The General Data Protection Regulation (GDPR) is Europe's data privacy law — the first of its kind, and still the world's most comprehensive piece of privacy legislation. Note that it is usually called just "GDPR," not "the GDPR."
Does GDPR apply to my business?
If you're a European business, the answer is yes. Even if your business isn't based in Europe, if it handles the personal data of EU citizens, the answer is probably yes, too.
There are two specific groups who are subject to GDPR:
- Data Controllers: the person or business who determines the purposes for which personal data is processed.
- Data Processors: anyone who processes personal data on behalf of the data controller.
What are the key concepts to know in GDPR?
As the first law of its kind, GDPR laid out some concepts that are crucial to understanding the world of data privacy regulation in general. Some are used in other laws around the world. Others are GDPR only.
- Lawful Bases: GDPR says that any time you collect user data, you must have a legal basis to do so. There are six legally valid reasons to collect data.
- Data Subject Rights: GDPR also articulated a set of data rights, many of which have been adopted in other privacy laws all over the world. Understanding the set of rights that data subjects possess is crucial to understanding GDPR.
What are the basics of GDPR compliance?
Wrapping your head around the full scope of GDPR compliance can be a challenge. There are many different elements of business operations to consider and lots of detail around each GDPR requirement. It's best to start with an understanding of the basics and map out a compliance plan from there. See the checklist below for a simple guide to your GDPR planning:
- Get familiar with data subject rights. Under GDPR, subjects have a set of rights that businesses must be able to facilitate. Ensure your procedures and policies can deliver.
- Conduct an audit to discover the data you have. Mapping your data is an essential first step to complying with any modern data privacy legislation. GDPR is no exception.
- Appoint a data protection officer. A DPO is a vital, centralized point of privacy authority in a business. Designating a DPO puts you on the fast track to streamlining your
- Understand the nature of GDPR consent. Consent is at the heart of GDPR. It must be "freely given, specific, and unambiguous." It must also be easy for subjects to withdraw consent at any time.
Can I get in trouble for violating GDPR requirements?
Yes, you can. Enforcement of GDPR is one of the major trends that privacy observers are watching. When GDPR came into effect in 2018, fines started slowly. Regulators gave businesses some time to get used to the new law, but fines have been climbing higher as GDPR reaches maturity.
In the last year, regulators have levied a fine of $50 million on Google and announced intent to fine British Airways a whopping $183 million for a data breach. While these amounts are eye-watering, they're not the key concern for most businesses. Instead, it's the total number of fines issued — over 200 to date.
GDPR affects every business differently. If you're a smaller business that mostly handles US consumer data, GDPR is something to be aware of and measure yourself against. As businesses move up in scale, the importance of GDPR and the risks posed by getting data privacy wrong increase significantly.
There are many companies out there, including Ethyca, that offer GDPR solutions for companies of all shapes and sizes. With thoughtful planning and adequate caution, GDPR is nothing to be afraid of.