April 19, 2023
GDPR: An overview
General Data Protection Regulation (GDPR) is an EU regulation advocating for data privacy protection. With such a high volume of data collection, treatment and sharing in the digital age, companies need to protect the data privacy rights of individuals and use personal information responsibly.
What is GDPR?
GDPR is legislation that replaced the EU’s original data protection law, the European Data Protection Act. It was introduced in 2018, and the UK GDPR follows an almost identical framework post-Brexit.
The regulation splits companies into data controllers and data processors and assigns each role separate responsibilities.
The primary purpose of GDPR was to provide confidence to the general public. After several high-profile data breaches, it was clear that a more robust framework was required.
One such breach happened to the tech organisation Yahoo in 2013, affecting every one of its 3 billion users. It has since been used as a ‘case study’ for the GDPR’s implementation because the full extent of the breach was not disclosed until the company was sold to Verizon. Now, GDPR ensures that the public and regulators are informed immediately after a breach is identified.
Plus, large institutions such as Facebook (now Meta) have been caught selling huge volumes of data. The Cambridge Analytica scandal brought to light a violation of privacy since the subjects of the data did not consent to the sharing of their social profiles and other subsequent information.
Unfortunately, it’s hard to quantify the full extent of this sale. Some believe that the data has been used to deny individual health insurance applications in particular, based on the sharing of genetic data, for example.
Now that the regulation has been in play for several years, it’s working to uphold public confidence in the way businesses behave around data. The knock-on effects, at least financially, encourage investing and preserve the integrity of the financial markets.
In 2019, the French data protection authority (CNIL) fined Google a total of €150 million for failing to make cookies as easy to reject as to accept. With Google Analytics being a huge power in the data collection space, this created big ripples in the industry as far as user consent is concerned, and may have encouraged smaller firms to comply.
Requirements of GDPR
There are seven key components of GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Lawfulness, fairness and transparency
This first requirement frames the basic nature of GDPR, in that the capture of data must have the consent of the party from whom it is collected. Moreover, there must be a legitimate reason to collect the data in the first place, and the company must follow its legal obligations.
GDPR requires a clear reason for the collection and data processing. For example, companies might demonstrate that they have performed proper due diligence through the collection of certain data before signing with a new supplier or customer.
Without ‘approved’ reasons for data collection or processing activities (i.e. a legitimate interest), GDPR prevents companies from dealing with personal data.
Just like businesses require a legitimate reason, they must also not collect data past the necessary amount. More specifically, GDPR states that data collection and processing must be “adequate, relevant and limited”.
To comply with GDPR, any information must meet a minimum standard of accuracy. In some cases, businesses will also be required to measure the importance of the information they collect, and then perform additional checks when the type of data exceeds a certain threshold.
As a general rule, regulated companies must hold their records for a minimum of five years under GDPR. However, this can vary depending on the type of data and how it is used.
Notably, though, GDPR empowers members of the public to gain insight into the exact data held about them. They also have the power to ask businesses to amend erroneous information or to delete the records altogether. Therefore, companies must possess the technology to flexibly amend or delete small subsections of data if required.
In a GDPR setting, data integrity refers to the security of your records against both internal and external breaches.
In the wrong hands, the data that some companies collect could cause financial ruin. An operational resilience strategy in the event of a successful cybersecurity attack is also important in order to maintain individual privacy rights.
Under the regime, data controllers and data processors have different roles. However, GDPR sets out their responsibilities very clearly so that firms and their senior leaders are held accountable for their decisions.
Also falling under accountability is the Privacy Management Framework that some larger firms are required to follow. This could mean performing a data protection impact assessment or working directly with a supervisory authority (like the Data Protection Commission) for guidance on how to protect sensitive data for your GDPR compliance.
Comparative GDPR regulations around the world
Since GDPR was the first data privacy regime of its kind, it’s no surprise that many other jurisdictions have followed suit with their own data protection regulations protecting individual privacy rights. These include the likes of:
- Brazil’s Lei Geral de Proteção de Dados Pessoais
- California’s Consumer Privacy Act (CCPA)
- Colorado’s Privacy Act
- Australian Privacy Act
Each of these is fairly comparable in terms of its approach to data protection.
The Colorado Privacy Act applies to any business operating within the state of Colorado, or serving customers who reside in Colorado. Again, this law separates data controllers and data processors, and promotes several consumer rights. For example, the supervisory authority requires companies to display a clear ‘opt-out’ button for those who wish to prevent the collection of their data.
Likewise, Lei Geral de Proteção de Dados Pessoais was introduced shortly after GDPR in 2018. It centralises best practices in data protection, requiring each compliant business to assign a Chief of Data Protection. Moreover, at the request of the data subject, a business must inform them about, correct, delete or anonymise any information collected.
Who must comply?
GDPR applies to each and every company operating within an EU member state or doing business with any customer that is an EU citizen. So, whether you’re a single entrepreneur or a multi-national corporation, GDPR applies to all your customer data if they’re EU residents.
The majority of GDPR requirements apply to data processors since they typically ‘treat’ the data and would be more responsible for upholding its accuracy, integrity and security, for example.
Having said that, data processors often operate specifically for data purposes, which means that the majority of companies fit into the data controller role. You might hold the addresses of customers, collect email addresses as part of your marketing, or have the banking details of a supplier. Each of these types of data falls under the privacy notice and protection of GDPR.
Although you’ll hopefully already be compliant with GDPR principles, a helping hand is always useful. CUBE’s RegPlatform provides dedicated regulatory intelligence insights for your specific business situation, so you can see exactly which data privacy regulations are around the corner without the risk of non-compliance fines or of falling behind your competitors.
Contact CUBE to stay ahead of emerging data privacy regulations.