On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect. Ever since, a steady stream of privacy policy updates has been trickling into email inboxes. The GDPR has the potential to change how companies handle information collected from individuals not just in the EU but around the world. In this post, I discuss the background behind the GDPR and highlight some basic components of the regulation. In my next post, I will discuss where GDPR applies and why even companies that do not do business in the EU should pay attention to the regulation. In my final post in the series, I will discuss what businesses should know about GDPR compliance.
Broadly speaking, the GDPR addresses what happens to the personal data that companies collect about people. In a nutshell, it provides that when a company collects a person’s “personal data,” it must obtain consent in order to process that data, have a system to keep track of that personal data, be prepared to provide an individual a copy of their own personal data upon request (sometimes called data portability), and be able to delete all of an individual’s personal data upon request (sometimes referred to as “the right to be forgotten”).
Among its many other provisions, the GDPR also requires that companies report data breaches within 72 hours of when they happen, that companies retain only the limited personal data necessary to make their services work, and that further restrictions apply when personal data is collected from children. Failure to comply with GDPR can result in steep penalties: the greater of 20 million Euros or 4% of annual revenue.
Understanding the history and underlying general principles that led to the GDPR can be instructive in understanding the regulation itself. The principles behind GDPR trace back to Article 8 of the 1950 European Convention on Human Rights (ECHR), which established the right to respect for private and family life — in other words, a right to privacy. Then, in 1981, the Council of Europe adopted Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which declared the right to privacy with regard to personal information to be a fundamental freedom.
By contrast, the right to privacy is not explicitly stated in the U.S. Constitution or Bill of Rights, although it is a constitutional right nonetheless. The history about how the right to privacy has developed in the United States over time is fascinating. If you are interested in further reading, law geeks may enjoy this scholarly history of privacy law in the United States, while this recent article in The New Yorker provides a more colloquial (i.e., readable) history of privacy law without the footnotes.
The first step in GDPR compliance is understanding the regulation’s scope and basic provisions. The Washington Post has published a concise summary of the GDPR. In addition, companies and data privacy experts (some with an interest in selling services or products related to GDPR compliance) have created very detailed and informative guides to help companies reach compliance, including Microsoft, the International Association of Privacy Professionals and DLA Piper. GDPR is a complex regulation. In addition to educating yourself on the basics, you should also consult with both technology and legal professionals in order to determine what measures, if any, are recommended for your business in order to be in compliance.