GDPR Basics
General Data Protection Regulation (GDPR)
Goal: To enhance the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways.
Reason: To provide better experiences for customers and individuals who trust businesses with their data.
Applies to: EU-based businesses and any business that controls or processes data of EU citizens (this includes US businesses). This means a company’s geographical location has nothing to do with the jurisdiction of GDPR.
Penalty: Up to €20 million or 4 percent of global revenues, whichever is higher.
Glossary:
Term | Definition |
Personal Data |
Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info) |
Data Controller |
A company/organization that collects individuals’ personal data and makes decisions about what to do with it |
Data Processor |
A company/organization that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data |
Data Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Requirements:
Requirement | Explanation |
Personal Data |
Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info) |
Lawful basis of processing |
1. Legal Reason to use an individual’s data Examples of Legal Reasons
|
Consent (Opt-In) | 1. Notice (through disclosure of specifically what they are opting into) 2. Affirmative opt-in (no pre-checked checkboxes) 3. Granular Consent – notice explains ways personal data will be processed and used 4. Must be freely given; not a condition of purchase/service 5. Auditable logs/evidence of the notice, consent and when it was obtained |
Withdrawal of Consent (Opt-Out) |
1. Individual must have the ability to see what they signed up for 2. Ability to opt out |
Cookies |
1. Notice that cookies are being used to track the individual (in a language they can understand) 2. Affirmative opt-in to being tracked by cookies |
Deletion | 1. Individual has right to request that the business delete all personal data about them 2. If there is a deletion request, the business must permanently remove all data 3. The business must comply within 30 days of request |
Access / Portability |
1. Individuals must have access to the personal data stored by a business 2. If access is requested, the business must provide a copy of personal data stored 3. Individuals can request to verify the lawfulness of processing |
Modification |
Individuals can request modification of stored personal data if it is inaccurate or incomplete |
Security Measures |
1. Encryption of data at rest 2. Encryption of data in transit 3. Data pseudonymization 4. Data anonymization |
Reporting |
Businesses must report any data breaches to all customers within 72 hours of occurrence |