The General Data Protection Regulation (GDPR) is the strictest privacy and security law in the world. Although it was drafted and adopted by the European Union (EU), it places obligations on organizations anywhere, as long as they target or collect data relating to people in the EU.
The GDPR imposes heavy fines on those who violate its privacy and security standards, with penalties reaching tens of millions of dollars.
With the GDPR, Europe is showing its strong position on privacy and data security at a time when more and more people entrust their personal data to cloud services and breaches occur daily.
The regulation itself is broad, sweeping, and not very detailed, making GDPR compliance a daunting prospect, especially for small and medium-sized businesses (SMEs).
We have published this article to serve as a resource for SME owners and managers to address specific challenges they may face.
While it is not a substitute for legal advice, it can help you understand where to focus your GDPR compliance efforts. We also offer advice on privacy tools and how to mitigate risk.
As the GDPR continues to be interpreted, we will keep you updated on the evolution of best practices.
If you found this page – “what is GDPR?” – chances are you are looking for a crash course. Maybe you haven’t even found the document itself yet (hint: here are the full rules). Maybe you don’t have time to read it all. This page is for you.
In this article, we try to demystify the GDPR and hopefully make it less overwhelming for SMEs concerned with GDPR compliance. However, it is always recommended to consult a data and GDPR compliance professional to ensure that you understand the law and its application.
The right to private life is part of the European Convention on Human Rights of 1950, which states that “everyone has the right to respect for his private and family life, his home and his correspondence”.
On this basis, the European Union has sought to ensure the protection of this right through legislation.
As technology progressed and the internet was invented, the EU recognized the need for modern protections. Thus, in 1995, it adopted the European directive on data protection, establishing minimum standards of confidentiality and data security, on which each member state has based its own implementing law.
But already, the Internet was turning into the data vacuum it is today. In 1994, the first advertising banner appeared online. In 2000, a majority of financial institutions offered online banking services.
In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning their emails.
Two months later, the European Data Protection Authority said the EU needed “a comprehensive approach to the protection of personal data” and work began to update the 1995 directive.
The GDPR was adopted by the European Parliament and entered into force in 2016, and as of May 25, 2018, all organizations had to comply with it.
Scope, sanctions and key definitions
First, if you process the personal data of citizens or residents of the EU, or if you offer goods or services to such people, the GDPR applies to you even if you are not in the EU. We talk more about this in another article.
Second, the fines for violating the GDPR are very high.
There are two levels of penalties, which amount to a maximum of 20 million euros or 4% of worldwide turnover (whichever is greater), and those affected have the right to claim compensation for damages. We also discuss GDPR fines in more detail in a separate article.
The GDPR defines in detail a set of legal terms. Here are some of the most important that we refer to in this article:
- Personal data – All information that relates to an individual who can be identified directly or indirectly. Names and e-mail addresses are obviously personal data.
Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions may also be personal data.
Pseudonymous data can also fall within the definition if it is relatively easy to identify someone from it.
- Data processing – Any action performed on the data, whether automated or manual.
- Data controller – The person who decides why and how personal data will be processed. If you are an owner or employee of your organization who manages data, this is you.
- Data processor – A third party who processes personal data on behalf of a controller.
They can include cloud servers like Tresorit or email service providers like ProtonMail.
What the GDPR says about …
Principles of data protection
If you process data, you must do so according to seven principles of protection and responsibility set out in article 5.1-2:
- Lawfulness, fairness and transparency – The processing must be lawful, fair and transparent for the data subject.
- Purpose limitation – You must process the data only for the legitimate purposes explicitly specified to the data subject when you collected it.
- Data minimization – You should only collect and process the amount of data absolutely necessary for the specified purposes.
- Accuracy – You must keep personal data accurate and up to date.
- Storage limitation – You may only store personally identifiable information for as long as necessary for the specified purpose.
- Integrity and confidentiality – Processing should be carried out in a way that ensures appropriate security, integrity and confidentiality (for example by using encryption).
- Accountability – The data controller is responsible for being able to demonstrate compliance with all of these principles.
The GDPR states that data controllers must be able to demonstrate that they are compliant with the GDPR. And that’s not something you can do after the fact: if you think you’re GDPR compliant but can’t show how, then you’re not GDPR compliant.
Some ways to do this:
- Designate data protection responsibilities for your team.
- Keep detailed documentation of the data you collect, how it is used, where it is stored, which employee is responsible for it, etc.
- Have data processing agreement contracts in place with third parties that you contract to process the data for you.
- Designate a data protection officer (although not all organizations need one; more information on this in this article).
You are required to process data securely by implementing “appropriate technical and organizational measures”.
Technical measures range from requiring your employees to use two-factor authentication on accounts where personal data is stored, to entering into contracts with cloud providers that use end-to-end encryption.