The General Data Protection Regulation, or GDPR, is a directive established by the European Union to protect individuals' personal information. The regulation goes into force May 25, 2018, and it replaces the EU's 1995 Data Protection Directive. While the 1995 directive applied only to organizations with a physical presence in Europe, the GDPR will apply to all organizations that collect or process the personal data of EU citizens or residents.
Under GDPR, organizations will be required to implement data protection principles, as well as technical and organizational measures, to safeguard data and protect the individuals' privacy rights. Organizations subjected to EU GDPR compliance rules must implement comprehensive privacy protections, as well as ensure systems and procedures are adequate to properly test, monitor and measure data security.
What are individuals' data rights under GDPR?
Individuals -- referred to as "data subjects" under the GDPR-- will have greater control over their personal data under the regulation. The General Data Protection Regulation includes the following data subject rights:
Right to be forgotten. Data subjects can request personally identifiable data to be erased from a company's storage.
Right of access. Data subjects can review the data that an organization has stored about them.
Right to object. Data subjects can refuse permission for a company to use or process the subject's personal data.
Right to rectification. Data subjects can expect inaccurate personal information to be corrected.
Right of portability. Data subjects can access the personal data that a company has about them and transfer it.
Under the right to be forgotten, organizations must be able to provide data to individuals in a commonly used format and delete this data within a month of a request from a data subject. These organizations must also be sure their internal procedures are able to handle these types of requests.
One exception under the right to be forgotten is the deletion of data that would compromise freedom of expression or the ability to conduct research. For example, politicians will not be able to demand that comments be deleted from a news website.
Organizations must allow people access to their own data and not prevent them from giving it to another organization. A service provider, for example, will have to allow customers to transfer data to another service provider.
How will data breach notification and data collection consent rules change under the GDPR?
EU GDPR compliance requires organizations to deploy technologies designed to prevent data breaches, and it provides strict breach notification rules. If a data breach presents a serious risk to individuals, such as discrimination, damage to reputation, financial loss or loss of confidentiality, organizations must notify the relevant national supervisory authority and the individuals at risk. Organizations that don't already have adequate systems and procedures for detecting, reporting and investigating data breaches will be required to deploy them to comply with GDPR rules.
Under the GDPR, organizations will be required to use plain language when requesting personal data, and they will have to provide information about how they process it. They must say who they are, why they are processing the data, who receives it and how long it will be stored. They must get the individual's clear, affirmative consent to process the data.
Organizations should review the way in which they seek and record users' consent, making sure their procedures account for data subjects' rights under the GDPR. They should also review their privacy notices and make sure they explain the legal basis for processing personal data. If collecting information on children, they must consider whether they have adequate systems for verifying individuals' ages and obtaining parental consent.
Text of the EU's General Data Protection Regulation
Companies warned to prepare for tougher data protection rules in the EU
What specific measures does the GDPR require to protect personal data?
Article 32 of the GDPR requires organizations to deploy technical measures to ensure data security. The necessary technical measures and practices will vary, depending on the degree of risk that is present. Organizations are required to evaluate the risks that the personal data they process is subject to -- the higher the risk the data faces, the greater the measures that must be taken to secure the data. For example, those that process data related to health, race, sexual orientation, religion and political beliefs will have to apply greater safeguards than those that process less personal data. Specific security measures are not spelled out in the regulation, but examples are provided.
The EU GDPR compliance regulations require organizations to keep records of their data-processing activity, and there is a heavy emphasis on maintaining documentation to demonstrate compliance. Records proving the organization uses technology to continuously monitor data and evaluate vulnerabilities demonstrates an effort to comply.
Organizations that do not achieve EU GDPR compliance can be fined up to 20 million euros -- about $23.6 million -- or as much as 4% of annual revenue. It is expected that enforcement will initially focus on how well organizations comply with data breach requirements.
Will organizations have to name data protection officers to comply with the GDPR?
Public authorities and organizations that conduct large-scale, systematic, regular monitoring of individuals must designate data protection officers (DPOs) under the GDPR. The DPO is an enterprise security leadership role responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
Organizations that conduct large-scale processing of special categories of data, including health records or criminal records, must designate a DPO, as well. Other organizations will have to name DPOs based on how much data they collect and whether data collection is done on a large scale.
Two examples of organizations that would have to designate DPOs are those that process personal data about genetics and health for a hospital, and those that process personal data to target advertising via search engines tracking users' online behavior. A general practitioner who collects data on patient health or a local store that sends clients an annual advertisement are examples of businesses that would not have to designate DPOs.
U.K. office warns against misinformation surrounding GDPR
Indifference over GDPR compliance rules becoming a problem
Why the General Data Protection Regulation will have a huge influence on business