One of the largest and most significant pieces of privacy legislation is the General Data Protection Regulation (GDPR), which was enacted in 2016 and became enforceable in 2018. GDPR applies to citizens of European Union (EU) member states; it’s also enforceable beyond the EU member states’ borders, particularly for multinational organizations that process or control personal data that could identify EU residents.
The UK also maintains an identical version of the law despite its exit from the EU. GDPR has also greatly influenced privacy regulations worldwide, including many US state privacy laws, such as the California Consumer Privacy Act (CCPA) or its more recent update, the California Privacy Rights Act (CPRA).
GDPR regards two categories of entities for regulation: data controllers and data processors as they pertain to a data subject (a person based in the EU who enjoys the protection of GDPR). Data controllers collect data from EU residents, while data processors perform various activities, known collectively as processing, on that data.
This latter definition has broad scope: cloud service providers, for example, are considered data processors if they host the systems that perform data processing. GDPR operates on a series of principles about the data gathered from data subjects:
- Personal data must be processed lawfully, fairly and transparently
- Personal data must only be collected for specified, explicit, legitimate purposes and may not be processed further for other purposes
- Data collection must be minimized to what is necessary for the intended purposes
- Personal data must be accurate and updated when necessary
- Personal data must not be stored longer than necessary for the purpose for which they are processed
- Personal data must be processed in a manner that maintains confidentiality and integrity
As its foundation, a functional privacy program that adheres to GDPR must have a strong information security program, as a privacy program cannot maintain confidentiality, integrity or purpose specificity for data processing without it. Further, GDPR contains substantial penalty provisions for noncompliance, with fines up to 10 million Euros or 2% of global annual turnover for general infringements and double that for serious infringements.
In October 2022, the European Data Protection Board (EDPB) approved the first GDPR compliance certification, called Europrivacy, for organizations in the European Economic Area (EEA). Europrivacy demonstrates compliance with GDPR for a range of data processing activities. It also can increase trust by business customers and consumers alike that organizations are adhering to their GDPR obligations.
When considering your privacy program and GDPR compliance, here are three tips to get started:
- Determine which forms of personally identifiable information (PII) your organization stores or processes. Not every form of PII is directly tied to an individual identity, but certain data elements, such as IP addresses or mobile device identifiers, when combined with others, can result in the identification of an individual.
- Consider your usage for PII and where you can enact data minimization, retention and disposal practices. GDPR requires such practices and requires that data processing occurs only for activities in which the data subject has given consent. If your organization currently uses data beyond its stated collection purpose, consider how to obtain consent in a lawful manner or how to avoid such usage.
- Work together with your information security team to develop a privacy program that fits with your overall security program. Consider readiness or gap assessment planning with Europrivacy as the most effective way to demonstrate GDPR compliance.