What is GDPR compliance: Everything you need to know about your data and how it’s being used
As of May 25, 2018, the General Data Protection Regulation (GDPR) rules went into full force across the European Union (EU). The GDPR established guidelines for how personal information is collected, processed, and used, while also governing an individual's right to control what gets used. Deleting your Chrome search history is one thing, but GDPR is much more than a simple privacy option. GDPR also affects organizations in all countries that handle the personal data of individuals within the EU, and the fines for failing to comply are hefty. The bottom line is that GDPR protects EU residents and gives them the right to control what information a person or company holds and uses.
The Facebook and Cambridge Analytica scandal of 2018 brought the concepts of personalized advertising and data harvesting into view, and it highlighted the dangers of such practices. In summary, the British analytics firm, Cambridge Analytica, was accused of harvesting data from millions of Facebook accounts without the users’ consent and knowledge to influence voting habits in the 2016 Presidential Election.
The Cambridge Analytica and Facebook scandal may have even played a role in the Brexit vote. Facebook allegedly opened the door that made such a gross betrayal of trust possible.
Despite being set up to manage how businesses handle data, the GDPR aims to protect anyone who uses the web. If you shop online, allow cookies on websites, sign up to social networks, or even subscribe to newsletters, the new regulations directly affect you and how you browse. Whenever you share personal data with another person or company, GDPR plays a role in how that data gets used.
Here’s everything you need to know.
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) results from four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data gets used.
The UK already relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but the new legislation supersedes it. GDPR introduces more stringent fines for non-compliance and breaches and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
Why was the GDPR drafted?
The drivers behind the GDPR are twofold.
First, the EU wanted to give people more control over how their data gets used. Many companies, like Facebook and Google, swap access to people's data for the use of their services. The previous legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing stricter enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Second, the EU wants to give businesses a simpler, clearer legal environment in which to operate, by making data protection law identical throughout the single market (the EU estimates this will save companies a collective 2.6 billion a year).
When did GDPR go into effect?
The GDPR went into effect on May 25, 2018. Because GDPR is a regulation, not a directive, the UK did not need to draw up new legislation; instead, the rules applied automatically. The regulation actually entered into force on May 24, 2016, when all parts of the EU agreed on the final text, but businesses and organizations had until May 25, 2018, before the law applied to them.
To whom does the GDPR apply?
“Controllers” and “processors” of data need to abide by the GDPR. A data controller determines how and why personal data is processed, while a processor is the party doing the actual processing of the data. The controller could be any organization, from a profit-seeking company to a charity or even a government; a processor could be an IT firm doing the actual data processing.
As previously mentioned, and very important, controllers and processors based outside the EU must still comply with GDPR when handling data belonging to EU residents.
It is the controller's responsibility to ensure their processor abides by data protection law, and processors must themselves keep records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
How do I give consent under the GDPR?
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance allowed under some older models that rely on pre-ticked boxes or opt-outs.
Controllers must record how and when an individual gave consent, and individuals may withdraw their consent whenever they want. If your current model for obtaining consent doesn't meet these new rules, you'll have to bring it up to speed or stop collecting data under that model.
What counts as personal data under the GDPR?
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data that organizations now collect about people, online identifiers such as IP addresses qualify as personal data. Other data, such as economic, cultural, and mental health information, is also considered personally identifiable information.
Pseudonymized personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
When can I access the data companies store about me?
You can ask for access at “reasonable intervals,” and controllers must generally respond within one month. The GDPR requires that controllers and processors be transparent about how they collect data, what they do with it, and how they process it. Their explanations of data policies and procedures must be clear and written in plain language.
You have the right to access any information a company holds about you, and the right to know why that data is being processed, how long it is stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information the controller stores about them.
You can also ask for that data, if it is incorrect or incomplete, to be rectified whenever you want.
What is GDPR’s “right to be forgotten?”
You have the right to demand that your data be deleted if it is no longer necessary for the purpose for which it was collected. This is known as the “right to be forgotten.” Under this rule, you can also demand that your data be erased if you have withdrawn consent for it to be collected, or if you object to the way it is being processed.
The controller is responsible for telling other organizations (for instance, Google) to delete any links to copies of the data, as well as the copies themselves.
What if I want to move my data elsewhere?
Controllers must now store people’s information in commonly used formats (such as CSV files) so that a person’s data can be moved to another organization, free of charge, if the person requests it. Controllers must do this within one month.
What if a company suffers a data breach?
It is the company’s responsibility to inform the data protection authority of any data breach that risks people’s rights and freedoms within 72 hours of the organization becoming aware of it. The UK authority is the Information Commissioner’s Office. Information Commissioner Elizabeth Denham believes the office needs more resources to cope with policing GDPR and responding to organizations that notify it of breaches. In March 2017, she told the EU Home Affairs Sub-Committee that more funding was necessary to recruit and retain skilled people.
That deadline is tight enough that companies probably won’t know every detail of a breach by the time they report it. However, their initial contact with their data protection authority should outline the nature of the data affected, roughly how many people are impacted, what the consequences could be for them, and what measures they have already taken or plan to take in response.
Even before notifying the data protection authority, the company should tell those affected by the data breach. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue or €10 million ($11,305,550 as of July 12, 2020, and subject to currency fluctuation), whichever is higher.
Okay, what other fines are there for failing to obey the GDPR?
The fines are worse if a company fails to follow the basic principles for processing data (such as consent), ignores individuals’ rights over their data, or transfers data to another country. The data protection authority could issue a penalty of up to €20 million ($22,611,500 as of July 12, 2020, and subject to currency fluctuation) or 4% of the company’s global annual turnover, whichever is greater.