What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that became effective on May 25, 2018. It strengthens and builds on the EU's current data protection framework, the General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive.
At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
The reforms are designed to reflect the world we're living in now, and brings laws and obligations - including those around personal data, privacy and consent - across Europe up to speed for the internet-connected age.
Fundamentally, almost every aspect of our lives revolves around data. From social media companies, to banks, retailers, and governments - almost every service we use involves the collection and analysis of our personal data. Your name, address, credit card number and more all collected, analysed and, perhaps most importantly, stored by organisations.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It's the core of Europe's digital privacy legislation.
How did it come about?
In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe 'fit for the digital age'. Almost four years later, agreement was reached on what that involved and how it will be enforced.
SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened (cover story PDF) (TechRepublic)
One of the key components of the reforms is the introduction of the General Data Protection Regulation (GDPR). This new EU framework applies to organisations in all member-states and has implications for businesses and individuals across Europe, and beyond.
"The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information," said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015.
What is GDPR compliance?
Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it - and those people often have malicious intent.
Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so.
Who does GDPR apply to?
GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.
There are two different types of data-handlers the legislation applies to: 'processors' and 'controllers'. The definitions of each are laid out in Article 4 of the General Data Protection Regulation.
SEE: GDPR compliant? Here's a handy five-step preparation checklist
A controller is a "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data", while the processor is a "person, public authority, agency or other body which processes personal data on behalf of the controller". If you were subject to the UK's Data Protection Act, for example, you'll likely need to be GDPR compliant, too.
"You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR," says the UK's Information Commissioners Office, the authority responsible for registering data controllers, taking action on data protection and handling concerns and mishandling data.
GDPR ultimately places legal obligations on a processor to maintain records of personal data and how it is processed, providing a much higher level of legal liability should the organisation be breached.
Controllers are also forced to ensure that all contracts with processors are in compliance with GDPR.
What is personal data under the GDPR?
The types of data considered personal under the existing legislation include name, address, and photos. GDPR extends the definition of personal data so that something like an IP address can be personal data. It also includes sensitive personal data such as genetic data, and biometric data which could be processed to uniquely identify an individual.
When did GDPR come into force?
Following four years of preparation and debate, GDPR was approved by the European Parliament in April 2016 and the official texts and regulation of the directive were published in all of the official languages of the EU on May 2016. The legislation came into force across the European Union on 25 May 2018.
What's the GDPR compliance deadline?
As of 25 May 2018, all organisations are expected to be compliant with GDPR.
How does Brexit impact GDPR?
The UK is currently set to leave the European Union on 31 October 2019. The UK government has said this won't impact GDPR being enforced in the country, and that GDPR will work for the benefit of the UK despite the country ceasing to be an EU member. So Brexit is unlikely to have any impact on an organisation's GDPR compliance requirements.
What does GDPR mean for businesses?
GDPR establishes one law across the continent and a single set of rules which apply to companies doing business within EU member states. This means the reach of the legislation extends further than the borders of Europe itself, as international organisations based outside the region but with activity on 'European soil' will still need to comply.
One of the hopes is that by slim-lining data legislation with GDPR, it can bring benefits to businesses. The European Commission claims that by having a single supervisor authority for the entire EU, it will make it simpler and cheaper for businesses to operate within the region. Indeed, the Commission claims GDPR will save €2.3 billion per year across Europe
"By unifying Europe's rules on data protection, lawmakers are creating a business opportunity and encouraging innovation," the Commission says.
SEE: EU General Data Protection Regulation (GDPR): A cheat sheet (TechRepublic)
What that means, they say, is regulation guarantees data protection safeguards are built into products and services from the earliest stage of development, providing 'data protection by design' in new products and technologies.
Organisations are also encouraged to adopt techniques like 'pseudonymization' in order to benefit from collecting and analysing personal data, while the privacy of their customers is protected at the same time. (Although some groups have argued that this already comes too late, given the number of connected devices in the world.)
What does GDPR mean for consumers/citizens?
Because of the sheer number of data breaches and hacks that occur, the unfortunate reality for many is that some of their data - be it an email address, password, social security number, or confidential health records - has been exposed on the internet.
One of the major changes GDPR brings is providing consumers with a right to know when their data has been hacked. Organisations are required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can take appropriate measures to prevent their data from being abused.
Consumers are also promised easier access to their own personal data in terms of how it is processed, with organisations required to detail how they use customer information in a clear and understandable way.
Some organisations have already moved to ensure this is the case, even if it is as basic as sending customers emails with information on how their data is used and providing them with an opt-out if they don't issue their consent to be a part of it. Many organisations, such as those in the retail and marketing sectors, have contacted customers to ask if they want to be a part of their database.
In these circumstances, the customer should have an easy way of opting out of their details being on a mailing list. Meanwhile, some other sectors have been warned that they have a lot more to do in order to ensure GDPR compliance - especially when consent is involved.
GDPR also brings a clarified 'right to be forgotten' process, which provides additional rights and freedoms to people who no longer want their personal data processed to have it deleted, providing there's no grounds for retaining it.
Organisations will need to keep these consumer rights in mind.
Is this privacy email really from an actual company? Could it be a scam?
Organisations of all sizes in all sectors are sent customers emails, asking them to opt-in in order to keep receiving messages and other marketing material. For the most part, if the customer does want to remain on the list, they just needed to click the part of the email that tells the company they wish to remain in touch.
However, with so many organisations sending out emails on GDPR, criminals and scammers took it up as a prime opportunity to send out phishing emails in order to catch people unware - especially given how people were receiving more emails from organisations than usual.
However, those behind this scheme were very much leveraging GDPR in order to steal information, because while the real Airbnb message didn't ask for any information, those who receive the fake message are asked for their personal information, including account credentials and payment card information.
It's unlikely to be the only attempt by criminals to piggyback on GDPR for their own gain.
What is a GDPR breach notification?
GDPR sets out a duty for all organisations to report certain types of data breaches which involve unauthorised access to or loss of personal data to the relevant supervisory authority. In some cases, organisations must also inform individuals affected by the breach.
Organisations are obliged to report any breaches which are likely to result in a risk to the rights and freedoms of individuals and lead to discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage.
In other words, if the name, address, data of birth, health records, bank details, or any private or personal data about customers is breached, the organisation is obliged to tell those affected as well as the relevant regulatory body so everything possible can be done to restrict the damage.
This needs to be done via a breach notification, which must be delivered directly to the victims. This information may not be communicated only in a press release, on social media, or on a company website. It must be a one-to-one correspondence with those affected.
Speaking in April 2019, the ICO looked to clarify when organisations should report a breach and how to do so. "It's important organisations understand what to expect if they suffer a cybersecurity breach," said ICO deputy commissioner for operations, James Dipple-Johnstone.
Under GDPR, when does an organisation need to make a notification about a breach?
The breach must be reported to the relevant supervisory body within 72 hours of the organisation first becoming aware of it. Meanwhile, if the breach is serious enough to mean customers or the public must be notified, GDPR legislation says customers must be made responsible without 'undue delay.'
What are the GDPR fines and penalties for non-compliance?
Failure to comply with GDPR can result in a fine ranging from 10 million euros to four per cent of the company's annual global turnover, a figure which for some could mean billions.
Fines depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner.
The maximum fine of 20 million euros or four percent of worldwide turnover - whichever is greater - is for infringements of the rights of the data subjects, unauthorised international transfer of personal data, and failure to put procedures in place for or ignoring subject access requests for their data.
A lower fine of 10 million euros or two percent of worldwide turnover will be applied to companies that mishandle data in other ways. They include, but aren't limited to, failure to report a data breach, failure to build in privacy by design and ensure data protection is applied in the first stage of a project and be compliant by appointing a data protection officer - should the organisation be one of those required to by GDPR.
What are the biggest GDPR fines so far?
As of May 2019, the largest GDPR fine issued so far is €50m. The French data protection watchdog, CNIL, issued the fine to Google in January after coming to the conclusion that the search engine giant was breaking GDPR rules around transparency and having a valid legal basis when processing people's data for advertising purposes. Google is appealing the fine.
Prior to the Google fine, the largest GDPR penalty stood at €400,000 when a Portugese hospital was fined for 'deficient' account management practices.
It's likely that many more fines are still to come as data protection watchdogs across Europe are currently investigating thousands of cases.
What's in a GDPR-compliant breach notification?
In the event of a company losing data, be it as a result of a cyberattack, human error or anything else, the company is obliged to deliver a breach notification.
This must include approximate data about the breach, including the categories of information and number of individuals compromised as a result of the incident, and the categories and approximate numbers of personal data records concerned. The latter takes into account how there can be multiple sets of data relating to just a single individual.
Organisations also need to provide a description of the potential consequences of the data breach, such as theft of money, or identity fraud, and a description of the measures that are being taken to deal with the data breach and to counter any negative impacts which might be faced by individuals.
The contact details of the data protection officer, or main point of contact dealing with the breach, will also need to be provided.
Do we need to appoint a Data Protection Officer?
Under the terms of GDPR, an organisation must appoint a Data Protection Officer (DPO) if it carries out large-scale processing of special categories of data, carries out large scale monitoring of individuals such as behaviour tracking or is a public authority.
In the case of public authorities, a single DPO can be appointed across a group of organisations. While it isn't mandatory for organisations outside of those above to appoint a DPO, all organisations need to ensure they have the skills and staff necessary to be compliant with GDPR legislation.
SEE: GDPR proves that tech giants can be tamed
There's no set criteria on who should be a DPO or what qualifications they should have, but according to the Information Commissioner's Office, they should have professional experience and data protection law proportionate to what the organisation carries out.
Failure to appoint a data protection officer, if required to do so by GDPR, could count as non-compliance and result in a fine.
What does GDPR compliance look like?
GDPR might seem complex, but the truth of the matter is that for the most part, the legislation is consolidating principles which currently form part of the UK's Data Protection Act.
However, there are elements of GDPR such as breach notification and ensuring that someone is responsible for data protection which organisations need to address, or run the risk of a fine.
There's no 'one size fits all' approach to preparing for GDPR. Rather, each business needs to know what exactly needs to be achieved to comply and who is the data controller who has taken responsibility for ensuring it happens.
"You are expected to put into place comprehensive but proportionate governance measures," says the UK's ICO. "Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place."
SEE: Will GDPR actually protect EU citizens? 61% of infosec pros say yes (TechRepublic)
That could be the responsibility of an individual in a small business, or even a whole department in a multinational corporation. Either way, budgets, systems and personnel will all need to be considered to make it work.
Under the GDPR provisions that promote accountability and governance, companies need to implement appropriate technical and organisational measures. These could include data protection provisions (staff training, internal audits of processing activities, and reviews of HR policies), as well as keeping documentation on processing activities. Other tactics that organisations can look at include data minimisation and pseudonymisation, or allowing individuals to monitor processing, the ICO said.
In preparing for GDPR, bodies such as the ICO offered general guidance on what should be considered. All organisations need to ensure they've carried out all the necessary impact assessments are and GDPR compliant, or risk falling foul of the new directives.
GDPR is here, so what now?
As of May 25th 2018, GDPR has come into force, with the days and weeks prior to it seeing a surge in companies sending emails to customers asking them to opt-in to new privacy and consent policies. Emails came so thick and fast in the first 24 hours that many web users felt overwhelmed.
In the run up to the date, some organisations and platforms, including social media site-scoring site Klout simply shut down operations - Klout didn't explicitly point to GDPR, but the date of May 25th probably isn't a coincidence. It isn't the only service to shut down operations or restrict access to European users.
European users who visited high-profile US news websites such as The LA Times, The Chicago Times and The Baltimore Sun on the morning of May 25th found that they weren't able to access the websites, with the publishers pointing to GDPR as the reason.
"Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and are commited to looking at options that support our full range of digital offerings in the EU market," said a statement on the Chicago Tribune website.
Similar statements were posted across news publications operated by the Lee Enterprises and Tronc groups - and a year on many of these publications still display the same message to European users who try to visit the sites.
Denying users access to products - at least for the time being - is viewed by many as a price worth paying to avoid potential fines. Although some would ask the the question, what were they doing with user data and what consent did they have?
What has GDPR changed since it was introduced?
As of May 2019, many of those issues with US publishers still haven't been resolved, with the likes of Tronc still displaying the same apology to users in Europe.
Publishers aren't the only organisations that are having to come to terms with the new reality as some of the largest technology companies including Facebook say they've started to feel the bite of GDPR. The social network has blamed GDPR for a decline of about a million monthly users during the second quarter of the year, as well as a dip in advertising revenue growth within Europe.
Organisations of all sizes have found themselves affected by it to some extent. Analysts at Forrester say many companies have reported a decrease of between 25% and 40% of their addressable market for emails and other forms of contact.
As a result, many companies find themselves having to think about new methods of attracting consumers and generating revenue. Analyst Gartner has suggested that some companies may have to rethink their data center strategy as a result of legislation such as GDPR.
In the year since GDPR was introduced, some of the world's largest technology firms have attempted to re-position their products as privacy-focused - a strategy that has likely come about in some part due to increased awareness around privacy and consent.
Apple CEO Tim Cook has called for the US to introduce an equivalent to GDPR to prevent data being weaponised against users. Meanwhile, Facebook CEO Mark Zuckerberg recently spoke about how privacy will be the future of Facebook – even though he admits himself that some may find that hard to believe.
What comes next for GDPR and data protection?
Countries and regions around the world appear to be taking cues from GDPR by introducing or modifying data protection legislation. Countries which have signalled they'll change their privacy laws since the introduction of GDPR include Brazil, Japan, South Korea, India and others.
Silicon Valley, California, is also set to introduce its own data privacy laws in the California Consumer Privacy Act, which comes into force as of 1st January 2020.
The legislation follows in the footsteps of GDPR by allowing individuals to have a greater say about how their personal data is used, but in many ways it doesn't go nearly as far: there's no set time-limit for notifying consumers about a breach and organisations won't face fines for non-compliance.
However, the introduction of this legislation into the heat of the technology industry appears to suggest that privacy and consent are issues that could change how Silicon Valley operates.
IT leader's guide to the threat of cyberwarfare (Tech Pro Research)
From security and mobiles to Windows and shadow IT.
Vendor Security Alliance tweaks auditing system to be GDPR compliant
The non-profit alliance has added GDPR compliance to its yearly vendor auditing system and announced it will be taking on new members for the first time.
How Europe's GDPR will affect Australian organisations
Failure to comply with the data protection regulations could result in a €20 million fine, and Australian organisations with links to Europe will not be exempt.
READ MORE ON CYBERSECURITY