The General Data Protection Regulation (GDPR) is Europe’s most recent privacy and security law. It went into effect May 25, 2018, and violations can net tens of millions of euros in fines. Because consumers are entrusting their personal information and data to companies in record numbers, the GDPR aims to mitigate risk for the average person. Consumers are empowered to control their personal information and how it is used.
What’s the Purpose of GDPR?
The goal behind the GDPR is to give EU citizens more control over their own data. The European Commission set out to create the GDPR in January 2012. It took four years to reach an agreement about how to reform data protection rules and ready Europe for the new digital economy.
The GDPR is designed to function in the world we have now. With the advent of the internet, a host of new data protection and privacy considerations were introduced. It is much easier for companies to record data on a global scale, then use it for marketing, product development and more.
Unfortunately, data stores are breached all the time. Banking and credit card information, personal addresses, and browsing history can be accessed by malicious entities. Businesses, governments, banks and other entities need to protect their customers by protecting their data.
The GDPR aims to address competing business and consumer privacy concerns. Ideally, it will protect consumers while making it easy for businesses to comply.
What Are the 7 Principles of GDPR?
There are seven key principles of GDPR:
- Lawfulness, fairness and transparency: Data must be processed lawfully and used transparently with respect to the individuals it concerns. This means that the consumer needs to know how the data is collected and used.
- Purpose limitation: The data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” However, companies are allowed to use the archived data for public interest, scientific or historical research purposes.
- Data minimization: Data must only be used for the purpose for which it was collected and processed. In other words, only collect the data you need—and don’t use it in ways about which the consumer was not informed.
- Accuracy: The company must make an effort to collect accurate and up-to-date information. If they find inaccurate data, it should be corrected or purged without delay.
- Storage limitation: The data should be kept in a form that limits how long the individual can be identified from it. Once the purpose of the data collection is fulfilled, it can be stored only if there’s a public interest, or a scientific or historical research purpose.
- Integrity and confidentiality (security): The data must be processed in a way that ensures its security. Companies must include “protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
- Accountability: Finally, the controller must be able to demonstrate compliance with these principles. Every company needs to have GDPR policies in place, so they can prove that they are compliant with the law at any given time.
To stay in compliance with GDPR, each company doing business in the EU must follow these principles. Failing to comply can incur severe financial penalties: for example, Amazon paid $877 million (€746 million) in 2021 for cookie consent issues. The penalties top out at either €20 million ($21,747,900) or four percent of the company’s global revenue, whichever is higher.
What Countries Does the GDPR Apply to?
Currently, GDPR laws apply to: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. (The United Kingdom was still a part of the EU when the law was passed, and therefore GDPR policies have been absorbed into UK law.)
If you do business in the European Union, it’s your responsibility to create a GDPR policy. Each of the seven principles must be acknowledged and accounted for. From determining what kind of data you plan to store and collect, to deciding who will be your controller, take the time to ensure that your business is compliant with this privacy legislation.
SixFifty’s privacy toolset makes it easy to create GDPR policies that cover all seven principles of the law. Using our proprietary technology, businesses simply answer a few questions. Then our software creates a customized GDPR policy, suitable for use in any of the countries who are subject to GDPR. All your in-house counsel has to do is review and approve—there’s no need for your lawyers to become experts in international privacy law.
If you’re ready to get started or have further questions, schedule a demo with SixFifty today.
Written by Meili Bell
Meili Bell is the Content Manager at SixFifty. She spends her workdays writing, editing, project managing and reading about the intersection of law and technology. Meili comes to SixFifty from Gifted Music School, a nonprofit music school for the most dedicated young musicians in the region, where she was program director of the school’s flagship program for the last ten...