What is GDPR?
By now, you’ve likely heard of the General Data Protection Regulation (GDPR), but you may not understand all of its implications, especially if your company operates outside of the EU. The GDPR is often referred to as the biggest and most significant change in data privacy regulation in 20 years. Its goal is to transform how organizations in every sector handle consumer data, putting consumers in the driver’s seat. For the first time, people have a say over who collects their personal data, when it’s collected, and how it’s used.
With this regulation, companies can’t just clean up the mess and say sorry after a data breach. They can’t collect and use consumer data without oversight or plainly worded disclosures. They have to be able to demonstrate that they are meeting the GDPR’s requirements for protecting that data from day one (the regulation calls this accountability). Transparency is the name of the game, a new notion for many organizations that have traditionally put data privacy on the back burner and rarely told consumers how they handle their data at all.
While the GDPR changes may seem overwhelming right now, the long-term results are expected to be better customer experiences and greater trust between consumers and companies.
12 Facts about GDPR
Plenty is riding on compliance. At least one global survey found 85 percent of U.S. companies believe the GDPR compliance regulations put them at a disadvantage with their European competitors, yet the same survey discovered the U.S. is the least trusted country for respecting privacy rights. Even more, 67 percent of U.S. consumers agree the U.S. should do more to protect their data privacy. Compliance with the GDPR could do much to improve these negative perceptions.
To help you understand the rumors swirling about GDPR, we put together this list of important facts that you need to know.
1. The GDPR May Be An EU Mandate, But It Impacts Every Country
The European Parliament approved the GDPR in April 2016 to replace the 1995 Data Protection Directive, but the regulation did not apply, and enforcement did not begin, until May 25, 2018. There’s a misconception across the pond that U.S. companies that don’t do business with European companies are exempt. Not so fast.
The GDPR applies as much to organizations in other countries as it does to those established within the EU. If any organization, EU or otherwise, offers goods or services to people who are in the EU, or monitors the behavior of people in the EU (tracking website visitors, for example), it’s on the hook, whether or not it has any European customers or offices. Note that the test is where the data subject is located, not their citizenship.
2. It Applies to Virtually All Kinds of Data
The GDPR governs almost every data point an organization would collect, across every conceivable online platform, if that data relates to an identified or identifiable person. The data doesn’t have to identify someone on its own; it’s enough that it could be combined with other information to single out an individual. That includes data routinely requested by websites, such as IP addresses, email addresses, cookie identifiers, and physical device information. Here’s a list of the types of data protected under the GDPR.
- Basic identity information (including name, address, email address, etc.)
- Web data such as location, IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
- Any information that relates to an identified or identifiable living individual
As you can imagine, that last category is extremely broad. It sweeps in user-generated content such as social media posts and personal images uploaded to websites, as well as other uniquely personal information commonly transmitted online. Some of the items above, such as health and genetic data, biometric data, racial or ethnic origin, political opinions, and sexual orientation, are “special categories” of personal data that get stricter treatment: processing them is prohibited by default unless a specific exception applies. So yes, organizations must protect your tweets and Facebook statuses, and they must be even more careful with your medical records.