The General Data Protection Regulation (GDPR) is the privacy and data protection law that went into effect on the 25th of May, 2018. The regulation focuses on the use and processing of personal data, that is, any information that could be used to identify a natural person. The regulation must be followed in all European countries, but it also applies to non-EU companies that serve or monitor (or intend to serve or monitor) ‘data subjects’ in the EU. Consequently, GDPR affects most companies.
Personal data is every piece of data that can be used to uniquely identify a natural person, or data that is about an already identified person. This includes data that the user has explicitly provided, but also data that you have collected about them from third parties or based on their behaviour on the site. The aim of the GDPR is to protect EU citizens from privacy and data breaches.
The basic principles of the regulation
- Data minimization: GDPR requires companies to have legitimate reasons for collecting and using consumer data.
- Clear consent process: users should have an actual choice in the matter and must not be denied services when they withdraw consent.
- Right to be informed: long, illegible terms and conditions full of legalese are a thing of the past.
- Secure storing of data: implement all the security measures you can think of to protect data, as well as measures to guarantee that the data has not been inappropriately modified.
- Clear retention process: transparency about how long data is stored.
- Users in charge of their data: users have the option to export their data in a 'machine readable format' (right to data portability), edit their data (right to rectification) or be deleted from a company’s system altogether within a reasonable timeframe (right to be forgotten).
- Third-party software: you are not compliant until all the third-party software you use is compliant. For good measure, document your own processing activities (including your dependencies) and those of third parties.
- Breach notification: a breach must be reported within 72 hours of first having become aware of it, and data processors are required to notify their customers “without undue delay”.
- Data Protection Officer: appoint one to keep internal records up to date.
- ‘Privacy by design’: data protection is included from the onset of designing systems, rather than as an afterthought.
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater.