What is GDPR?

The General Data Protection Regulation (GDPR) is a landmark piece of legislation introduced by the European Union to protect the privacy and personal data of individuals within its jurisdiction. It applies to all entities, regardless of geographic location, that collect and process the personal data of EU citizens. The regulation affords individuals greater control over their personal data and mandates that companies obtain explicit consent before collecting and processing any such information.

It also requires companies to implement appropriate security measures to safeguard personal data and to report any data breaches to authorities within a strict time frame. Non-compliance with the GDPR can result in significant financial and reputational harm.

GDPR: the causing factors

The GDPR was enacted into law by the European Union to strengthen and unify data protection laws across all EU member states. The regulation was a response to the increasing importance of personal data in the digital age and the need to provide individuals with greater control over their personal data.

The GDPR was influenced by a number of factors, including the growing concern over data breaches and misuse of personal data, as well as the need to update existing data protection laws to reflect advances in technology. The regulation also aims to create a level playing field for businesses operating in the EU by ensuring that all companies are subject to the same data protection standards.

The EU’s commitment to protecting fundamental rights, including the right to privacy and data protection was a key influence in the regulation’s passing. The GDPR was designed to provide individuals with greater transparency, control, and accountability over their personal data, while also promoting innovation and economic growth in the digital sector.

GDPR enforcement

The enforcement of GDPR across borders is the responsibility of the European Data Protection Board (EDPB). The EDPB is an independent body that was established by the GDPR and is made up of representatives from each of the EU member states’ data protection authorities.

The EDPB provides guidance on the interpretation and application of the GDPR, and it works to ensure consistency in the enforcement of the regulation across all EU member states. The EDPB also cooperates with non-EU countries on matters related to cross-border data transfers and international data protection.

Each EU member state has its own national data protection authority that is responsible for enforcing the GDPR within its own jurisdiction. These authorities have the power to investigate complaints and breaches of the GDPR, issue fines and penalties, and take legal action against companies that fail to comply with the regulation.

Streamline GDPR compliance today

Who does GDPR apply to

The GDPR applies to any individual or organization that collects or processes the personal data of individuals located in the European Union, regardless of where the data processing takes place. This means that the regulation applies to:

  • Businesses and organizations that are based in the EU, regardless of their size or industry.
  • Businesses and organizations that are based outside the EU but offer goods or services to individuals located in the EU, or monitor the behavior of individuals located in the EU.
  • Data processors who process personal data on behalf of a data controller.

The GDPR defines personal data as any information that can be used to identify an individual, directly or indirectly, such as a name, address, email address, or IP address. Therefore, any organization that collects or processes this type of data from individuals located in the EU is subject to the GDPR.

Defining personal data

According to GDPR (General Data Protection Regulation), personal data is any information that can be used to directly or indirectly identify a living individual. This includes information such as a person’s name, address, email address, phone number, social security number, passport number, IP address, or any other unique identifier that can be used to identify an individual.

Personal data can also include information about a person’s characteristics, such as their age, gender, race, religion, or any other personal attributes that could be used to identify them.

Under GDPR, personal data is also considered to include sensitive personal data, such as information about a person’s health, sexual orientation, political views, or criminal record. This type of data is subject to stricter rules and additional safeguards to protect the individual’s privacy.

GDPR article 30

GDPR Article 30 requires organizations to maintain a record of their processing activities that involve personal data. This record must include information such as the categories of data processed, the purposes of processing, and the categories of data subjects. The record must be in writing, including in electronic form, and must be made available to supervisory authorities upon request. This requirement is intended to promote transparency and accountability in data processing activities, and to help organizations comply with other GDPR provisions, such as data subject rights and data protection impact assessments.

GDPR Subject Access Rights
Download white paper.

The cost of non-compliance

The fines for non-compliance with GDPR can be significant and are designed to act as a deterrent to prevent organizations from failing to comply with the regulation. The amount of the fine depends on the nature and severity of the violation, as well as the organization’s size and revenue.

There are two tiers of fines under GDPR, with maximum penalties of:

  1. Up to 10 million euros or 2% of the organization’s worldwide annual revenue (whichever is higher), for violations related to record-keeping, data security, data breach notification, data protection impact assessments, and other procedural requirements.
  2. Up to 20 million euros or 4% of the organization’s worldwide annual revenue (whichever is higher), for violations related to the principles of data protection, including failure to obtain valid consent, processing of sensitive data without a lawful basis, and non-compliance with data subjects’ rights.

Consider the stats

The following statistics illustrate the ongoing impact of GDPR on data protection and privacy across Europe, and the challenges faced by organizations in achieving compliance with the regulation:

  1. In 2020, there were over 121,000 data breach notifications reported to European Data Protection Authorities (DPAs) since GDPR was implemented in May 2018. (Source: European Data Protection Board)
  2. The average cost of a data breach in 2020 was $3.86 million, with the highest costs incurred in the healthcare industry. (Source: IBM)
  3. In 2020, France imposed the highest total fines under GDPR, totaling €51 million, followed by Germany with €37 million. (Source: DLA Piper)
  4. According to a survey conducted by Cisco, 59% of organizations reported that GDPR has had a positive impact on their organization, with increased customer trust and enhanced data protection being the most commonly cited benefits.
  5. A survey conducted by TrustArc found that only 28% of organizations believe they are fully GDPR compliant, with 44% reporting that they are mostly compliant, and 28% stating that they are still working on compliance.
  6. The most common type of GDPR violation in 2020 was insufficient technical and organizational measures to ensure data security, accounting for 44% of all fines. (Source: DLA Piper)

Understanding GDPR Purpose Limitation

GDPR’s purpose limitation principle means that personal data should be collected and processed for specified, explicit, and legitimate purposes, and not further processed in a way that is incompatible with those purposes.

In other words, organizations must clearly define and communicate the purposes for which they collect personal data, and they should only collect data that is necessary for those purposes. If an organization wishes to use the data for a different purpose, they must obtain additional consent from the individual, and the new purpose must be compatible with the original purpose.

The purpose limitation principle is designed to protect individuals’ privacy by ensuring that their personal data is only collected and processed for legitimate reasons and is not used for any other purposes without their knowledge and consent. By limiting the use of personal data to specific, defined purposes, the GDPR aims to promote transparency, accountability, and trust between individuals and organizations that collect and process their data.

GDPR data mapping explained

GDPR data mapping is the process of identifying and documenting the personal data that an organization collects, processes, stores, and shares.

The goal of data mapping is to create a comprehensive inventory of all the personal data that an organization holds, and to document how that data is collected, used, and shared throughout the organization. This includes identifying the types of data collected, the purposes for which the data is collected, the individuals whose data is collected, and any third parties that the data is shared with.

Data mapping is an important step in GDPR compliance, as it helps organizations to understand and manage the personal data they hold. By creating a complete inventory of their data, organizations can identify any potential risks or vulnerabilities in their data handling processes, and take steps to address these issues.

Data mapping can also help organizations to meet their GDPR obligations, such as data subject access requests, data protection impact assessments, and breach notification requirements. By understanding the personal data they hold and how it is used, organizations can respond more quickly and effectively to these requests and obligations.

Has GDPR proven to be a success?

While it’s difficult to say for certain whether GDPR has helped reduce data privacy breaches and risks, as it is still a relatively new regulation and its impact is ongoing. However, there is evidence to suggest that the GDPR has had a positive impact on data privacy and security.

One of the main objectives of GDPR is to increase transparency and accountability in data processing, which has led many organizations to review and update their data privacy policies and procedures. This has resulted in greater awareness of data privacy risks and a more proactive approach to data security and breach prevention.

Under GDPR, organizations are required to report any data breaches to regulatory authorities within 72 hours of becoming aware of the breach. This has led to increased reporting of data breaches, which in turn has led to greater awareness of the scale and nature of data privacy risks.

In addition, the GDPR has given individuals greater control over their personal data, including the right to access, correct, and delete their data, as well as the right to object to certain types of data processing. This has led to greater awareness of data privacy risks among individuals and a greater sense of control over how their personal data is used.

Test drive BigID

Streamline GDPR Compliance with BigID

BigID is a data discovery platform for privacy, security, and governance that offers solutions for organizations to easily comply with various privacy regulations like GDPR. BigID’s platform helps organizations identify, classify, and manage their data, with a focus on sensitive and personal data. Here are some ways that BigID promotes GDPR compliance:

Data mapping: BigID’s RoPA App automatically identifies and maps personal data within an organization’s systems and data stores, which is a key requirement under GDPR.

Data discovery and classification: BigID’s Privacy Portal App uses machine learning and natural language processing to identify and classify personal data based on its content and context, making it easier for organizations to identify and manage personal data in compliance with GDPR.

Consent management: BigID’s Consent Governance App manages consent requests and tracks consent status for individual data subjects, which is a key requirement under GDPR.

Data subject access requests: BigID’s Data Deletion App helps organizations respond to data subject access requests within GDPR’s specified timeframes, by locating and extracting personal data associated with an individual data subject.

Data protection impact assessments (DPIAs): BigID’s PIA Automation App can help organizations automate the DPIA process, by identifying and analyzing the risks associated with processing personal data and recommending appropriate mitigation measures.

To see how BigID can implement smarter data-driven GDPR compliance for your organization— schedule a 1:1 demo today.