GDPR: A Quick Overview

GDPR is all about protecting personal data – and it’s not just changing the landscape of regulated data protection law, but the way that companies collect and manage personal data.

The GDPR is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD: adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, and strengthening rules for data minimization.

It’s important to note that the EU GDPR covers personal data. It’s what we in the US would call personally identifiable information (PII). Think names, addresses, phone numbers, account numbers, and more recently email and IP addresses.

One way to describe the GDPR is that it simply legislates a lot of common sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.

What are the new requirements?

  • Privacy by Design – Privacy by Design (PbD) has always played a part in EU data regulations. By with the new law, its principles of minimizing data collection and retention and gaining consent from consumers when processing data are more explicitly formalized.
  • Right to Erasure and To Be Forgotten – There’s been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still controversial right to stay out of the public view and “be forgotten”.
  • Extraterritoriality –  The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects — for example, through a website—then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
  • Breach notification – A new requirement not in the existing DPD is that companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to notified but only if the data poses a “high risk to their rights and freedoms”.
  • Fines – The GDPR has a tiered penalty structure that will take a large bite out of offender’s funds. More serious infringements can merit a fine of up to 4% of a company’s global revenue. This can include violations of basic principles related to data security — especially PbD principles. A lesser fine of up to 2% of global revenue — still enormous — can be issued if company records are not in order or a supervising authority and data subjects are not notified after a breach. This makes breach notification oversights a serious and expensive offense.

Overall, the message for companies that fall under the GDPR is that awareness of your data—where is sensitive data stored, who’s accessing it, and who should be accessing it—will now become even more critical.