What is GDPR?

GDPR stands for the General Data Protection Regulation. It was passed by the European Union (EU) and went into effect on May 25, 2018. GDPR is a privacy law that imposes strict obligations on any organization that targets or collects data on EU residents.

GDPR defines data as “any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.”

Considered one of the most aggressive privacy laws in existence, GDPR empowers its governing authorities to levy fines and penalties reaching the tens of millions of euros on any organization that violates its privacy mandates.

Overview of GDPR

As a data privacy law, GDPR sets forth certain rights for EU citizens, or data subjects, as they are referred to in the legislation.

The GDPR outlines numerous privacy rights for data subjects, which provide said individuals with more control over the data that is collected on them by organizations. These privacy rights include: 

  1. The right to be informed of what data is being collected and how it is being used.
  2. The right to access the data that is being collected on them.
  3. The right to rectification of any data that is being collected about them that may be inaccurate.
  4. The right to the erasure of any data that is collected about them.
  5. The right to restrict the processing of data that has been collected about them.
  6. The right to data portability, allowing individuals to obtain and reuse their personal data.
  7. The right to object to an organization collecting or using their personal data.
  8. Rights in relation to automated decision-making and profiling.

What are the requirements of GDPR?

Organizations are obligated to facilitate the privacy rights listed above by implementing the necessary processes and policies within their business. The following is a summary of how GDPR expects organizations to do so.

Article 12 — Transparency and communication

Organizations are required to explain how they collect and process data in “a concise, transparent, intelligible and easily accessible form, using clear and plain language.” Additionally, they must make it simple for data subjects to make requests related to their rights (e.g. the right to object) and must respond to those requests in an appropriate and timely manner.

Articles 13 & 14 — Collecting personal data

When organizations collect personal data about a data subject, they must communicate specific information to that person about how the data is collected and used, even when the organization does not obtain the data directly from them.

Article 15 — Right of access

Data subjects have the right to information about an organization’s data processing activities, including what data is being collected, the source of the data, the purpose behind collecting it, and how long the organization will keep the data, among other things.

Article 16 — Accuracy

Should the information an organization collects on a data subject be inaccurate, the data subject has the right to have it corrected, and the organization must respond to such requests in an appropriate and timely manner.

Article 17 — Right to erasure

Data subjects have the “right to be forgotten”: they can request that an organization delete their data, and the organization must comply, subject to a few exceptions. One exception is a scenario in which processing the data is required to exercise the organization’s right to freedom of expression. In all non-exempt circumstances, the organization must make it easy for data subjects to submit an erasure request.

Article 18 — Right to restrict processing

Data subjects also have the right to object to the processing of their data, or to request a temporary change to how an organization processes it, if they believe the data is incorrect, is being used illegally, or is no longer required for the purposes for which the data controller initially collected it.

Article 20 — Data portability

An organization is required to store consumer data in a format that can be shared and understood easily if requested. Furthermore, if a data subject requests that an organization send their data to a third party, the organization is required by law to comply.

Article 21 — Right to object

Consumers also have the right to object to the processing of their data. Should this occur, an organization can only override the objection by demonstrating that it collected the data for a legitimate purpose as defined in GDPR.

Who does GDPR apply to?

GDPR applies to any organization doing business in the EU, as well as any organization outside the EU that offers products or services to customers or businesses in the EU.

Key Takeaways

  • GDPR is a privacy law that applies to businesses that operate in the EU or that do business with EU residents or EU businesses.
  • It provides certain rights to EU residents and businesses including, but not limited to, the right to be informed, the right to access, the right to rectification, and the right to restrict processing.
  • GDPR requires businesses to meet certain requirements around their privacy policies as well as to implement security controls to protect the personal data they hold.
  • Violations of a consumer’s GDPR rights can result in fines reaching the tens of millions of euros.