What is GDPR?
GDPR stands for General Data Protection Regulation.
GDPR is a European Union (EU) law that governs the protection and privacy of personal data. Its goal is to give individuals greater control over how their personal data is collected, used, and retained by companies and organizations. The law applies to organizations established in the EU, and it also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, people located in the EU. Scope is based on where the individual is, not on citizenship: anyone whose data is processed is referred to as a data subject in the GDPR, whether or not they are an EU citizen.
It requires data controllers and data processors to provide an appropriate level of protection for the personal data of those data subjects. A data controller is the organization that decides why and how personal data is collected and used; a processor is an organization that stores or processes that data on the controller's behalf (for example, a cloud hosting or payroll provider). When comparing the GDPR to UAB's Data Access Policy, data controllers are similar to UAB's definition of data stewards, while processors are similar to UAB's definition of data custodians.
Personal Data
The GDPR defines personal data more broadly than the traditional U.S. notion of personally identifiable information (PII). It covers the obvious identifiers (name, address, telephone number, email address, photos, signatures, biometric data) but also technology-related identifiers such as usernames, IP and MAC addresses, device IDs, and browser cookies, which can be used alone or in combination to single out a person and, in some cases, their location. Under the GDPR, any information relating to an identified or identifiable natural person is personal data and must be protected, even if no single field in the record looks sensitive on its own.
Requirements
In general, the GDPR establishes a number of requirements for organizations that act as data controllers or data processors. Below is a high-level overview of some of those requirements; it is not exhaustive:
- Organizations must publish a privacy notice that explains what data is collected, why, and for how long. A Data Protection Officer must be appointed when the organization is a public authority, or when its core activities involve large-scale monitoring of individuals or large-scale processing of sensitive (special-category) data.
- Data subjects are granted a right of access to their information, which means a controller or processor must be able to tell the subject what data is held about them, where it came from, how it is processed, and with whom it is shared, and to provide a copy on request.
- Pseudonymization transforms data so that it can no longer be tied to a specific data subject without the use of additional information that is kept separately and protected. Encryption of the identifying fields and tokenization are common ways to implement it; the decryption key or the token lookup table is the "additional information" and must be stored and access-controlled apart from the pseudonymized dataset. Pseudonymized data is still personal data, but the GDPR treats it as a risk-reducing safeguard.
- A data controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the affected individuals. Where the breach is likely to result in a high risk to the data subjects, such as exposing them to identity theft, fraud, or targeted phishing, the affected data subjects must also be notified without undue delay. If the compromised personal data had been rendered unintelligible to unauthorized parties, for example because it was encrypted and the keys were not compromised, notifying the data subjects is not required. However, U.S. federal, state, and local laws regarding breach notification still apply and may impose their own deadlines.
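The pseudonymization bullet above is the one technical safeguard on this page, so here is a worked example of it. This is an added illustration written for this page, not code from UAB or from any GDPR guidance: it tokenizes the identifying fields of a constructed set of sample records with a keyed hash (HMAC), keeps the key and the token-to-value map in a separate "vault" object that stands in for the "additional information", and contrasts that with the common mistake of using an unkeyed hash, which an attacker with a list of candidate e-mail addresses can simply recompute. The record layout, field names and the `TokenVault` class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records for this example (not real people or addresses).
RECORDS = [
    {"email": "anna.muller@example.eu", "ip": "203.0.113.7", "purchase": "books"},
    {"email": "anna.muller@example.eu", "ip": "203.0.113.7", "purchase": "tea"},
    {"email": "b.lee@example.eu", "ip": "198.51.100.20", "purchase": "coffee"},
]
# Fields that identify a data subject and therefore get replaced by tokens (assumed).
IDENTIFYING_FIELDS: Tuple[str, ...] = ("email", "ip")


class TokenVault:
    """The 'additional information' that re-links tokens to people.

    Holds the HMAC key and the token -> original value map. In a real system this
    lives in a separate, access-controlled store; the pseudonymized dataset can be
    handed to analysts or processors without it.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def tokenize(self, field_name: str, value: str) -> str:
        # A keyed hash is deterministic (same subject -> same token, so records can
        # still be joined for analytics) but cannot be recomputed by anyone who
        # lacks the key, even if they can guess the original value.
        mac = hmac.new(self._key, f"{field_name}:{value}".encode(), hashlib.sha256)
        token = f"{field_name}_{mac.hexdigest()[:16]}"
        self._reverse[token] = value
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Re-link a token to the original value; only the vault holder can do this."""
        return self._reverse.get(token)

    def erase(self, token: str) -> None:
        # Dropping the vault entry leaves the pseudonymized rows in place but makes
        # them permanently unlinkable to the person (sometimes called crypto-shredding).
        self._reverse.pop(token, None)


def pseudonymize(records: List[dict], vault: TokenVault,
                 fields: Tuple[str, ...] = IDENTIFYING_FIELDS) -> List[dict]:
    """Return copies of the records with identifying fields replaced by vault tokens."""
    out = []
    for rec in records:
        pseudo = dict(rec)
        for name in fields:
            if name in pseudo:
                pseudo[name] = vault.tokenize(name, pseudo[name])
        out.append(pseudo)
    return out


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain SHA-256 of an e-mail address is not pseudonymization,
    because the input space is guessable and the hash can be recomputed by anyone."""
    return hashlib.sha256(value.encode()).hexdigest()


def attacker_can_guess(candidates: List[str], target_hash: str) -> bool:
    """Dictionary attack against an unkeyed hash: hash each guess and compare."""
    return any(unkeyed_hash(c) == target_hash for c in candidates)


def demo() -> dict:
    """Run the scenario end to end and return the observations as a dict."""
    vault = TokenVault()
    pseudo = pseudonymize(RECORDS, vault)
    anna_token = pseudo[0]["email"]
    raw_values = {r["email"] for r in RECORDS} | {r["ip"] for r in RECORDS}
    result = {
        # Same person -> same token, so the two purchases can still be joined.
        "joinable": pseudo[0]["email"] == pseudo[1]["email"],
        # No raw identifier survives in the pseudonymized dataset.
        "no_raw_pii": not any(v in raw_values for p in pseudo for v in p.values()),
        # Only the vault holder can get back to the person.
        "relink_with_vault": vault.reidentify(anna_token),
        # An unkeyed hash of the same address falls to a short guess list.
        "unkeyed_guessable": attacker_can_guess(
            ["x@example.eu", "anna.muller@example.eu"],
            unkeyed_hash("anna.muller@example.eu")),
    }
    vault.erase(anna_token)
    result["relink_after_erase"] = vault.reidentify(anna_token)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split is that the dataset and the vault have different risk profiles: a leak of the pseudonymized records alone does not expose a data subject, which is exactly the situation in which the breach-notification duty toward individuals can be avoided, whereas a leak of the vault (or the HMAC key) re-identifies everyone. Truncating the HMAC to 16 hex characters keeps tokens short; use the full digest if you need collision resistance across very large populations.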
Consent to collect personal data
- Consent cannot be made a condition of providing a product or service if the personal data requested is not necessary to deliver that service or perform that contract.
- Consent must be obtained before the data is collected, by a clear affirmative action; pre-ticked boxes, silence, or continued use of a site do not count. Consent must also be specific to the purpose stated and as easy to withdraw as it was to give.
- Controllers must be able to demonstrate that they received consent from the data subject. For children under 16 (individual EU member states may lower this threshold to as young as 13), consent must be given or authorized by the child's parent or legal guardian.
Revoking consent
- Data subjects can withdraw their consent at any time. The controller/processor must provide a process for this and, on request, must be able to locate and completely remove the data subject's personal data from the organization's information systems (including backups).
- A data retention policy must be created and enforced so that data subjects' personal data is not kept longer than needed for the purpose for which it was collected.
Decisions on how to secure personal data must be based on risk analysis. Organizations should perform a risk assessment covering the storage, transmission, and processing of GDPR data and, based on that assessment, implement the security controls that reduce the risk to a level acceptable within management's risk appetite. Such risk assessments should be conducted at least annually and whenever the processing changes significantly.
Penalties
GDPR has garnered the attention of many U.S. businesses and organizations because of the sanctions that can be levied for non-compliance, including a breach that compromises the personal data of EU data subjects. Depending on the violation, an organization can be fined up to €20 million (roughly $24 million) or 4 percent of its annual global turnover, whichever is higher; a lower tier of €10 million or 2 percent of global turnover applies to less severe violations.
Additional Resources
This page provides a high-level overview of the GDPR; additional resources are required to fully understand its requirements and how they apply to a specific organization.