EU General Data Protection Regulation (GDPR): The smart person's guide

Enforcement of the GDPR goes into effect May 25, 2018, and will be applicable to any company that transacts with EU citizens, regardless of the location of the business.

Through the power of information technology, any enterprise that sells products or provides services via the internet is technically a global business. Regardless of whether your organization is a one-person operation selling novelty T-shirts or a Fortune 100 company providing sophisticated cloud computing solutions, you are likely to have customers residing outside your country of origin. In general, this is considered a good thing.

However, with that global reach comes certain responsibilities, some of which are codified in laws and regulations with specific, and potentially costly, consequences. For example, the European Union (EU) is about to begin enforcing a new set of regulations designed to protect the data security and the privacy of its citizens. Enforcement of the General Data Protection Regulation (GDPR) goes into effect May 25, 2018, and will be applicable to every citizen of the EU and any business entity that transacts with them, regardless of the location of the business.

Put simply, if you have a customer from an EU country and you collect any data from that customer as a result of a business transaction, you are subject to the rules and regulations of the GDPR. There are no exceptions for enterprise size or scope, which means any business with an internet presence is potentially subject to this law.

This smart person's guide explains what the GDPR is and how its provisions impact enterprises and their IT infrastructure.

Executive summary

  • What is the GDPR? The GDPR codifies and unifies data privacy laws across all EU member countries.
  • Why does the GDPR matter? Penalties for non-compliance with the provisions of the GDPR regarding collecting and using personal data are potentially devastating.
  • Who does the GDPR affect? The GDPR is applicable to any business collecting personal data from a citizen of the EU.
  • When does the GDPR go into effect? Enforcement of the GDPR goes into effect May 25, 2018.
  • How can I learn more about the GDPR? The provisions of the GDPR are publicly viewable from the EU.

What is the GDPR?

The EU GDPR replaces the Data Protection Directive 95/46/EC. The GDPR codifies and unifies the data privacy laws across all the EU member countries and applies to any citizen of the EU and, most importantly, to any company doing business with a citizen of the EU. Specifically, the extended jurisdiction of the GDPR states clearly that it applies to all companies processing the personal data of subjects residing in the Union, regardless of the company's location.

The provisions of the GDPR for keeping the personal data of customers secure, and those governing the legal collection and use of that data by businesses, are straightforward and basic common sense, but the penalties laid out for violations are significant. Enterprises found to be in violation of the provisions of the GDPR can be fined up to 4% of annual global turnover or 20 million euros, whichever is greater.

Under the GDPR, before processing any personal data, a business must ask for explicit permission from the subject. The request must use clear language. The provisions of the regulation specifically outlaw the use of long documents filled with legalese, so hiding permissions within a tome called Terms and Conditions or Privacy Policy will not suffice. The consent must be given for a specific purpose and must be requested separately from other documents and policy statements.

Why does the GDPR matter?

Any enterprise that collects data from customers is potentially subject to the provisions of the GDPR, and therefore is also subject to the penalties associated with non-compliance. Because those penalties can be steep, every enterprise should understand the GDPR and build strict compliance with it into its business practices and procedures before enforcement becomes active.

Who does the GDPR affect?

Collecting and accepting personal information from any citizen of the EU will invoke the GDPR, regardless of your enterprise's country of origin. For all intents and purposes, if your enterprise has a presence on the internet in the form of a website, and if it collects personal data from customers regardless of where those customers are located, it is subject to the provisions of the GDPR. Treated as a hedge against liability, this essentially means the GDPR applies to every public-facing enterprise.

When will the GDPR take effect?

Technically speaking, the GDPR has been ratified and is currently in effect; however, the EU granted a two-year grace period before beginning enforcement of the provisions in the law. Enforcement goes into effect May 25, 2018.

How can I learn more about the GDPR?

A complete version of the EU General Data Protection Regulation, formatted for easy reading, is available, and every enterprise that collects personal data from customers should become familiar with its provisions.
