GDPR – General Data Protection Regulation

You might be asking yourself what the General Data Protection Regulation (GDPR) has to do with you, because you've probably never heard of it unless you own a business that operates in Europe or has website visitors from Europe. Although GDPR is a European Union law, personal data about people in the EU falls under its jurisdiction even if you process it here in America. According to eugdpr.org, "Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location. Previously, territorial applicability of the directive was ambiguous and referred to data process 'in context of an establishment'."

GDPR goes into effect on May 25th, 2018, so there isn't much time to prepare.

"Processing" is defined by the law (Article 4(2)) as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." Note how broad that is: merely storing or viewing personal data counts as processing.

If this law wasn't far-reaching enough already, eugdpr.org goes on to say, "The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU."

In practice, the territorial scope of GDPR means that any organization, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour is subject to a European Union law.

The penalties for breaking GDPR law are substantial. The $700,000 fine that Hilton Hotels & Resorts paid for its data breach could have been as much as $420,000,000 under GDPR, because the maximum fine is calculated from the company's annual global revenue: up to 4% of worldwide annual turnover or 20 million euros, whichever is higher. Note that this is a ceiling, not a fixed rate; supervisory authorities set the actual amount case by case. The eugdpr.org summary adds, "There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning 'clouds' will not be exempt from GDPR enforcement."

GDPR is broken into the following chapters, for a total of 99 articles:

  • General provisions (Articles 1 – 4)
  • Principles (Articles 5 – 11)
  • Rights of the data subject (Articles 12 – 23)
  • Controller and processor (Articles 24 – 43)
  • Transfers of personal data to third countries or international organisations (Articles 44 – 50)
  • Independent supervisory authorities (Articles 51 – 59)
  • Cooperation and consistency (Articles 60 – 76)
  • Remedies, liability and penalties (Articles 77 – 84)
  • Provisions relating to specific processing situations (Articles 85 – 91)
  • Delegated acts and implementing acts (Articles 92 – 93)
  • Final provisions (Articles 94 – 99)

If your business's data flows or data storage fit the description of the jurisdiction above, you can download MailChimp's condensed PDF of the law, or you can go to this website for an organized version of the law.

In conclusion, the key takeaways are that business owners must know what personal data they collect, where it goes, and where it is stored; create the necessary documentation and notices; and implement the required controls.