The EU GDPR has already had a profound effect on the way tech companies handle user data. But many still have basic questions about the bill. This article answers them.

No statistic sums up the confusion surrounding the GDPR better than the EY-IAPP survey, in which one in five respondents think complete GDPR compliance is “impossible.” Either these organizations still have serious misunderstandings about the GDPR, or they are resigning themselves to perpetually violating it and putting themselves at risk of GDPR fines. This suggests that a substantial portion of small and medium-sized businesses still have not had the time or resources to fully comprehend the GDPR.

We’ll tackle some of the most basic GDPR questions here.

What does GDPR stand for?

First things first. GDPR stands for General Data Protection Regulation. It is a European Union law that applies directly in every member state, and it replaces the Data Protection Directive, which did not.

What does the GDPR stand for, philosophically?

At its core, the General Data Protection Regulation is meant to fundamentally reshape how personal data are collected and processed by giving all individuals living in the European Union (or the greater European Economic Area) new rights to access and control their data on the Internet. There are many new rights, but several of the most common include:

  • Legal basis for processing — Your organization must justify data processing based on one of seven legal bases described in Article 6, such as a user’s unambiguous and explicit consent.
  • The right to erasure — Also known as “the right to be forgotten,” your organization must respect your users’ requests to delete their data, under certain circumstances.
  • The right to access — Your organization must supply your users with a copy of all the data you have collected from them.
  • The right to rectification — Your organization must correct any data that a user feels are inaccurate, or complete any data that a user feels are incomplete.
  • The right to data portability — Your organization must transfer the data you have from a user to another organization or the user, under certain circumstances.

Does the GDPR only apply to tech companies?

Short answer: no. According to Article 3 of the GDPR, any “controller” or “processor” that provides any good or service to an individual who lives in the EU (or the EEA) is subject to the GDPR.

According to Article 4, a controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data,” while a processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

There is a lot to parse in those two phrases, but essentially a controller is any person, agency, organization, or business that collects, analyzes, shares, or otherwise uses personal data. Are you a hotel that asks clients for personal information when they check in? If you have European clients, you are subject to the GDPR.

What are ‘personal data’?

Knowing whether the information you process qualifies as personal data is crucial to determining whether the GDPR applies to your organization. While a complete answer would run several pages (see our blog post dedicated to this question here), basically any subjective or objective information that could be used, alone or in combination with publicly available information, to identify a living human being counts as personal data.

What effect has the GDPR had so far?

The GDPR requires controllers to report data breaches to the relevant supervisory authority, generally that country’s Data Protection Office, within 72 hours. This new requirement has shone a light on how often personal data are exposed. One survey showed that nearly 60,000 data breaches were reported in the first eight months after the GDPR went into effect.

It has also led to significant investment in hiring and training privacy personnel and purchasing privacy technology. Nearly 80 percent of the companies responding to the EY-IAPP survey said privacy training was their priority for GDPR compliance this year. In the same survey, a quarter of companies said they had changed their data processor due to the GDPR, and fewer than half expect to keep their current processor. The GDPR has created a massive new marketplace for secure-by-design technology and services.

Finally, the GDPR has led to a groundswell in awareness about how personal data are handled and how many organizations process personal data every day. Data protection laws were signed in California and Brazil that openly cite the GDPR as an inspiration, and other countries around the world have begun debating their own data protection laws. It seems like it is only a matter of time before there is an American version of the GDPR.

How many fines have been assessed under the GDPR?

According to one study, only 91 fines have been assessed under the GDPR — although one was the record-setting €50 million fine against Google. Given that there were almost 60,000 reported data breaches, this is almost certainly an underrepresentation, and 2019 should see a dramatic acceleration of GDPR enforcement. Over the past year, data protection agencies were busy staffing up, answering compliance questions, and interpreting the GDPR for themselves, same as companies; this year, they will be more able to pursue investigations. Furthermore, privacy advocates, like the nonprofit None of Your Business and the French association La Quadrature du Net, have already filed dozens of GDPR complaints against major corporations, like Google, Facebook, Instagram, and WhatsApp. As these complaints work their way through the system, it is likely we will see more major fines against some of the world’s largest corporations. As Raegan MacDonald, the Head of EU Public Policy at Mozilla, told The Next Web, “I suspect that if 2018 is the year of implementation, 2019 will be the year of enforcement.”

Is the GDPR impossible to comply with?

We end where we began. The GDPR is undoubtedly a complicated document, but encouragingly, it seems less complex now to the privacy professionals tasked with implementing it than it did last year. Respondents to the EY-IAPP survey have given progressively lower difficulty scores for nearly every GDPR compliance responsibility each year since the survey began in 2017.

The majority of businesses and consumers actually appreciate what the GDPR stands for: keeping data safe and giving individuals greater control. It seems likely that its principles will spread globally. While there has been a lag in enforcement over the past year, companies put off GDPR compliance at their own peril. With the right resources and some dedication, all organizations can take the steps necessary to protect their users’ data.

For more help complying with the GDPR, click over to our GDPR checklist.