GDPR Basics: How It Started
It has been more than two years since the General Data Protection Regulation (GDPR) went into effect. Personal privacy continues to be a topic of immense importance for people and companies around the world. We are going to cover some basics of privacy in this and a series of future posts. Understanding GDPR is helpful as new regulations like the California Consumer Protection Act (CCPA) appear. The underlying goal of GDPR and other such acts is the personal right to privacy.
The European Union’s General Data Protection Regulation (GDPR) came into effect May 25th, 2018. Many companies around the world still struggle with compliance: misinterpretation, cost, necessary training and reporting mechanisms still confound many.
GDPR came into being for one major reason, a cultural difference between Europe and North America. Europeans consider their privacy information as something that should belong strictly to them, even as a partial definition of themselves. People in North America, by contrast, have long since surrendered to the idea that their privacy data is currency: information that supports many business models they prefer to support in exchange for online communications, better prices while shopping online, the convenience of doing web searches for whatever interests them, and more. Of particular interest to GDPR is what happens to privacy data once it is collected: how it is processed, who gets the results, and what they do with those results, most often without the data subject’s consent. Having control over one’s own privacy information is really what GDPR is all about.
GDPR is designed to strengthen and unify data privacy laws across Europe, but its jurisdiction is global: any entity anywhere in the world that deals with EU privacy data, offers goods or services to EU citizens, or monitors the behavior of EU citizens is liable.
GDPR supersedes the UK’s Data Privacy Act of 1998 (also superseded by the UK’s Data Protection Act of 2018, which supplements GDPR but is far less stringent); Privacy Shield (2017), recently declared invalid; and the US-EU Safe Harbor Framework (2000).
Elements of GDPR
The GDPR presents these changes to those older frameworks:
- Increased Territorial Scope: as mentioned, if an entity deals with EU privacy data from anywhere in the world, they are in scope for GDPR compliance.
- Penalties: Maximum penalties for non-compliance are 4% of annual gross revenue or 20M €, whichever is greater. Since enacted in 2018, the largest GDPR fines have been:
| Company | Fine in Euro | Fine in USD |
|---|---|---|
| British Airways | 204.6M € | $240.14M |
| Marriott International Hotels | 110.3M € | $129.46M |
| Google, Inc. | 50M € | $58.68M |
| Austrian Post | 18.5M € | $21.71M |
| Deutsche Wohnen SE | 14.5M € | $17.02M |
| 1&1 Telecom GmbH | 9.5M € | $11.15M |
- Breach Notification: EU Supervisory Authorities must be advised within 72 hours of a breach, or suspected breach.
- Right to Access: through a mechanism called Subject Access Request (SAR), if a data subject requests knowledge of all information an entity has collected on them, the processing and distribution of the same, this information must be reported to them within a maximum of 30 days.
- Right to be Forgotten: If a data subject requests that all their data, records of processing it, and distributions of it be deleted permanently, entities must comply with their request, with some exceptions. If the data is needed for legal proceedings, if it’s in the interest of the public good, if it’s part of contractual obligations, or if the data was voluntarily posted by the data subject in a public forum, entities may decline the request. The data subject then has the right to appeal to Supervisory Authorities, inviting scrutiny upon the entity for GDPR Compliance.
- Privacy by Design: This is a new requirement in business case development whereby the risk to the data at hand is determined through a Data Privacy Impact Assessment (DPIA). High-risk business activities need to be reported to Supervisory Authorities for approval; it is better to design business use-cases that remove such high risk in the first place.
- Data Protection Officers (DPO): Also a new construct put forth by GDPR is the idea of having a single authority in all privacy management activities. An entity must satisfy one of 3 conditions to introduce a DPO requirement, which we’ll cover later in this paper.