What is GDPR? (General Data Protection Regulation)

The General Data Protection Regulation, or GDPR, is a regulation in EU law intended to protect consumer privacy and to regulate the ways in which third parties collect, store, use, and trade in consumer personally identifiable information, or PII. Although technically a European rule, it applies to any entity that collects or processes data in the EU, or that collects or processes the data of an individual who is themselves in the EU. As such, it is almost impossible for any online service to avoid being in some way affected.

What is GDPR and What Principles Does the General Data Protection Regulation Seek to Regulate?

Businesses covered by the GDPR may only process consumer PII under the following six conditions:

  • The data subject has provided express consent to their information being processed

  • The data subject’s information is needed to meet a contractual obligation for or with that individual

  • The data processor has an overriding legal obligation to process that data

  • In order to protect the privacy of the data subject or another specific individual

  • In order to comply with the needs of an official authority, or in the public interest

  • When the data processor can demonstrate that their needs outweigh the right of the data subject to privacy

What Rights Do Individuals Covered by GDPR Acquire?

GDPR entitles all covered individuals to:

  • The right to transparency: data collectors and processors must clearly state what they are collecting, why, and provide an opt-in option to permit their activity

  • The right to access: individuals must be able to find out what information is being held, and how it is being used, by any covered entity

  • The right to rectification and erasure: the individual must be able to correct stored errors, and to demand erasure of stored information

  • The right to object: unless the data collector or processor can show a legally compelling reason to do otherwise, they may not collect or process information if the individual refuses them permission to do so

Penalties Associated with Violations of the General Data Protection Regulation

Organizations that run afoul of GDPR may face penalties ranging from periodic audits to multi-million dollar fines. At the high end of the scale, fines may be levied equal to EUR 20M or 4% of the prior year’s global revenues, whichever is higher. At the time of writing, the highest fine levied thus far was EUR 18M (approximately $20M), in connection with the sale of personal profiles by the Austria Post.

The General Data Protection Regulation vs. the California Consumer Privacy Act

GDPR came into effect nearly two years prior to the CCPA, which has broadly similar goals but a greater focus on consumer rights. They differ, however, in a number of ways, not least in that the CCPA is still a work in progress (with additional regulations anticipated through 2030), while GDPR is effectively complete as is. Additional considerations include:

  • Both require slightly different data mapping and data flow mapping processes

  • Privacy policies created to meet GDPR requirements will likely require additional updates to meet CCPA parameters

  • Written contracts with service providers that meet GDPR requirements may need updating to include non-discrimination language to comply with CCPA

Both sets of regulations offer relatively short time periods in which to fix violations, although the CCPA offers a more generous window at 30 days versus the GDPR’s seven days. However, the CCPA allows individuals to file suit against companies, to form class action lawsuits, and to seek what could potentially be significant civil penalties.