The EU’s General Data Protection Regulation (GDPR)
Your guide to GDPR data collection and security requirements – from individual rights and protections, to enforcement and compliance
The far-reaching scope of the European Union’s (EU) GDPR means that organizations must generally adapt their data collection and processing practices if they wish to process the personal data of individuals in EU member states. Stay up to date on U.S. and international privacy and data security laws with trusted news, expert analysis, Practical Guidance, and time-saving practice tools – all part of Bloomberg Law’s comprehensive research solution.
Data privacy law topics
Consumer Data Privacy Laws
Virginia Consumer Data Privacy Act (VCDPA)
California Consumer Protection Laws
Navigate GDPR data privacy requirements with confidence
Provide sound counsel to your clients or stakeholders on GDPR compliance with the latest news and analysis, Practical Guidance, and more from Bloomberg Law.
What is the GDPR?
The General Data Protection Regulation (GDPR) is one of the world’s strictest consumer privacy and data security laws, requiring organizations – regardless of their location – that process the personal data of anyone in the EU to comply with data protection standards and privacy rights. GDPR violators are subject to sanctions or harsh fines, with a maximum penalty up to €20 million or 4% of global revenue, whichever is higher.
The GDPR builds on the EU’s 1995 Data Protection Directive, a patchwork of early data protection legislation. As technology advanced in the early 2000s and data breaches became more common, the EU recognized the need for a comprehensive data protection law. On May 25, 2018, the EU implemented the GDPR.
The goal of the GDPR is to give data subjects – individuals whose data is collected – more protection in how their data is used, processed, stored, and erased by organizations. Organizations don’t need to be based in the EU for the GDPR to apply. The GDPR applies to any company that offers goods or services to individuals in the EU and processes their personal data.
Data protected by the GDPR
The GDPR protects the personal data of individuals in the EU. Personal data is defined as: “any information relating to an identified or identifiable natural person (‘data subject’).” An identifiable person is one who can be identified, directly or indirectly, through an identifier such as:
- Name
- Identification number
- Location data
- Online identifier
- Physical, physiological, genetic, mental, economic, cultural, or social identity
Information collected from a data subject can constitute personal data regardless of whether the business collecting it uses the data to identify individual users. The GDPR identifies additional special categorizations of personal data that must be collected and processed in compliance with the law: sensitive personal data, personally identifiable information (PII), and pseudonymized data.
Generally, the stricter requirements on the processing of these special categories of personal data can be satisfied in instances where the data subject has given consent, or when the data processing is necessary for carrying out legal obligations, matters of law, or the public interest, or for protecting the vital interests of the data subject. For example, a health or pharmaceutical company would need to provide statutory justification before using a data subject’s health data for a medical diagnosis or preventive care.
Sensitive personal data
Under the GDPR, certain personal data is considered “sensitive” and is subject to specific processing conditions. Examples of sensitive personal data include:
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- Genetic data
- Biometric data processed for the purpose of identifying a person
- Health-related data
- Data concerning a person’s sex life or sexual orientation
Personally identifiable information (PII)
Also protected under the GDPR, PII can overlap with sensitive personal data. However, this kind of data might not always be sensitive by nature, such as a person’s postal code or birthday.
Pseudonymized data
Although pseudonymized data is meant to conceal identity, it is considered personal data and is protected under the GDPR since the process can be reversed and information can be traced back to a data subject.
GDPR’s seven principles of data usage
Companies collecting or processing data of individuals in the EU must follow the GDPR’s seven main data protection principles:
1. Lawfulness, fairness, and transparency
Personal data must be processed in a lawful, fair, and transparent manner.
2. Purpose limitation
Personal data must be used for legitimate purposes that are explicitly spelled out to a data subject when their information is collected.
3. Data minimization
Personal data collection should be limited to what is necessary.
4. Accuracy
Personal data must be updated and accurately kept.
5. Storage limitation
Personal data can be stored only for no longer than necessary.
6. Integrity and confidentiality
Personal data must be processed using security measures, like encryption, to ensure integrity and confidentiality.
7. Accountability
The person in charge of processing personal data must be held accountable for complying with GDPR.
GDPR rights of data subjects
A key difference between the GDPR and many other consumer data privacy laws around the world is that it gives data subjects specific, legally enforceable rights concerning their personal data:
Right to be informed
Data subjects have the right to receive certain information about the collection and processing of their personal data.
Right to access
Data subjects have the right to obtain and review personal data that has been collected and generally do so free of charge.
Right to rectify
Data subjects have the right to correct any incorrect information about them swiftly, clearly, and without undue delay.
Right to erasure or be forgotten
Data subjects have the right to delete personal data (subject to certain exceptions) if, for example, holding data is no longer necessary to the purpose for which it was collected, data has been unlawfully processed, or the data subject is exercising their right to object to processing.
Right to object
Data subjects have the right to object to the use of personal data for direct marketing use, scientific research, or historical research.
Right to restrict processing
Data subjects have the right to stop the processing of personal data and to require a notice lifting the restriction and permission for any future use of that data.
Right to data portability
Data subjects have the right to obtain their personal data for the purpose of sharing it from one service provider to another through a safe and secure transfer process.
Who must comply with the GDPR?
The GDPR applies to organizations that process the personal data of individuals in the EU, even if the organization operates from an establishment outside of the EU. For example, a U.S.-based web developer that targets businesses in the EU must comply with the GDPR.
However, there are exceptions:
- If an EU citizen is living abroad in a non-EU country, then their data rights are governed by the laws of the country where they are located.
- The regulation doesn’t apply to the “processing of personal data for purely personal or household activity.” As an example, if a person collects emails for a personal book club, encryption isn’t needed as it would be under typical GDPR requirements for commercial data collection purposes.
- If an organization has fewer than 250 employees and their processing of user data isn’t a risk to the data subject, GDPR requirements don’t apply.
GDPR compliance measures
The GDPR lists several technical and organizational measures that may be appropriate for helping organizations comply with the law’s data security requirements. These include:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
GDPR data protection impact assessments
The GDPR requires organizations to conduct a data protection impact assessment (DPIA) before processing data that poses a high risk to individual rights and freedoms. For example, a DPIA is required when a company is engaged in the following:
- Conducting automated decision making, such as profiling, which may lead to the exclusion of or discrimination against individuals.
- Processing sensitive personal data on a large scale.
- Systematically monitoring a publicly accessible area on a large scale.
- When data processing involves the use of new technologies or the novel application of existing technologies.
A DPIA isn’t a one-time exercise. Rather, DPIAs should be conducted regularly and whenever a new processing activity – especially one involving a new technology – is introduced.
What should be included in a data protection impact assessment?
According to Article 35 of the GDPR, a DPIA should include at least four essential aspects:
- A description of and the purpose for the processing.
- An assessment of the processing in relation to the purpose.
- Consideration of the risks to the rights and freedoms of the data subjects, as well as the measures planned to address the risks.
- Whether the measures include safeguards, security measures, and other mechanisms to protect personal data.
How should data breaches be handled and reported under the GDPR?
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. When a personal data breach occurs, organizations must notify the relevant EU member state’s data protection authority, and in some cases the data subjects. Notifications to the data protection authority must be made without undue delay and, where feasible, no later than 72 hours after being made aware of the breach, provided the breach likely involves risks to individuals’ rights and freedoms. If a personal data breach is not reported within 72 hours, the controller must provide a reasoned justification for the delay upon notifying the data protection officer.
What happens if you violate GDPR requirements?
Penalties for noncompliance with the GDPR are imposed by EU data protection authorities. If a business infringes on multiple provisions of the GDPR, it will be fined according to the most serious offense, as opposed to being penalized for each provision.
Businesses that violate the law can be fined up to €20 million, or 4% of their worldwide annual revenue for the prior financial year, whichever is higher. Member state data protection authorities also can issue sanctions, such as bans on data processing or public reprimands. The public sector isn’t exempt.
Track the latest GDPR developments with Bloomberg Law
The changing landscape of consumer data privacy laws and regulations across the globe can make it difficult to stay compliant across multiple jurisdictions. Save valuable time when you trust Bloomberg Law to tackle complex legal research and manage compliance risks with ease.
Want to learn more? Watch the on-demand replay of our latest In-House Forum for insights into the most critical data privacy and security challenges facing corporate legal teams, including how to structure commercial transactions to safeguard your business.
Ready to get started? Request a demo to take a tour of Bloomberg Law and see our consumer data privacy resources in action.