General Data Protection Regulation (GDPR)

Goal: To strengthen the protection of personal data of individuals in the EU and to increase the obligations of organizations that handle that data to do so transparently and securely.

Reason: To give customers and individuals who trust businesses with their data real control over it and a more transparent experience.

Applies to: Businesses established in the EU, and any business anywhere (including US businesses) that controls or processes personal data of individuals in the EU while offering them goods or services or monitoring their behaviour. A company's own geographical location does not determine whether GDPR applies; the location of the individuals whose data it handles does.

Penalty: Up to €20 million or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements (a lower tier of €10 million or 2 percent applies to others).

Glossary:

Personal Data

Any information relating to an identified or identifiable natural person (the data subject), e.g., name, national ID number, address, IP address, health information.

Data Controller

A company/organization that collects individuals' personal data and decides the purposes and means of processing it.

Data Processor

A company/organization that processes personal data on behalf of a controller, following its instructions, but does not decide what the data is used for.

Data Processing

Any operation or set of operations performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Requirements:

Lawful basis of processing

1. There must be a legal reason (a lawful basis) to use an individual's data
2. The business must be able to record and show which lawful basis applies to each processing activity

Examples of lawful bases

  • Consent/Opt-In with proper notice
  • Performance of a contract (e.g., sending a customer a bill)
  • "Legitimate interest" (e.g., an existing customer is sent offers for products related to what they already purchased), balanced against the individual's own rights and interests

Consent (Opt-In)

1. Notice: disclosure of specifically what the individual is opting into
2. Affirmative opt-in (no pre-checked checkboxes; silence or inactivity is not consent)
3. Granular consent: separate consent for each distinct purpose, with the notice explaining how the personal data will be processed and used for that purpose
4. Freely given: consent cannot be made a condition of purchase/service when the processing is not necessary for that service
5. Auditable evidence of the notice shown, the consent given, and when it was obtained

Withdrawal of Consent (Opt-Out)

1. Individuals must be able to see what they signed up for
2. Individuals must be able to withdraw consent at any time, and withdrawing must be as easy as giving it
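The consent and withdrawal rules above are easier to get right if they are enforced in code rather than left to a form. The following is an added example, not code from the original page or from any product: a minimal append-only consent ledger that refuses non-affirmative opt-ins, keeps consent per purpose, records the notice version and a UTC timestamp as evidence, and gates processing on the recorded lawful basis. The class and function names, the purpose strings, and the sample subject ID are all hypothetical.

```python
# Added example (not from the original page): a minimal consent ledger that
# enforces affirmative, granular, evidenced opt-in and easy withdrawal.
# Names, purposes and the sample subject ID are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str          # internal subject ID (not the email itself)
    purpose: str             # one purpose per event: consent is granular
    granted: bool            # True = opt-in, False = withdrawal
    notice_version: str      # the exact notice version the subject saw
    recorded_at: datetime    # UTC timestamp: evidence of when it was obtained
    source: str              # where it happened, e.g. "signup-form"


class ConsentLedger:
    """Append-only log of consent events; the latest event per purpose wins."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _now(self) -> datetime:
        return datetime.now(timezone.utc)

    def record_opt_in(self, subject_id: str, purpose: str,
                      notice_version: str, source: str, affirmed: bool) -> ConsentEvent:
        # Consent must be an affirmative act: a pre-checked box, silence or a
        # default value is not consent, so it is rejected rather than stored.
        if not affirmed:
            raise ValueError("consent requires an affirmative opt-in")
        if not notice_version:
            raise ValueError("consent must reference the notice the subject saw")
        event = ConsentEvent(subject_id, purpose, True, notice_version, self._now(), source)
        self._events.append(event)
        return event

    def record_withdrawal(self, subject_id: str, purpose: str, source: str) -> ConsentEvent:
        # Withdrawal must be as easy as opting in: no new notice or justification.
        previous = self.latest(subject_id, purpose)
        version = previous.notice_version if previous else ""
        event = ConsentEvent(subject_id, purpose, False, version, self._now(), source)
        self._events.append(event)
        return event

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        event = self.latest(subject_id, purpose)
        return event is not None and event.granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        # What the subject signed up for, and when: shown to them on request.
        return [e for e in self._events if e.subject_id == subject_id]


LAWFUL_BASES = {"consent", "contract", "legitimate_interest", "legal_obligation"}


def may_process(ledger: ConsentLedger, subject_id: str, purpose: str, basis: str) -> bool:
    """Gate a processing activity on its recorded lawful basis.

    Only the consent basis is checked against the ledger; the other bases are
    assumed to be documented elsewhere (a simplification for this example).
    """
    if basis not in LAWFUL_BASES:
        raise ValueError(f"unknown lawful basis: {basis}")
    if basis == "consent":
        return ledger.has_consent(subject_id, purpose)
    return True


def demo() -> dict:
    ledger = ConsentLedger()
    subject = "subj-42"                      # constructed sample subject
    try:                                     # a pre-checked box arrives as affirmed=False
        ledger.record_opt_in(subject, "marketing", "notice-v3", "signup-form", affirmed=False)
        prechecked_rejected = False
    except ValueError:
        prechecked_rejected = True
    ledger.record_opt_in(subject, "marketing", "notice-v3", "signup-form", affirmed=True)
    before = ledger.has_consent(subject, "marketing")
    analytics = ledger.has_consent(subject, "analytics")   # granular: not implied
    ledger.record_withdrawal(subject, "marketing", "preferences-page")
    after = may_process(ledger, subject, "marketing", "consent")
    billing = may_process(ledger, subject, "billing", "contract")
    return {"prechecked_rejected": prechecked_rejected, "before": before,
            "analytics": analytics, "after": after, "billing": billing,
            "events": len(ledger.history(subject))}


if __name__ == "__main__":
    print(demo())
```

The ledger is append-only on purpose: a withdrawal is a new event rather than an update of the old one, so the full history (including the notice version the person originally saw) survives as audit evidence. In a real system the events would be written to durable, tamper-evident storage and the subject ID would be a pseudonymous key rather than an email address.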

Cookies

1. Notice that cookies are being used to track the individual (in language they can understand)
2. Affirmative opt-in before tracking cookies are set; cookies strictly necessary to provide the requested service do not need consent

Deletion (right to erasure)

1. Individuals have the right to request that the business delete the personal data it holds about them
2. When a valid request is received, the business must erase that data, including copies held by its processors, unless an exemption applies (e.g., a legal obligation to retain it)
3. The business must act without undue delay and within one month of the request (often summarized as 30 days); this can be extended by two further months for complex requests if the individual is told why within the first month

Access / Portability

1. Individuals have the right to know whether a business holds personal data about them and to access it
2. On request, the business must provide a copy of the personal data within one month; for portability, data the individual provided must be supplied in a structured, commonly used, machine-readable format
3. Individuals can also request the information needed to verify the lawfulness of processing (purposes, recipients, retention period, source of the data)

Modification (right to rectification)

Individuals can request correction of stored personal data that is inaccurate, and completion of data that is incomplete

Security Measures

GDPR requires "appropriate technical and organisational measures" proportionate to the risk rather than a fixed checklist; measures it names and that are commonly expected include:

1. Encryption of data at rest
2. Encryption of data in transit
3. Data pseudonymization: replacing identifiers with tokens so the data cannot be attributed to a person without additional information that is kept separately; pseudonymized data is still personal data
4. Data anonymization: irreversibly removing the ability to identify anyone; only truly anonymized data falls outside GDPR
5. The ability to restore availability after an incident, and regular testing of the measures
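The difference between pseudonymization and anonymization in the list above is easy to blur in practice, so here is an added example (not code from the original page or any library) that shows it on constructed sample records: an unkeyed hash of an email address is not pseudonymization because anyone can recompute it from a guess; a keyed hash (HMAC) with the key held separately from the data is; and pseudonymized rows can still be singled out through quasi-identifiers, which a k-anonymity check makes visible, whereas generalizing those fields produces a dataset that no longer identifies anyone. The function names, the sample people, emails and postcodes are all invented for the example.

```python
# Added example (not from the original page): keyed pseudonymization versus
# anonymization by generalization, with a k-anonymity check on constructed
# sample records. Function names and all sample data are invented.
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; the people, emails and postcodes are not real.
RECORDS = [
    {"email": "alice@example.com", "birth_year": 1984, "postcode": "10115", "diagnosis": "asthma"},
    {"email": "bob@example.com",   "birth_year": 1987, "postcode": "10117", "diagnosis": "diabetes"},
    {"email": "carol@example.com", "birth_year": 1991, "postcode": "20095", "diagnosis": "asthma"},
    {"email": "dan@example.com",   "birth_year": 1995, "postcode": "20099", "diagnosis": "migraine"},
]
QUASI_IDENTIFIERS = ("birth_year", "postcode")   # not identifiers alone, but linkable


def naive_hash(value: str) -> str:
    # Unkeyed hash: NOT pseudonymization. Anyone can recompute it from a guess.
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256). The controller keeps the key separately from the
    # data (the "additional information kept separately" in GDPR's definition);
    # without the key the token cannot be linked back to the person.
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: list, key: bytes) -> list:
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "email"}   # drop the direct identifier
        row["subject"] = pseudonym(r["email"], key)           # stable token for joins
        out.append(row)
    return out


def anonymize(records: list) -> list:
    # Generalization: drop the direct identifier and coarsen the quasi-identifiers
    # so several people share each combination. Irreversible by design.
    return [{"birth_decade": r["birth_year"] // 10 * 10,
             "postcode_area": r["postcode"][:2],
             "diagnosis": r["diagnosis"]} for r in records]


def k_anonymity(records: list, quasi_ids: tuple) -> int:
    # Size of the smallest group sharing the same quasi-identifier values.
    # k == 1 means at least one row is unique and therefore re-identifiable.
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def dictionary_attack(targets: list, guesses: list) -> dict:
    # An attacker holding only the tokens hashes guessed emails and looks for
    # matches. This works against naive_hash and fails against pseudonym().
    table = {naive_hash(g): g for g in guesses}
    return {t: table[t] for t in targets if t in table}


def demo() -> dict:
    key = secrets.token_bytes(32)            # in practice: stored apart from the data
    guesses = ["alice@example.com", "dan@example.com", "mallory@example.com"]
    unkeyed = [naive_hash(r["email"]) for r in RECORDS]
    keyed = [pseudonym(r["email"], key) for r in RECORDS]
    pseudo = pseudonymize(RECORDS, key)
    anon = anonymize(RECORDS)
    return {
        "recovered_from_unkeyed": len(dictionary_attack(unkeyed, guesses)),
        "recovered_from_keyed": len(dictionary_attack(keyed, guesses)),
        "k_pseudonymized": k_anonymity(pseudo, QUASI_IDENTIFIERS),
        "k_anonymized": k_anonymity(anon, ("birth_decade", "postcode_area")),
    }


if __name__ == "__main__":
    print(demo())
```

On the constructed data the dictionary attack recovers two of the four unkeyed hashes and none of the keyed ones, the pseudonymized table still has k = 1 (every row is unique on birth year plus postcode, so it remains personal data), and the generalized table reaches k = 2. Four rows and k = 2 are a toy setting; real releases need larger groups and also have to consider the sensitive column itself, since a group where everyone shares the same diagnosis still leaks it.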

Reporting

1. A controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (not of its occurrence), unless the breach is unlikely to result in a risk to individuals; a later notification must explain the delay
2. If the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay
3. A processor must notify its controller without undue delay after becoming aware of a breach