
The Regulation (EU) 2016/679 (General Data Protection Regulation), or GDPR, was agreed upon by the European Parliament and Council in April of 2016. It became applicable as of May 25, 2018. It was created to harmonize data privacy laws in all member states across Europe. It replaced the previous (1995) data protection directive and is Europe's new framework for data protection laws.
GDPR provides a variety of privacy rights to individuals in the EU, regardless of whether the individual resides in the EU or elsewhere, and irrespective of where, or by what entity, the individual's personal data is processed.
It provides definitions for twenty-six (26) common terms, which removed much of the previously perceived lack of clarity about exactly what constitutes "personal data." Businesses regulated by the GDPR owe a number of obligations to their consumers, including robust consent requirements, privacy by design, and mandatory breach notifications. Many of the rules can only be satisfied through material changes to an organization's processes, infrastructure, and network.
GDPR is the primary basis for the majority of privacy laws currently enacted or in committee in the United States.
The official legal text (in a neatly indexed and searchable version) can be found online, as well as a local PDF.
What Does That Mean?
DO I HAVE TO DO THIS?
This Regulation applies to companies processing personal data:
- in the Union, or
- of data subjects who are in the Union but not established in the Union, or
- in a place not established in the Union but where Member State law applies by virtue of public international law.
The entire point of GDPR is to protect data belonging to EU citizens and residents. Therefore, the law applies to all organizations, whether EU-based or not, if they meet one of two conditions:
- They offer goods and services to people in the EU, or
- They monitor online behavior.
There are only two exceptions to the Regulation's full scope:
- Data is collected for "purely personal or household activity."
- If an organization has fewer than 250 employees, the regulation frees them from certain record-keeping obligations, but they are not totally exempt.
WHAT IF I DON'T?
Although GDPR was enacted by the EU as a whole, it is enforced by the individual regulatory enforcement agencies of each country (Information Commissioner's Office - ICO - UK, Data Privacy Commission - DPC - Ireland, etc.). This leads to a certain level of subjectivity in its application.
Organizations in breach of GDPR can be fined up to 4 percent of annual turnover, or up to €20 million ($24.1 million), whichever is higher.
In general, some Member States have been more proactive in issuing fines. Spain led in number of fines issued, but Italy led in total fine amounts. Luxembourg issued the largest fine to date to Amazon (€746 million).
In contrast, Ireland's DPC has been slow to fine companies under its jurisdiction. (Not surprisingly, several major tech giants, including Facebook, Twitter, Google, and Apple have declared Ireland as their main establishment.)
WHAT CAN YOU DO FOR ME?
We use AI/ML to scan the data being processed and categorize any potential privacy violations.
We identify all of the data being stored or processed through the system or locally (client-side), itemizing each piece of data and verifying that it is categorized and noted.
We determine the levels of disclosure and consent required, cross-referencing any data definitions and/or privacy notices/policies for completeness.
We analyze your software source code for hard-coded or production data embedded or in use for testing or any other reason.
We produce artifacts that can be used to assist your remediation efforts and provide templates for required documentation.
...and so much more!