The General Data Protection Regulation, commonly referred to as GDPR, is an EU regulation concerning data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
The GDPR grants and strengthens the rights and controls of individuals over the processing of their personal data and harmonizes the regulatory environment for international business. Its territorial scope (Article 3) covers processing carried out in the context of an establishment in the EU or EEA, regardless of where the processing itself takes place, and processing by organizations outside the EU or EEA that offer goods or services to, or monitor the behavior of, individuals in the EU or EEA. The citizenship or place of residence of the data subjects is not the deciding factor.
What is the GDPR in simple terms?
GDPR protects eight rights of data subjects:
- The right to be informed
- The right of access to personal data
- The right to rectification of inaccurate or incomplete data
- The right to erasure (the "right to be forgotten")
- The right to restrict processing
- The right to data portability
- The right to object to processing
- Rights in relation to automated decision-making and profiling
To protect these rights, GDPR sets data protection and accountability requirements for enterprises. It also details processes for the execution and enforcement of those requirements.
Data protection requirements are based on the seven principles for data collection and processing set out in Article 5:
- Processing must be lawful, fair, and transparent (lawfulness, fairness, and transparency)
- Data may be collected only for specified, explicit, and legitimate purposes (purpose limitation)
- Only the minimum data necessary for those purposes may be collected (data minimization)
- Personal data must be kept accurate and up to date (accuracy)
- Data may be stored in identifiable form only as long as necessary (storage limitation)
- Processing must ensure the security, integrity, and confidentiality of the data (integrity and confidentiality)
- Data controllers must be able to demonstrate GDPR compliance (accountability)
The regulation also sets out the lawful bases for processing (Article 6). Consent is one of six such bases, alongside performance of a contract, a legal obligation, protection of vital interests, a task carried out in the public interest, and the controller's legitimate interests. Where a controller relies on consent, that consent must be freely given, specific, informed, and unambiguous, requested in plain language, and signaled by a clear affirmative act; pre-ticked boxes or silence do not count. Data subjects must be free to withdraw consent at any time, and withdrawing must be as easy as giving it.
The law details other obligations, such as data protection by design and by default, appointment of data protection officers in certain cases, notification of personal data breaches to the supervisory authority (normally within 72 hours of becoming aware of them), pseudonymization as a recommended safeguard, and record-keeping of processing activities. Penalties for violations may include sanctions, audits, and administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. More than 800 fines had been issued as of July 2021.
Impact of GDPR on companies
EU companies, and international companies doing business in the EU, had to invest heavily in IT infrastructure, staff (IT, legal, marketing, and data protection officers), software changes, and new procedures to become compliant with GDPR. Although public attention has focused on large, international tech firms, the law applies to organizations of every size, and the costs of compliance may be prohibitive for smaller businesses and startups.
Some businesses outside the EU responded to the increased costs by discontinuing EU business lines, blocking EU users, or ending behavioral advertising. Large multinational corporations have been the targets of civil suits alleging breaches of GDPR.
While the European Commission found that GDPR has changed consumer decision-making, the law has been criticized for inconsistent enforcement across member states and for weak enforceability.