Next DLP Blog

What is GDPR? The basics of the EU's General Data Protection Regulation

Written by Dummy Author | Aug 1, 2023 9:47:52 AM

Companies with customers in the European Union (EU) need to understand the rules that govern their use of personal data. The EU takes the privacy of personal information seriously and gives individuals in the EU stronger protections than virtually any other jurisdiction in the world.

In this post, we answer the question "what is GDPR?" and cover the basics that organizations need to know to meet its requirements.


What is the GDPR?

GDPR is the acronym for the EU's General Data Protection Regulation. It is arguably the toughest set of privacy and security regulations in the world. Though it was written to protect people in the EU, it applies to any organization that processes personal data of individuals in the EU, wherever that organization is located.

The regulation has applied since May 25, 2018. It was created out of concern for the privacy and security of personal data entrusted to organizations' IT environments and associated cloud services. It limits what data may be collected and how it may be used, and it gives individuals enforceable rights over their personal data.


Who needs to comply with the GDPR?

The GDPR does not only apply to companies located in the EU. It applies in the following cases:

  • Any organization established in the EU that processes personal data, regardless of where the processing itself takes place, must comply with the GDPR.
  • Organizations outside the EU that offer goods or services to individuals in the EU, or that monitor the behavior of individuals in the EU, must also comply with the GDPR. Nationality is irrelevant: the regulation protects data subjects who are in the EU.
  • Some obligations (for example, appointing an EU representative or keeping detailed records of processing activities) have exemptions for organizations whose processing is occasional, does not involve special categories of data on a large scale, and is unlikely to create risks for the individuals concerned. The core principles and lawful-basis requirements still apply.

The GDPR’s 7 data protection and accountability principles

The GDPR is built on seven data protection and accountability principles that must be followed whenever personal data is processed.

  • Lawfulness, fairness, and transparency - All processing must be lawful, fair, and transparent to the data subject. The GDPR defines six lawful bases for processing personal data, and at least one must apply for the processing to be compliant. We outline these bases below.
  • Purpose limitation - Personal data may only be collected for specified, explicit, and legitimate purposes, and it may not later be processed in a way that is incompatible with those purposes. Data subjects must be told what those purposes are before their data is collected.
  • Data minimization - Only data that is adequate, relevant, and limited to what is necessary for the specified purpose may be collected.
  • Accuracy - Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased without delay.
  • Storage limitation - Personal data may be kept in a form that identifies individuals only for as long as is necessary for the specified purpose.
  • Integrity and confidentiality - Personal data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  • Accountability - The data controller is responsible for compliance with these principles and must be able to demonstrate that compliance.

Reasons personal data can be collected and processed

The GDPR defines six lawful bases on which personal data may be collected and processed. They are as follows:

  • Consent - The data subject has given freely given, specific, informed, and unambiguous consent to the processing. Consent must be an opt-in; pre-ticked boxes or silence do not count, and consent can be withdrawn at any time.
  • Contract - The processing is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering into one.
  • Legal obligation - The processing is necessary to comply with a legal obligation to which the controller is subject.
  • Vital interests - The processing is necessary to protect the life or physical safety of the data subject or another person.
  • Public task - The processing is necessary to perform a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests - The controller (or a third party) has a legitimate interest in the processing that is not overridden by the interests, rights, and freedoms of the data subject. This is the most flexible basis, but it requires a documented balancing test, and public authorities cannot rely on it when performing their official tasks.

Processing personal data without one of these lawful bases is a violation of the regulation. Special categories of data (such as health, biometric, or political data) additionally require one of the narrower conditions set out in the GDPR before they may be processed at all.


Rights of data subjects

Data subjects have rights over the collection and use of their personal data. Individuals in the EU have the right to:

  • Be informed of the purpose and extent of data collection, the lawful basis, and how long the data will be kept
  • Access the data held about them and receive a copy of it
  • Rectify inaccurate or incomplete data
  • Have their data erased (the "right to be forgotten") when there is no longer a lawful reason to keep it
  • Restrict the processing of their data while, for example, a dispute about its accuracy is resolved
  • Data portability, so that data they have provided can be received in a machine-readable format and moved to another service
  • Object to the processing of their personal data, including an absolute right to object to direct marketing
  • Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them

What are the penalties for non-compliance with GDPR?

Substantial penalties can be imposed for non-compliance with the GDPR. Fines for the most serious violations (such as breaching the core principles, processing without a lawful basis, or ignoring data subject rights) can reach 20 million euros or 4% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher. Less severe violations, such as failing to keep records or notify a breach, can cost up to 10 million euros or 2% of worldwide annual turnover. Beyond fines, a violation erodes customer trust and can lead to lost business.

How does data loss prevention support GDPR compliance?

A data loss prevention (DLP) solution helps maintain GDPR compliance by enforcing a company's data handling policies throughout the organization. A reliable DLP platform can ensure that personal data covered by the GDPR is not accessed by unauthorized users, copied to unapproved locations, or transmitted insecurely, which directly supports the integrity and confidentiality principle and the accountability obligation to demonstrate that controls are in place.

The Reveal Platform by Next provides customers with an advanced, cloud-based DLP solution that deploys next-gen endpoint agents powered by machine learning technology. The agents protect data without a connection to a separate analysis engine.

Reveal also supplies user training at the point of risk and helps increase the organization’s security IQ.

Get in touch with Next and book a demo to see this advanced DLP solution in action and learn how Reveal can help you comply with GDPR standards.


Frequently asked questions

Are American citizens protected by GDPR?

The GDPR protects data subjects who are in the European Union (EU), regardless of their nationality. An American living in or visiting the EU is therefore protected while their data is processed in that context; an American in the United States generally is not, unless the processing is carried out by an organization established in the EU. Either way, American companies that offer goods or services to people in the EU or monitor their behavior must comply and can be fined for mishandling that personal data.

What is the largest fine imposed for GDPR non-compliance?

The largest GDPR fine to date was levied against Meta in May 2023 by Ireland's Data Protection Commission, the Irish data protection authority. The fine of 1.2 billion euros followed an inquiry into Meta's handling of personal data in its Facebook service. The violation concerned the transfer of European users' personal data to the U.S. without adequate safeguards.

What are GDPR Data Protection Authorities (DPAs)?

Each EU member state has at least one Data Protection Authority. A DPA is an independent public authority that supervises the application of the GDPR, protects individuals' rights related to the processing of personal data, and receives breach notifications. The DPA handles complaints about violations of the GDPR, can investigate and impose fines, and provides guidance to organizations and individuals on data protection topics. An organization with its main establishment in one member state deals primarily with that state's DPA as its lead supervisory authority.