The far-reaching scope of the European Union’s (EU) GDPR means that organizations must generally adapt their data collection and processing practices if they wish to process the personal data of individuals in EU member states. Stay up to date on U.S. and international privacy and data security laws with trusted news, expert analysis, Practical Guidance, and time-saving practice tools – all part of Bloomberg Law’s comprehensive research solution.
Data privacy law topics
Provide sound counsel to your clients or stakeholders on GDPR compliance with the latest news and analysis, Practical Guidance, and more from Bloomberg Law.
Download this informative look at the consumer data privacy laws changing business practices in the U.S.
Watch our latest In-House Forum to hear important legislative and regulatory updates and insights for evaluating new technology and consumer data policies.
Follow these 10 steps to establish and maintain a GDPR compliance program and avoid costly penalties.
The General Data Protection Regulation (GDPR) is one of the world’s strictest consumer privacy and data security laws, requiring organizations – regardless of their location – that process the personal data of anyone in the EU to comply with data protection standards and privacy rights. GDPR violators are subject to sanctions or harsh fines, with a maximum penalty up to €20 million or 4% of global revenue, whichever is higher.
The GDPR builds on the EU’s 1995 Data Protection Directive, a patchwork of early data protection legislation. As technology advanced in the early 2000s and data breaches became more common, the EU recognized the need for a comprehensive data protection law. On May 25, 2018, the EU implemented the GDPR.
The goal of the GDPR is to give data subjects – individuals whose data is collected – more protection in how their data is used, processed, stored, and erased by organizations. Organizations don’t need to be based in the EU for the GDPR to apply. The GDPR applies to any company that offers goods or services to individuals in the EU and processes their personal data.
The GDPR protects the personal data of individuals in the EU. Personal data is defined as: “any information relating to an identified or identifiable natural person (‘data subject’).” An identifiable person is one who can be identified, directly or indirectly, through an identifier such as:
Information collected from a data subject can constitute personal data regardless of whether the business collecting it uses the data to identify individual users. The GDPR identifies additional special categorizations of personal data that must be collected and processed in compliance with the law: sensitive personal data, personally identifiable information (PII), and pseudonymized data.
Generally, the stricter requirements on the processing of these special categories of personal data can be satisfied in instances where the data subject has given consent, or when the data processing is necessary for carrying out legal obligations, matters of law, or the public interest, or for protecting the vital interests of the data subject. For example, a health or pharmaceutical company would need to provide statutory justification before using a data subject’s health data for a medical diagnosis or preventive care.
Under the GDPR, certain personal data is considered “sensitive” and is subject to specific processing conditions. Examples of sensitive personal data include:
Also protected under the GDPR, PII can overlap with sensitive personal data. However, this kind of data might not always be sensitive by nature, such as a person’s postal code or birthday.
Although pseudonymized data is meant to conceal identity, it is considered personal data and is protected under the GDPR since the process can be reversed and information can be traced back to a data subject.
Companies collecting or processing data of individuals in the EU must follow the GDPR’s seven main data protection principles:
Personal data must be processed in a lawful, fair, and transparent manner.
Personal data must be used for legitimate purposes that are explicitly spelled out to a data subject when their information is collected.
Personal data collection should be limited to what is necessary.
Personal data must be updated and accurately kept.
Personal data can be stored only for no longer than necessary.
Personal data must be processed using security measures, like encryption, to ensure integrity and confidentiality.
The person in charge of processing personal data must be held accountable for complying with GDPR.
A key difference between the GDPR and many other consumer data privacy laws around the world is that it gives data subjects specific, legally enforceable rights concerning their personal data:
Data subjects have the right to receive certain information about the collection and processing of their personal data.
Data subjects have the right to obtain and review personal data that has been collected and generally do so free of charge.
Data subjects have the right to correct any incorrect information about them swiftly, clearly, and without undue delay.
Data subjects have the right to delete personal data (subject to certain exceptions) if, for example, holding data is no longer necessary to the purpose for which it was collected, data has been unlawfully processed, or the data subject is exercising their right to object to processing.
Data subjects have the right to object to the use of personal data for direct marketing use, scientific research, or historical research.
Data subjects have the right to stop the processing of personal data and to require a notice lifting the restriction and permission for any future use of that data.
Data subjects have the right to obtain their personal data for the purpose of sharing it from one service provider to another through a safe and secure transfer process.
The GDPR applies to organizations that process the personal data of individuals in the EU, even if the organization operates from an establishment outside of the EU. For example, a U.S.-based web developer that targets businesses in the EU must comply with the GDPR.
However, there are exceptions:
The GDPR lists several technical and organizational measures that may be appropriate for helping organizations comply with the law’s data security requirements. These include:
The GDPR requires organizations to conduct a data protection impact assessment (DPIA) before processing data that poses a high risk to individual rights and freedoms. For example, a DPIA is required when a company is engaged in the following:
A DPIA isn’t a one-time exercise. Rather, DPIAs should be conducted regularly and whenever a new processing activity – especially one involving a new technology – is introduced.
According to Article 35 of the GDPR, a DPIA should include at least four essential aspects:
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. When a personal data breach occurs, organizations must notify the relevant EU member state’s data protection authority, and in some cases the data subjects. Notifications to the data protection authority must be made without undue delay and, where feasible, no later than 72 hours after being made aware of the breach, provided the breach likely involves risks to individuals’ rights and freedoms. If a personal data breach is not reported within 72 hours, the controller must provide a reasoned justification for the delay upon notifying the data protection officer.
Penalties for noncompliance with the GDPR are imposed by EU data protection authorities. If a business infringes on multiple provisions of the GDPR, it will be fined according to the most serious offense, as opposed to being penalized for each provision.
Businesses that violate the law can be fined up to €20 million, or 4% of their worldwide annual revenue for the prior financial year, whichever is higher. Member state data protection authorities also can issue sanctions, such as bans on data processing or public reprimands. The public sector isn’t exempt.
The changing landscape of consumer data privacy laws and regulations across the globe can make it difficult to stay compliant across multiple jurisdictions. Save valuable time when you trust Bloomberg Law to tackle complex legal research and manage compliance risks with ease.
Watch the on-demand replay of our latest In-House Forum, Global Privacy Dynamics: Navigating Data Laws and AI Challenges, to hear important privacy issues facing in-house legal teams with legislative and regulatory updates and insights for evaluating new technology and consumer data policies.
Ready to get started? Request a demo to take a tour of Bloomberg Law and see our consumer data privacy resources in action.