General Data Protection Regulation (GDPR)

Written By: Liban A.

What is the GDPR?

The General Data Protection Regulation (GDPR) regulates internet privacy for the citizens in the European Union (EU) and European Economic Area (EEA). It was created on April 16th, 2016, and fully implemented on May 25th, 2018. It is an extensive law about security and privacy for citizens’ data in the EU. The law punishes those who break its guidelines for data collection by giving out harsh fines. Large companies, such as Meta (Facebook), Amazon, and Google, have been fined in the past due to these regulations. The penalties depend on how badly the organization violated the guidelines of the law, such as when British Airlines was fined about 22.4 million Euros for failing to secure the data of 400,000 customers (about half the population of Delaware), resulting in all that data being stolen by hackers. Meta had to pay 1.2 billion Euros (1.3 billion USD) to the Irish Data Protection Commission for transferring data from European citizens to the main company of Meta in the United States. Meta has been fined multiple times by the EU for privacy issues, but this fine is the largest any company has had to pay out.

What are the policies for the GDPR?

There are policies that govern data management to protect the information and security of European citizens. Since many American companies operate both in the US and EEA, they must be mindful about how they handle data transfers between the two areas, and the GDPR guidelines are general best practices for data privacy and security that should be followed regardless of where the company operates.

The general policies that dictate the GDPR are as follows:

Consent: Requires clear and explicit consent from individuals for the processing of their personal data.

Data Rights: GDPR grants several rights to individuals:

Right to Access: Individuals can request confirmation of whether their data is being processed and access to that data.
Right to Rectification: Individuals can request correction of inaccurate or incomplete data.
Right to Erasure (Right to be Forgotten): Individuals can request the deletion of their data under certain conditions, such as when the data is no longer necessary for its original purpose.
Right to Restriction of Processing: Individuals can request limitations on the processing of their data in certain circumstances.
Right to Object: Individuals can object to the processing of their data, including for direct marketing purposes.

Data Protection Officer (DPO): A DPO is responsible for advising on and monitoring GDPR compliance within an organization. They ensure that the organization follows data protection laws and acts as a point of contact for data subjects and regulatory authorities.

Data Breach Notification: Organizations are required to report data breaches to the relevant supervisory authority within 72 hours (about three days) of becoming aware of the breach. If the breach is likely to result in a substantial risk to the rights and freedoms of individuals, the organization must also notify affected individuals without undue delay.

Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request the transmission of this data to another data controller where technically feasible.

Accountability and Compliance: Organizations are responsible for demonstrating compliance with GDPR principles and must implement appropriate measures to protect data. Organizations must demonstrate compliance with GDPR principles by implementing appropriate technical and organizational measures, such as data protection policies, pseudonymization, and regular security assessments.

Overall, the GDPR is designed to protect individuals’ personal data by placing obligations on organizations that collect and process such data, ensuring transparency, accountability, and control over personal information. Organizations that only operate in the United States can find these practices useful since they set clear guidelines on how the data of the individual should be handled and what to do if that data is exposed due to a data breach. High-profile data breaches occur in the US every year where the company clearly did not handle the privacy or security of customer’s data as well as expected, and the companies suffer reputational and financial consequences as a result. An example of this would be the Equifax breach back in 2017, which exposed the data of 147.9 million Americans (just under half of the US population) as well as millions of British and thousands of Canadian citizens. It is important for large and small organizations to have secure data management to avoid or reduce the impact of data breaches.