What is the General Data Protection Regulation (GDPR)?

In today's hyperconnected business world, people share information every day with companies across the globe, from e-commerce shopping and social media to online gaming and banking. While these digital processes are more convenient, they also put sensitive data at risk. Global compliance regulations, like the General Data Protection Regulation (GDPR), guide businesses on how to keep people's personal data secure.

Thanks to the latest technology, such as ChatGPT (or its version, FraudGPT), machine learning, and other large language models, cybersecurity threats are becoming more sophisticated. Consequently, modern technology standards like GDPR are essential for protecting people's private data.

General Data Protection Regulation (GDPR) Definition

The General Data Protection Regulation (GDPR) is a set of compliance rules that address how companies collect, store, share, and secure personal data. The regulations apply to the personally identifiable information (PII) of all citizens in the European Union (EU). Any business, even those outside the EU that handles the personal data of EU citizens, needs to follow the GDPR rules.

These data protection rules help businesses secure sensitive data to prevent a data breach or other cyberattacks. Organizations that don't comply with the rules risk hefty fines, equating to millions of dollars. The highest fine so far was €1.2 billion ($1.3 billion) imposed by the Irish Data Protection Commissioner against Meta Platforms Ireland Limited!

Key takeaways

GDPR is a compliance standard for protecting the privacy and security of EU citizens' personal data.
The GDPR rules apply to any organizations that process data belonging to EU citizens, even companies outside Europe.
The core principles of the General Data Protection Regulation focus on minimizing the use of personal data and the risk of data being exposed to the wrong people.
Under GDPR, citizens (also called data subjects) have rights that give them more control over their personal data, such as the right to be informed and the right to erasure.
Companies need to conduct a data protection impact assessment (DPIA) to assess and reduce any data security risks before starting a new project.

The General Data Protection Regulation, or GDPR, is a set of data protection principles that guide how businesses should keep EU citizens' data safe. These data privacy laws came into effect in 2018. Their main aim is to give citizens more control over their personal data. That means what personal info businesses store, whether it may be stored or transmitted, and how it'll be kept safe, for instance.

The rules apply to any data that can be used to identify an individual. This is called personally identifiable information or PII. PII includes things like the person's identification number, location data or even information about their health or economic situation.

GDPR focusses on keeping peoples' sensitive information out of the hands of cybercriminals. The principles and rights of the standards ensure that businesses always put the privacy and security of this personal data first. The framework ensures the PII is handled safely whether it's being stored in the cloud, emailed to a business partner or collected by a marketing company.

In fact, per Article 25 of the regulations, companies must implement data protection 'by design and by default.' That means any process must take data protection into account right at the start of the process. Every process or product development cycle should be designed to protect the data. Plus, that data is always processed in a way that keeps it the most secure, with the minimum amount of data and access to that data. In that way, data is protected by default.

The European Commission designed GDPR to standardize data privacy laws in Europe. It provides more modern data privacy rights to EU citizens, such as the right to have their personal data erased. Plus, it guides companies on how to improve their data protection measures.

Who does GDPR apply to?

Any company that works with the data of EU citizens must be GDPR compliant. That means companies in the EU, and anywhere across the globe that work with this personal data.

These data protection measures apply to data controllers and data processors. A company that decides how and why data is processed is called a data controller. For example, a digital marketing company that helps its clients track marketing metrics is a data controller. They decide why the metrics are collected and how they will be handled.

A company that processes data on behalf of a data controller is called a data processor. This could be a cloud storage provider like AWS or Oracle. Or for a SaaS product that processes the digital marketing company's client data.

The General Data Protection Regulation framework includes seven core principles that data controllers and data processors must follow. While the principles aren't strict rules, companies need to abide by all the principles and have detailed written records or evidence that proves their compliance.

Lawfulness, fairness and transparency. This principle refers to how the data is processed. It must be done in a way that abides by the law, is fair to the individual and in a transparent way. For example, data processing cannot go against any local data privacy laws. Plus, the data subject (the person whose data is being collected), must be informed exactly what info is being collected and how it'll be used.
Purpose limitation. The data that companies collect must only be used for the purposes that were specified to the data subject. In other words, if data was collected for verify a person's identity during an e-commerce transaction, that data cannot be used for sales or marketing purposes too (unless they've given their consent).
Data minimization. Data minimization means that companies must only collect and process the minimum amount of data they need for the purpose they've specified. For instance, if the data controller uses the data to offer personalized choices, such as additional shopping item suggestions, there is no need to collect data about the person's employment details.
Accuracy. Keeping individuals' personal data up to date and accurate is also an important principle. For example, updating a person's physical address if they relocate or emigrate.
Storage limitation. Companies can only store PII for as long as it's needed for their chosen task. In other words, they must delete any personal data that's no longer needed. For example, if an EU citizen finishes working for a company, the company must have a policy in place to delete their personal HR data. However, there are exceptions to this principle, such as retaining data for historical or scientific research.
Integrity and confidentiality. Any company that handles EU citizens data needs to protect that data. GDPR compliance in this instance means putting security measures in place, such as data encryption or two-factor authentication. Data controllers must make sure they process and store data securely at all times. The personal data must be protected against unauthorised access, accidental loss or any damage to the data.
Accountability. Accountability, in this case, means that the company processing the data must be able to demonstrate that they are GDPR compliant.

The accountability principle is particularly important. As with any regulatory standards, data controllers must be able to prove that they are compliant. A few ways you can help your organization be compliant is to:

Maintain accurate, detailed documentation of what data is stored, where it's stored, who is responsible for it, and how it's used.
Appoint a Data Protection or Data Privacy Officer to manage GDPR compliance security issues.
Educate the whole workforce on GDPR and their roles and responsibilities.
Set up contracts for any data processors your company works with to keep the data secure at all times.

Under GDPR, data subjects have specific rights to ensure the privacy and security of their personal data. In other words, individuals have more control over their data than with previous data protection regulations.

The right to be informed

Individuals covered by GDPR have the right to know what data companies have collected on them. Plus, what the data is used for, how long they'll keep it, and which other companies they share that personal data with.

The right of access

Individuals can find out what info companies have about them by submitting a Subject Access Request (SAR). The data controller must confirm whether they are processing the person's data and provide them with a copy of their personal data. The SAR does not have to be a formal request, and could even be made through social media, for instance.

The right to rectification

With this right, we're talking about correcting an individual's data when it's inaccurate or incomplete. The right to rectification means that the company must acknowledge that the data is inaccurate or incomplete and get that info updated within a month. However, since companies have many database resources, the one-month target can sometimes be an operational challenge.

The right to erasure

The right to erasure is also known as the right to be forgotten. Data subjects can ask for their personal data to be deleted if that data isn't needed anymore, such as switching mobile service providers, or in instances where the data has been unlawfully obtained.

The right to restrict processing

Sometimes, people might want to limit how companies process their data. For instance, if the data is inaccurate and busy being verified or the organization is busy verifying a data erasure request.

The right to data portability

An individual should be able to get their personal data so they can share it with another data controller. Or to have the data directly transferred between two organisations. The data must be in a machine-readable format. An example of data portability is transferring data from one wearable device to another.

The right to object

EU citizens can object to companies processing their data. For instance, when they opt out of direct marketing that requests their personal data, objecting to their data being used for research purposes.

Rights regarding automated decision-making and profiling

Today, it is common practice for companies to make decisions or assessments using AI-driven technology. For example, an automated approval process for a home loan. Under GDPR, people have the right to object to automated decision-making. Especially if it affects them in a legal way, such as being declined a home loan.

Conducting Data Protection Impact Assessments (DPIAs)

A data protection impact assessment (DPIA) is a process that helps a company identify any risk to peoples' personal data before starting a new project. The aim of the assessment is to eliminate any risks that could violate GDPR compliance. The data protection law mandates companies to carry out a DPIA before doing any data processing that could result in a high risks to citizens' freedoms and rights.

Examples of when a DPIA is needed include:

If a company is planning to use a new technology or software, such as a new SaaS product.
The company does systematic monitoring of a public place.
For processing individuals' personal data, such as their political or religious beliefs.
If PII is used to make automated decisions.
If the company processes data pertaining to children.

By implementing a DPIA companies can become more aware of any potential data protection risks when they start a new project. The assessment will also help the company build data security into the project from the beginning. As a result, they'll align better with the 'data privacy by design' component of the data protection rules. Another benefit of conducting a DPIA is demonstrating that the company is accountable, which helps build trust with individuals.

7 steps to conduct a DPIA

A DPIA is not just a once-off exercise for a data controller. It is a business process that is reviewed and improved on as needed. Here are the basic steps to conduct a DPIA.

Identify a project or operation that involves high-risk data processing.
Outline the data processing workflow.
List any potential threats or risks to the personal data.
For each risk, establish how you can reduce the impact.
Record all your DPIA findings in a detailed report that is signed by the executive team.
Refer to the report throughout the project to ensure the project team is mitigating those risks.
Review the plan when a new high-risk data protection situation arises.

How we protect individuals' privacy is very different today than it was a decade ago. While privacy rights have been in place in the EU since the 1950s, the amount of personal data, and it's accessibility is very different today. Modern security measures are essential to protect the vast quantities of PII available on digital channels.

In 1995, the EU passed the European Data Protection Directive that created basic standards for data security and privacy. But that became outdated as technology advanced. When Facebook came onto the scene in 2006, for instance, the amount of personal data people shared over the internet skyrocketed. As a result, the EU went back to the drawing board and began working on a framework that would better protect sensitive data. The updated data protection regulations, GDPR, were launched in 2018.

GDPR is an essential compliance requirement for any business that deals with EU citizens' data. It takes a modern approach to the data privacy and security issues that users around the globe face in their daily digital interactions. The General Data Protection Regulation sets the right standards for companies to continually put data privacy and security first in whatever they do.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.