The GDPR, or General Data Protection Regulation, is at the center of the European Union’s efforts to address its citizens’ data privacy and security concerns, and harmonize data protection regulations across E.U. member states. It is widely considered the most robust set of data protection standards implemented by any governing body.
The GDPR has become the de facto international standard for data security, transparency, and privacy. This is due to its uniquely strong standards, the fact that it regulates data exported outside the E.U., and because it applies to organizations in any country that collect data related to E.U. citizens. Most transnational organizations find it easier to streamline their protocols to match GDPR standards than create an inconsistent patchwork of policies and practices across the globe.
Like most data protection laws, GDPR protects personal data such as names, email addresses, location information, gender, and other individual identification markers. The GDPR also regulates the collecting, verifying, recording, organizing, structuring, sorting, erasing, storing, and transferring of personal data.
Subjects of data collection have the following rights under GDPR:
- Right to Be Informed – The right to know why the data is being requested and how it will be collected, processed, and stored.
- Right to Access – After data is collected, the right to know the reasons and uses for the data collection remains in effect, meaning that the right to be informed does not cease once the data has been submitted.
- Right to Rectification – The right to have inaccurate data corrected.
- Right to Erasure – The right to have personal data permanently deleted, often called the Right to Be Forgotten.
- Right to Restriction of Processing – The right to restrict further processing of personal data that has already been collected.
- Right to Data Portability – The right to transfer personal data in a secure and user-friendly way in a widely available format.
- Right to Object to Processing – The right to withhold consent to the processing of any data, and the right to exclude personal data from marketing databases.
- Right to Not Be Subject to Automated Decision-Making – The right to demand human intervention instead of having decisions made by computer algorithms.
Enforcement and Penalties
Any organization that seeks to do business or interact with an E.U. country, and even only one E.U. citizen residing abroad, should seek compliance with GDPR because enforcement is rigorous, and fines for non-compliance are significant. The maximum penalty is the greater of either 20 million euros or 4% of worldwide turnover. Data protection authorities (DPAs) in the E.U. issued 318 fines in 2020 alone.
- Review GDPR regulations – An in-depth reading of the law by a data security expert familiar with the organization’s data flow should identify which parts of GDPR are relevant to the organization’s operations.
- Data mapping – Thorough mapping will identify all data coming into the organization, its path within the organization, and its outflow.
- Analyze practices – With a comprehensive understanding of the regulations and a data map, every step of the data flow (data entry, data passage, and data exit) is reviewed for legal compliance.
- Security measures – Ensure that robust privacy and security measures are in place at every contact point.
- Review consent protocols and disclosures – Under GDPR, people must give explicit consent when their data is acquired, processed, stored, and transferred. Implied consent protocols that are compliant with less-robust privacy laws are not allowed under GDPR.
By meeting GDPR requirements, an organization meets the world’s strictest regulatory standards for data privacy and protection. Compliance gives data subjects peace of mind and provides organizations with a framework to address data security. It is clearly in an organization’s best interest to be thorough with implementation because of vigorous enforcement and significant fines for non-compliance.
For companies handling digital information, a Trust Center is essential in helping your customers understand how you are keeping their data private and secure.
You may contact one of our trust center experts to find out how to get started with a reliable trust center.
Please email us at email@example.com to schedule a no-pressure, free consultation.