What is the General Data Protection Regulation (GDPR)? To whom does it apply and what does it require?
The General Data Protection Regulation (GDPR) is a law adopted in the European Union (EU) which took effect on May 25, 2018. GDPR seeks to protect the personal data of EU data subjects (citizens and residents) and affords privacy protection for such individuals. The regulation broadly defines personal data as any information that relates to an identifiable, living human being, which can include the person's name, address, phone number, location, health records, income and banking information, etc. Essentially, if one can use the data to identify a person in any way, it is likely personal data that would render an entity receiving that data subject to the law.
Specifically, the law imposes requirements on entities that collect, use and process personal data of EU data subjects. Since the law does not limit its scope to EU-based companies, companies all over the world that employ individuals in the EU, offer goods and services to individuals in the EU, or track or profile individuals in the EU are impacted by this regulation.
The GDPR also recognizes two different roles that determine an entity's responsibilities under the regulation - data controllers and data processors. Data controllers determine the purpose and means of processing personal data. Data processors process the data on behalf of the data controller. As an example, a US-based company with EU employees would likely be a data controller since as an employer it collects personal data on those EU employees for business/employment purposes. That same company with EU employees might contract with a health and welfare broker who takes some of that personal data and processes it to enroll the employees in the company's health plan. The broker would likely be a data processor in this instance, as they are processing that information on behalf of a data controller (i.e., the employer company).
If an entity is a data controller, then they are subject to the GDPR's requirement that data processing be fair and transparent, for a specified and legitimate purpose, and limited to the data needed to fulfill that processing purpose. The regulation also gives specific legal grounds under which a controller can process personal data, including if the person gives his/her consent, if there is a contractual or legal obligation, if doing so will protect the vital interests of the person, or if it is to carry out a task that is in the public interest or in the company's legitimate interest. Keep in mind, though, that the regulation makes it clear that an individual's right to their personal data will often trump the business' interests.
Even if a company has the legal grounds to process certain personal data, they are still obligated to protect the individuals whose data they possess. Specifically, companies must:
Provide individuals with information on who is processing their data and why;
Provide individuals with access to their personal data when requested;
Erase an individual's personal data when requested (under certain circumstances); and
Correct incorrect information or complete incomplete information when necessary or stop processing that data if the individual objects.
Data controllers are also required to ensure that any data processor they use offers sufficient privacy and data protection guarantees through a written contract between the controller and processor. This contract must specify, among other things, that the data processor will only process data as directed by the controller.
Ultimately, this regulation is aimed at allowing EU data subjects more rights and control over their personal data in an increasingly technological world. Keep in mind, though, that this regulation is much more detailed and complex than what we can summarily provide in this FAQ. The potential fines and costs associated with noncompliance of this regulation can be significant, up to twenty million euros or 4 percent of an entity's worldwide revenue (in addition to any court proceedings or damage to an entity's reputation). As such, companies that feel they might be subject to the GDPR should work with legal counsel to review and assess compliance with the regulation.
About the GDPR >>
GDPR Fact Sheet >>