What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, is a comprehensive data privacy law that establishes a framework for the collection, processing, storage, and transfer of personal data. It requires that all personal data be processed in a secure fashion, and it includes fines and penalties for businesses that do not comply with these requirements. It also provides individuals with a number of rights regarding their personal data.
As technology advances and data collection grows more prevalent, data privacy has been put in the spotlight. At the time of its passage, the GDPR was the most comprehensive data privacy regulation. It harmonized separate data protection regulations from across the European Union (EU). It also extended the reach of those regulations to apply to non-EU organizations if they process personal data collected in the EU.
The GDPR applies to any company or organization regardless of geographical location if the company or organization offers goods and services to people in the EU or monitors their behavior within the EU.
How does the GDPR define 'personal data'?
The GDPR broadened the scope of what is considered personal data to include any information relating to an identifiable natural person. This includes details that are obviously personal, such as someone's name and address, but also any other information that could be used to identify someone, including their IP address and certain cookie identifiers associated with a web browsing session.
What are the GDPR requirements for data controllers and data processors?
The GDPR defines data controllers as entities that make decisions about the means and purposes for which personal data is collected and processed, and it defines data processors as entities that process personal data, typically on behalf of a data controller.
The GDPR also lays out seven key principles for how data controllers and processors should handle personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
In addition to describing these principles in detail, the GDPR requires several specific actions that data controllers and processors need to take. Some of these include:
- Record keeping: Data processors must keep records of their processing activities.
- Security measures: Data controllers and processors must regularly use and test appropriate security measures to protect the data they collect and process.
- Data breach notification: Data controllers that suffer a personal data breach have to notify appropriate authorities within 72 hours, with some exceptions. Usually, they also have to notify the individuals whose personal data was affected by the breach.
- Data Protection Officer (DPO): Companies that process data may need to hire a Data Protection Officer (DPO). The DPO leads and oversees all GDPR compliance efforts.
The full requirements for data controllers and processors are described in the GDPR.
What rights do data subjects have under the GDPR?
The GDPR defines a data subject as "an identified or identifiable natural person." Data subjects have the following rights:
- Right to be informed: Data subjects must be given easy-to-understand information about how their personal data is collected and processed
- Right to data portability: Data subjects can transfer their data from one data controller to another
- Right of access: Data subjects have the right to obtain a copy of collected personal data
- Right to rectification: Data subjects can correct inaccurate data about themselves
- Right to erasure: Data subjects can request that their data be deleted (also called the right to be forgotten)
- Right to restrict processing: Under certain circumstances, data subjects can limit the way their personal data is being processed
- Right to object: Data subjects have the right to object to the processing of their personal data, and under certain circumstances the data controller or data processor will be obligated to comply with the data subject's objection
- Right to object to automated processing: Data subjects can object to a decision that legally affects them that is based solely on automated data processing
What are the penalties for violating the GDPR?
The GDPR describes the fines that are to be imposed on businesses that violate its policies.
There are two tiers of fines under the GDPR, with each tier corresponding to a different category of violation:
- First tier: A violation results in a maximum fine of either €10 million or 2% of the business's worldwide annual revenue, whichever is higher.
- Second tier: A violation results in a maximum fine of either €20 million or 4% of the business's worldwide annual revenue, whichever is higher.
In addition to these fines, data subjects can seek compensation for damages when a business violates the GDPR.
Cloudflare and data privacy
The Cloudflare mission is to help build a better Internet, and data privacy is core to that mission. Cloudflare builds its products with a "privacy by design" mindset and has released a number of services to increase user privacy (including the Cloudflare Data Localization Suite). Learn about Cloudflare and the GDPR.