical Context

The GDPR was adopted on 14 April 2016, and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, but does provide flexibility for certain aspects of the regulation to be adjusted by individual member states.

The regulation builds upon many of the 1995 Directive's requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations. The full text of the GDPR, including its recitals, is approximately 260 pages long.

Principles

The regulation contains provisions and requirements related to the processing of personally identifiable information of individuals (data subjects) inside the European Union, and applies to all enterprises, regardless of location, that do business with the European Economic Area. Business processes that handle personal data must be built with privacy by design and by default: personal data must be stored using pseudonymisation or full anonymisation, and systems must use the highest-possible privacy settings by default, so that the data is not made publicly available without explicit consent and cannot be used to identify a subject without additional information that is stored separately.

Rights of the Data Subject

The regulation enumerates several rights of the data subject. These include the right to access, the right to be forgotten, the right to data portability, and the right to object. In addition, the data subject has the right to withdraw consent at any time, and the right to lodge a complaint with a supervisory authority.

Obligations of Controllers and Processors

Controllers and processors of personal data must put in place appropriate technical and organisational measures to implement the data protection principles. Business processes that handle personal data must be designed and built around privacy principles and must incorporate safeguards to protect the data (Data Protection by Design and by Default). Data controllers must design information systems with privacy in mind: for instance, by using the highest-possible privacy settings by default, by not releasing customer data publicly without the customer's consent, and by obtaining valid consent before processing personally identifiable information (PII).

Penalties

Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines: for example, a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning that cloud service providers will not be exempt from GDPR enforcement.

Impact

The GDPR has had a broad impact on businesses and service providers around the world. It has led to a significant reevaluation and restructuring of enterprise data management, and dramatic shifts in the way businesses operate within the European Union and interact with European customers. New roles, such as Data Protection Officer, have been created to ensure compliance with the regulation.
