No matter where in the world your company is located, you need to comply with the General Data Protection Regulation (GDPR) if you offer goods or services to people in the European Union or monitor their behaviour. GDPR is a regulation adopted by the European Parliament and the Council of the EU in April 2016. It consists of 99 articles grouped into 11 chapters, so discussing everything it covers here is impossible. However, by looking at the five Ws (what, why, who, when, and where) you can get a good idea of what GDPR is all about.

What Is GDPR?

GDPR (Regulation (EU) 2016/679) replaces the EU's 1995 Data Protection Directive (95/46/EC). It is widely described as the most important change in data privacy regulation in the last 20 years. Two departures from the past stand out. First, because it is a regulation rather than a directive, it applies directly in every member state without needing to be transposed into national law. Second, the cost of noncompliance is high: the maximum fine, reserved for the most serious violations, is EUR 20 million (around $23 million USD) or 4% of a company's annual worldwide turnover, whichever is greater. The fine structure is tiered, so less serious infractions carry a lower ceiling (EUR 10 million or 2% of turnover).

Why Was GDPR Created?

GDPR was created mainly to protect individuals in the EU (data subjects, not only EU citizens) from privacy violations and data breaches. Toward that end, the regulation spells out the rights people have over their personal data. For instance, they have the right to find out which organizations are storing personal data about them, what the data is being used for, and where it is processed. Furthermore, organizations must give a data subject a copy of their data, free of charge and in a commonly used electronic format, upon request.

GDPR was also created to change the way organizations approach data privacy. Today, companies often bolt data protection measures onto their systems as an afterthought. To comply with GDPR's "data protection by design and by default" requirement (Article 25), businesses need to build these measures in when they first design a system. The regulation does not, however, tell companies how to design their systems or which specific measures to include; that is left to their discretion, as long as the measures are appropriate to the risk.

A third reason for GDPR's existence is uniformity. It was created to standardize data protection law across the EU, replacing 28 different national implementations of the old directive with one directly applicable text.

Who Is Affected by GDPR?

Numerous people and organizations are affected by GDPR. Everyone whose personal data is processed while they are in the EU is protected by the regulation, regardless of their citizenship. And every organization that processes or holds that personal data, whether as a controller or as a processor, is required to comply with it. Companies do not have to be located within the EU to fall under GDPR's jurisdiction (Article 3): a U.S. or Canadian company that offers goods or services to people in the EU, or that monitors their online behaviour, must adhere to the regulation.

When Do Companies Need to Be in Compliance?

When the EU adopted GDPR in April 2016, it knew it had to give organizations time to understand and meet the requirements. Judging that two years would be sufficient, it set May 25, 2018 as the date from which the regulation applies and companies must be in compliance.

Where Is There More Information about GDPR?

If you want more information about GDPR, EUGDPR.org is a widely used starting point; note that it is an independent site, not an official EU publication. The authoritative text of Regulation (EU) 2016/679 is published on the EU's EUR-Lex portal (eur-lex.europa.eu). The More Resources page on EUGDPR.org has an extensive list of articles, videos, and other resources you can check out.


The table below breaks down some of the main challenges in the GDPR and how to address them.

| GDPR Article | What it means | How to address it |
| --- | --- | --- |
| Article 17: Right to erasure ("right to be forgotten") | A data subject can require you to delete their personal data without undue delay, so you must be able to discover and target one person's data and automate its removal. | Find it, flag it, remove it: keep an inventory of where personal data lives so a single subject's records can be located and deleted across every store. |
| Article 25: Data protection by design and by default | Build privacy and accountability into systems and business culture from the start, rather than adding them afterwards. | Reduce access to personal data to least privilege, and remediate over-broad permissions safely (verify who actually uses an entitlement before revoking it). |
| Article 30: Records of processing activities | Maintain a written record of what personal data you process, for what purposes, who receives it, how long you keep it and which security measures protect it. | Create an asset register of files and systems holding personal data; know who has access, who is actually accessing it, and when each category of data can and should be deleted. |
| Article 32: Security of processing | Implement technical and organizational measures appropriate to the risk; ensure least-privilege access; make data owners accountable; be able to show that policies and processes are in place and working. | Enforce least privilege through regular entitlement reviews, and proactively enforce separation-of-duty ("ethical wall") rules between groups that must not share data. |
| Article 33: Notification of a personal data breach to the supervisory authority | Report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, where feasible; this requires the ability to detect breaches and an incident response plan. | Detect abnormal access to personal data and policy violations, alert on them in real time as they happen, and have a tested incident response plan. |
| Article 35: Data protection impact assessment | Assess and document the risk to data subjects before starting processing that is likely to result in a high risk to them. | Conduct regular, quantified data risk assessments and keep the results as evidence. |
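The Article 30 and Article 17 rows both come down to the same engineering capability: knowing which files hold personal data and who can read them, and being able to remove one data subject's records on demand. The following Python script is an added example written for this page; it is not code from the original article or from any product. It builds a small constructed directory tree (the `make_sample_tree` helper and its contents are invented for the demo), produces a register of files containing personal data with their readability, and then erases one subject by dropping their rows from structured CSV files and redacting their identifier in unstructured text. The only "personal data" detector is an e-mail-address pattern, which is a deliberate simplification; a real deployment would use a broader classifier and would log each erasure for audit.

```python
"""Personal-data register (Article 30) and targeted erasure (Article 17).

Added example for this page, not code from the original article. File names,
contents and the e-mail-only detector are constructed assumptions for the demo.
"""
from __future__ import annotations

import csv
import io
import re
import stat
import tempfile
from pathlib import Path

# Simplified detector: one category of personal data (e-mail addresses).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_sample_tree(root: Path) -> None:
    """Write a constructed sample tree; none of these records are real."""
    (root / "crm").mkdir(parents=True, exist_ok=True)
    (root / "notes").mkdir(exist_ok=True)
    (root / "crm" / "customers.csv").write_text(
        "id,name,email\n1,Alice Example,alice@example.com\n2,Bob Example,bob@example.com\n"
    )
    (root / "notes" / "meeting.txt").write_text(
        "Follow up with alice@example.com about the renewal.\n"
    )
    (root / "README.txt").write_text("Internal project notes, no personal data.\n")
    # Permissions drive the "who can read it" column of the register (POSIX semantics assumed).
    (root / "crm" / "customers.csv").chmod(0o600)
    (root / "notes" / "meeting.txt").chmod(0o644)


def build_register(root: Path) -> list[dict]:
    """Return one entry per file that holds personal data: where, how many subjects, who can read it."""
    register = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        subjects = {m.lower() for m in EMAIL_RE.findall(text)}
        if not subjects:
            continue
        mode = path.stat().st_mode
        register.append({
            "path": str(path.relative_to(root)),
            "subjects": len(subjects),
            "group_readable": bool(mode & stat.S_IRGRP),
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return register


def erase_subject(root: Path, email: str) -> dict[str, int]:
    """Find, flag and remove every reference to one data subject.

    Structured CSV data: drop whole rows belonging to the subject, keep the header.
    Unstructured text: redact the identifier in place.
    Returns {relative path: number of rows dropped or occurrences redacted}.
    """
    target = email.lower()
    removed: dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        original = path.read_text(errors="ignore")
        if target not in original.lower():
            continue  # nothing to erase here
        if path.suffix == ".csv":
            rows = list(csv.reader(io.StringIO(original)))
            kept = [rows[0]] + [r for r in rows[1:] if not any(c.lower() == target for c in r)]
            count = len(rows) - len(kept)
            out = io.StringIO()
            csv.writer(out, lineterminator="\n").writerows(kept)
            new_text = out.getvalue()
        else:
            new_text, count = re.subn(re.escape(email), "[erased]", original, flags=re.IGNORECASE)
        path.write_text(new_text)
        removed[str(path.relative_to(root))] = count
    return removed


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    make_sample_tree(root)
    for entry in build_register(root):
        print("register:", entry)
    print("erased:", erase_subject(root, "alice@example.com"))
    for entry in build_register(root):
        print("register after erasure:", entry)
```

The register is what you would hand to an auditor for Article 30 and what tells you, for Article 25, which stores are readable more widely than least privilege allows. The erasure routine handles the two shapes personal data usually takes (a row in a structured export and a mention in free text) differently, because deleting a whole line of meeting notes would destroy unrelated information while leaving a CSV row with only the e-mail blanked would keep the subject's name.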