What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the EU regulation that updated and unified data protection and privacy law across the European Union, introducing rules with far-reaching implications for businesses and individuals alike. It replaced the separate national laws of the member states (28 when it was adopted, 27 since the United Kingdom left) with a single set of 99 articles that strengthen individual rights and protections, reflecting EU residents' growing concern over data privacy.

An RSA Data Privacy & Security report revealed that 41% of consumers submit incorrect personal information to companies due to little faith in data privacy and fear of intrusive marketing. Another 90% of surveyed global consumers expressed concerns over organizations losing, manipulating, and stealing their personal data.

GDPR Overview

Many industry experts describe the GDPR as a data protection and privacy revolution rather than a mere update of existing rights: the regulation focuses on keeping businesses transparent and expanding consumers' privacy rights. For instance, once a company becomes aware of a personal data breach, it must notify the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals, and it must inform the affected individuals themselves without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

Common questions about the GDPR include who it applies to and whether it affects companies of every size. It applies to organizations of all sizes that process the personal data of people in the EU, regardless of where the organization is based, and it protects data subjects in the EU regardless of their citizenship. It also carries steep fines for organizations that breach its rules.

Understanding GDPR requirements is critical for businesses to ensure compliance and avoid hefty fines. Basic facts about the regulation include:

  • Its provisions require businesses and organizations to protect the personal data and privacy of people in the EU, whether the organization is established in the EU or merely offers goods or services to, or monitors the behaviour of, people there.
  • It regulates how companies export personal data outside the EU.
  • Many consider it the world’s strongest data protection standard, enhancing how people access their information and the limits organizations must adhere to when dealing with personal data.

GDPR requires public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, to designate a data protection officer (DPO). The DPO is not a figurehead: the role is an independent point of accountability that monitors compliance, advises on data protection obligations, and serves as the contact point for data subjects and the supervisory authority.

Companies that fail to comply face administrative fines of up to 20 million euros (about $22 million) or 4% of annual global turnover, whichever is greater.

What is the Purpose of GDPR?

The General Data Protection Regulation exists because of public concern over privacy. It replaced the 1995 EU Data Protection Directive (95/46/EC), enacted long before the internet became the hub of modern business. The outdated directive did not address how companies now collect, transfer, and store data, and, being a directive, it was implemented differently in each member state; a regulation applies directly and uniformly.

Today, the GDPR protects people in the EU and their data by ensuring that organizations collecting and storing it do so responsibly. It uses the term personal data, which is broader than the US notion of personally identifiable information (PII), and requires organizations to protect it against unauthorized or unlawful processing, damage, destruction, and accidental loss. A ransomware or malware incident that encrypts, destroys, or exfiltrates personal data is therefore a personal data breach in GDPR terms, not merely an IT outage. Examples of personal data include:

  • Names and addresses.
  • Social Security, passport, driver’s license, taxpayer identification, and patient identification numbers, as well as financial accounts or credit card numbers.
  • Identifying characteristics like handwriting, fingerprints, or other biometric data.
  • Telephone numbers.
  • Birthplace.
  • Medical, educational, and employment information.
  • Internet or network activity.

It also identifies reasons for collecting personal data and specifies that it should be for a particular and legitimate purpose, and organizations cannot use it beyond that intention. The regulation goes as far as to place limits on how much data organizations and businesses can collect. It stipulates that data collection is limited to what is necessary for the purposes for which an organization processes and uses the data.

Furthermore, the GDPR states that organizations collecting data should ensure its accuracy and update it as needed.

Processing personal data is lawful only if at least one of the following conditions (the lawful bases in Article 6) is met:

  • The data subject has given consent, which must be freely given, specific, informed, and unambiguous.
  • Processing is necessary for compliance with a legal obligation.
  • Processing is necessary to perform a contract with the individual or to take steps at their request before entering into one.
  • Processing is necessary to protect the vital interests of the individual or of another person.
  • Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests, rights, and freedoms of the data subject.

Who Does GDPR Apply To?

The purpose of the GDPR is to apply one uniform data protection law across the member states so that each member does not need to write and enforce its own. Although it is EU law, it also binds businesses outside the region that offer goods or services to people in the EU or monitor their behaviour.

For instance, it applies to a US-based company that sells to EU residents or tracks their online activity and therefore collects and handles their data. A PwC survey showed that 92% of US-based companies consider GDPR data protection a priority.

In practical terms, the regulation applies to:

  • Any organization with an establishment in an EU country that processes personal data in the context of that establishment.
  • Any organization that processes the personal data of people in the EU, even with no presence in the region, when it offers them goods or services or monitors their behaviour.

Company size does not determine applicability. The only size-based relief is in Article 30: organizations with fewer than 250 employees are exempt from keeping formal records of processing activities, unless their processing is not occasional, is likely to result in a risk to data subjects, or involves special categories of data or criminal conviction data.

GDPR focuses heavily on personal data protection. Personal data is information that identifies a living person directly or indirectly. It could be something obvious like a name, location data, or an online identifier such as a username, or less apparent, such as cookie identifiers or IP addresses.

It gives the "special categories" of personal data listed in Article 9 greater protection. These include information about:

  • Ethnic or racial origin
  • Religious or philosophical beliefs
  • Biometric data used to uniquely identify a person
  • Political opinions
  • Genetic data
  • Health information
  • Sexual orientation or sex life
  • Membership in trade unions

The crucial point is that personal data is anything that allows a person to be identified, directly or indirectly. Pseudonymized data, where identifiers have been replaced by tokens but the organization still holds the key needed to re-link them, therefore remains personal data; only data that has been genuinely anonymized, with no reasonable means of re-identification, falls outside the regulation. The definition matters because the law binds every individual, company, or organization that controls or processes such data.

The GDPR defines the following three roles:

  1. A data subject: The identified or identifiable natural person the personal data relates to.
  2. A data controller: Determines the type of personal data to collect and how to use it.
  3. A data processor: Processes personal data for controllers.

Controllers are the decision makers: they determine the purposes and means of processing personal data. Sometimes there are joint controllers, where two or more entities together determine how collected data is handled. Processors, on the other hand, act on behalf of controllers and on their documented instructions. Controllers therefore carry the heavier obligations, although processors have direct duties of their own, such as securing the data, notifying the controller of breaches without undue delay, and not engaging sub-processors without authorization.

How Does GDPR Protect Customers?

Organizations that wish to collect and use personal data need a lawful basis for doing so; for many consumer-facing uses that basis is the user's consent, which must be an affirmative, informed choice that can be withdrawn as easily as it was given. Here, personal data means any information relating to a living, identified, or identifiable natural person, the data subject.

As stated above, personal data can include the following:

  • Name
  • Identification number (ID)
  • Location data
  • Information specific to the data subject’s physical, genetic, mental, economic, cultural, physiological, or social identity
  • Biometric data such as fingerprinting or facial imaging
  • Racial or ethnic information
  • Healthcare information
  • Union membership

It requires companies and organizations to tell visitors to their websites what data they collect, including data gathered through cookies, and why. Where consent is the basis for that collection, it must be given by a clear affirmative action such as clicking an agree button; pre-ticked boxes or merely continuing to browse do not count. That is why many sites show popup disclosures explaining that the site sets cookies, small files that can hold personal data such as identifiers, preferences, or settings.

Websites must also notify users without undue delay of a breach of their personal data when the breach is likely to result in a high risk to them. These EU data protection requirements are often more stringent than those in other jurisdictions.

Other mandates include assessing the risks of the processing (a data protection impact assessment is required where processing is likely to result in a high risk) and, in the cases described above, designating a data protection officer. The organization must publish the DPO's contact details and tell data subjects how to exercise their GDPR rights, including the right to have their personal data erased.

It further protects consumers by encouraging organizations to anonymize or pseudonymize personal data. Pseudonymization replaces direct identifiers with a token and keeps the information needed to reverse it (typically a key or lookup table) separately; the regulation names it as an appropriate safeguard for data protection by design and for security of processing. The measure reduces the exposure of data used for analysis. For example, an organization can compute its customers' average debt ratio over pseudonymized records without analysts ever seeing who the customers are, while the creditworthiness check on a particular loan still runs against the identified record.
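The two points above, that pseudonymized data supports per-subject analysis and that keyed tokens remain personal data for whoever holds the key (see also the note on pseudonymization in the section on who GDPR applies to), can be shown in code. The following Python is an added example and is not from the original article or from Arctera; the records, e-mail addresses and guess list are constructed, and the function names are ours. It contrasts an unkeyed SHA-256 token, which anyone can recompute from a guess list, with an HMAC token whose key is the "additional information" that Article 4(5) requires to be kept separately.

```python
"""Keyed pseudonymization versus naive hashing (added example, constructed data)."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample records; not real people.
RECORDS = [
    {"email": "alice@example.com", "balance": 1200, "debt": 300},
    {"email": "bob@example.com", "balance": 800, "debt": 900},
    {"email": "Alice@Example.com", "balance": 1250, "debt": 280},
]

# Identifiers an attacker could plausibly guess or scrape (constructed).
GUESS_LIST = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256 of an e-mail address. It looks pseudonymous, but any
    party can recompute it from a guess list, so it offers little protection."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 token. Without the key the token cannot be recomputed;
    with it, the holder can link tokens back to people."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes, fields=("email",)):
    """Return copies of the records with direct identifiers replaced by keyed
    tokens. The key must be stored apart from the output (Art. 4(5))."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            new[field] = keyed_token(rec[field], key)
        out.append(new)
    return out


def average_debt_ratio(pseudo_records):
    """Per-subject analysis over pseudonymized data: the token is stable for
    a given person, so records can be grouped without seeing the e-mail."""
    ratios = defaultdict(list)
    for rec in pseudo_records:
        ratios[rec["email"]].append(rec["debt"] / rec["balance"])
    return {token: sum(v) / len(v) for token, v in ratios.items()}


def guess_identity(token: str, guesses, key: Optional[bytes] = None):
    """Dictionary attack: recompute candidate tokens and compare. Without the
    key only the unkeyed scheme is attackable; with the key (i.e. acting as
    the controller) keyed tokens link straight back to a person, which is why
    pseudonymized data is still personal data."""
    for guess in guesses:
        candidate = naive_token(guess) if key is None else keyed_token(guess, key)
        if hmac.compare_digest(candidate, token):
            return guess
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this in a separate store from the data
    pseudo = pseudonymize(RECORDS, key)
    print(average_debt_ratio(pseudo))
    print(guess_identity(naive_token("alice@example.com"), GUESS_LIST))  # recovered
    print(guess_identity(pseudo[0]["email"], GUESS_LIST))                # None
    print(guess_identity(pseudo[0]["email"], GUESS_LIST, key))           # recovered by key holder
```

Two design points matter in practice: the identifier is normalized (trimmed, lower-cased) before hashing so that the same person always maps to the same token, and the token comparison uses `hmac.compare_digest` rather than `==`. The attack on the unkeyed scheme is exactly what a rainbow table or a breach dump of known e-mail addresses enables, so an unkeyed hash of an identifier should not be treated as pseudonymization at all.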

It’s worth mentioning that GDPR affects data other than that collected from customers. For example, the regulation applies to HR records of employees.

Requirements of the EU GDPR

The EU GDPR has 11 chapters and 99 articles. Below are some of the key articles that affect the security operations of organizations:

  • Article 3 sets the territorial scope: the rules apply to organizations established in the EU and to organizations outside it that offer goods or services to, or monitor, people in the EU, which subjects them to the same requirements as EU-based ones.
  • Article 5 lays down the data protection principles, and Article 6 the lawful bases for processing.
  • Articles 17 and 20 give data subjects the right to have their data erased under certain circumstances (right to erasure) and to receive it in a structured, machine-readable format so they can move it between service providers (right to portability).
  • Article 25 requires data protection by design and by default, and Article 32 requires technical and organizational measures appropriate to the risk, naming pseudonymization, encryption, resilience, and regular testing of controls as examples.
  • Article 28 sets the contractual and due-diligence requirements for using processors, and Article 30 the records of processing activities.
  • Article 33 requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, with specified details, and requires processors to notify their controllers without undue delay.
  • Article 34 requires the controller to communicate a breach to affected data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms.
  • Article 35 requires a data protection impact assessment for processing likely to result in a high risk, to identify risks and suitable mitigations; Article 36 requires prior consultation with the supervisory authority when the residual risk stays high.
  • Articles 37 to 39 stipulate when a data protection officer must be designated and the position and tasks of the role. A DPO is required for public authorities, for organizations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those whose core activities involve large-scale processing of special categories such as genetic data, health data, ethnic origin, race, or religious beliefs. Routine HR processing of employee records does not by itself trigger the requirement.
  • Articles 44 to 49 govern transfers of personal data outside the EU.
  • Article 83 sets out the administrative fines for non-compliance.

The Principles of GDPR

Article 5 of the regulation sets out the principles that guide how organizations handle people's data: six in Article 5(1) plus accountability in Article 5(2), seven in all. They are not detailed technical rules but an overarching framework that lays out what the GDPR is for.

Many principles are similar to those in the previous data protection laws. The seven principles are as follows:

  1. Lawfulness, fairness, and transparency: Ensures organizations inform data subjects how they will use their personal data.
  2. Purpose limitation: Organizations can only collect data for specific purposes.
  3. Data minimization: Limits the data collected to what organizations require for specific processing.
  4. Storage limitation: Organizations will not retain collected data longer than needed.
  5. Accuracy and updates: Organizations collecting and processing data should ensure its accuracy and update it. They must also change or delete data upon the request of data subjects.
  6. Integrity and confidentiality: Organizations must apply appropriate security and protection measures to secure personal data against theft and unauthorized access.
  7. Accountability: The controller is responsible for compliance with the principles and must be able to demonstrate it, through records, policies, impact assessments, and audits.

What are the Rights for Individuals?

The above principles underlie the specific data subject rights in Chapter III of the GDPR. These include the following:

  • Right of access: Data subjects can obtain confirmation that an organization processes their data, and a copy of it together with the purposes, recipients, and retention period.
  • Right to erasure (right to be forgotten): Data subjects can request deletion of their personal data. The organization can refuse only if it demonstrates a legal ground for keeping the data, such as a legal obligation or the establishment or defence of legal claims.
  • Right to object: Data subjects can object to processing based on legitimate interests or public-interest tasks. The organization may continue only if it demonstrates compelling legitimate grounds that override the individual's interests; an objection to direct marketing must always be honoured.
  • Right to restriction of processing: Data subjects can require an organization to stop using their data, while still storing it, for example while a dispute about its accuracy is resolved.
  • Right to portability: Data subjects can receive the data they provided in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to rectification: Data subjects can require the correction of inaccurate data and the completion of incomplete data.
  • Rights related to automated decision-making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, save for specific exceptions.

GDPR Breaches and Fines

When a security breach affects personal data, the data controller must notify the supervisory authority (the public authority each EU member state designates to oversee compliance) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Other breach notification requirements include:

  • If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.
  • The notification must, at a minimum, describe the nature of the breach, the categories and approximate number of data subjects affected, and the categories and approximate number of records involved, and give the contact details of the DPO or another contact point.
  • It must describe the likely consequences of the breach and the measures taken or proposed to address it and to mitigate its possible adverse effects.
  • Where the breach is likely to result in a high risk to individuals, the controller must also communicate it directly to the affected data subjects without undue delay; a public announcement is acceptable only where individual communication would involve disproportionate effort.
  • The controller must document every personal data breach, its effects, and the remedial action taken, so that the supervisory authority can verify compliance.

GDPR fines and penalties have a tiered approach that includes two levels of fines, depending on the scope and type of infringement:

  1. For less serious infringements: Up to 10 million euros or up to 2% of the company’s preceding financial year’s global annual revenue, whichever amount is higher.
  2. For more serious infringements: Up to 20 million euros or 4% of the company’s preceding financial year’s global annual revenue, whichever amount is higher.

The biggest issue most companies focused on after the GDPR was adopted in 2016 and became applicable on 25 May 2018 was regulators' ability to impose stiff financial fines for non-compliance. Regulators can fine businesses for a range of infringements, including failure to process personal data lawfully, failure to designate a data protection officer where one is required, and inadequate security leading to breaches.

GDPR and Third-Party Data

The regulation also governs personal data obtained from sources other than the data subject, and the sharing of personal data outside the region. It stipulates that:

  • Data controllers may transfer personal data to a country outside the EU or to an international organization only where the European Commission has recognised the destination as providing adequate protection, where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place, or where a specific derogation applies.
  • Data controllers that obtain personal data from a source other than the data subject must tell the data subject which categories of data were collected and where they came from.

After the United Kingdom withdrew from the EU, it retained the regulation in domestic law as the UK GDPR, which operates alongside the Data Protection Act 2018. UK companies that offer goods or services to, or monitor, people in the EU remain subject to the EU GDPR as well.

It is worth noting that the GDPR imposes obligations directly on data processors as well as on controllers, and both can be held liable for damage caused by non-compliant processing. A non-compliant third-party processor therefore affects an organization's own compliance status, and processors must report breaches to their controllers without undue delay so the controller can meet its own notification deadline.

Therefore, a controller's contracts with processors such as SaaS vendors, payroll service providers, or cloud providers must spell out each party's responsibilities, as Article 28 requires: processing only on documented instructions, the security measures to be applied, the use of sub-processors, assistance with data subject requests, breach reporting, and deletion or return of the data at the end of the contract.

How to Ensure GDPR Compliance

For businesses, GDPR compliance can be a daunting task. So how does a company ensure it? The regulation describes the expected results of responsible data management but does not prescribe the technical measures to achieve them. Below are some practices that help streamline compliance while meeting the regulatory requirements:

  • Establish and document a lawful basis before collecting personal data; where that basis is consent, ask for it first and keep a record of it.
  • Collect only the data required, since organizations are accountable for all the data they hold, whether or not they use it.
  • Encrypt data at rest and in transit, and keep the keys separate from the data they protect.
  • Do not share data with other entities without a lawful basis and, for transfers outside the EU, a valid transfer mechanism; tell data subjects who the recipients are.
  • Keep secure, tested backups of personal data, and make sure retention and erasure processes cover the backups as well as the primary systems.
  • Invest in the tools and capability to locate, correct, export, or delete an individual's data across all systems, verify that the action completed, and document everything.
  • Read the GDPR and understand all the requirements.
  • Look at what other organizations are doing and how the GDPR affects their operations, and learn from them.

Eliminate Data Governance Gaps with Arctera

Complying with GDPR is not just a legal requirement; it’s also an opportunity for organizations to build customer trust by protecting their personal data.

Digital transformation has redefined the regulatory rules governing businesses globally. US businesses are now subject to several cybersecurity compliance regulations due to the nature of their business, such as GDPR and the California Consumer Privacy Act (CCPA). (See CPRA for an update on CCPA)

Many communication platforms and online operating environments have made compliance administration demanding and costly. Therefore, businesses are looking for effective, affordable ways to remain compliant while boosting productivity and expanding operations.

Arctera’s integrated portfolio of data compliance capabilities synthesizes intelligence across different data sources to streamline access, ensure regulatory compliance, deliver insights, support analysis, and minimize organizational risk.

The Arctera integrated approach to compliance and enterprise data management turns big data into actionable insights. Additionally, our Data Insight Integration’s reporting and visualization features allow users to classify at-risk data, engage data owners, and rescind access to sensitive personal data to improve data compliance and decision-making.

Moreover, the Arctera Integrated Classification Engine eliminates dark data challenges of data security and compliance. Users can archive and retrieve their data to and from anywhere.

Contact us today to receive a call from one of our representatives.

About Arctera

Arctera helps organizations around the world thrive by ensuring they can trust, access, and illuminate their data from creation to retirement. Created in 2024 from Veritas Technologies, an industry leader in secure multi-cloud data resilience, Arctera comprises three business units: Data Compliance, Data Protection and Data Resilience. Arctera provides tens of thousands of customers worldwide, including 70% of the Fortune 100, with market-leading solutions that help them to manage one of their most valuable assets: data.

Learn more at www.arctera.io
Follow us on X @arcteraio