After extensive preparation spanning several years, the General Data Protection Regulations (GDPR) took effect in 2018.
As of 2023, the regulations that safeguard the personal data of individuals have been in force throughout Europe for nearly five years, resulting in a complete modernization of the related laws.
To ensure you are compliant with GDPR, it’s imperative to be taking steps to protect a data subject’s privacy – with transparency being the key.
Read on for our top five essential facts about GDPR compliance that you need to be aware of, ranging from time constraints to the types of data that fall under the scope of GDPR.
1. There Are Time Limits for Breach Notifications
In the instance of a data breach that threatens the data privacy rights of a consumer, the company is required to report the incident within 72 hours of when they first became aware of the breach. Customers must be notified immediately, usually by the data protection officer.
In 2017, 143 million Americans were affected by a data breach involving Equifax – and the credit monitoring firm took six weeks to report the breach.
Failing to comply with this time limit can lead to considerable fines. It’s important that businesses take data breaches seriously, and have the right security measures in place to protect consumer data.
2. GDPR Applies to Most Personal Data
You may be surprised to learn that GDPR requirements govern pretty much all data points that organizations collect, across all digital platforms. This is especially the case if data is used to identify a person.
Data that is requested by websites – for example, email addresses, IP addresses, and device information, is also governed by GDPR.
Some examples of personal data that is protected under GDPR include web data such as cookie data, IP addresses, location, and RFID tags.
Likewise, any biometric data, health and genetic data, racial or ethnic data, sexual orientation information, political opinions, or basic identity information is protected under GDPR.
Essentially, any information related to an identifiable (or identified) living person is protected by GDPR. Basic identity information can be a broad category and may include user-generated information such as personal images, medical records, social media information, and pretty much any personal data transmitted online.
This means that organizations are required to protect your social media information, whether it be Facebook statuses or tweets on Twitter.
3. GDPR Affects Countries Outside the EU
Despite being mandated by the EU, GDPR affects every country. If you’re a business based in the U.S., for example, you’re not exempt from GDPR just because you aren’t based in the EU.
GDPR applies to other countries as much as it does to countries in the EU. If you offer goods or services to any subjects in the EU, then you need to be compliant with GDPR.
4. Cloud-Based Storage is Affected by GDPR
Many organizations across the world use cloud-based storage to store data – for example, Google Cloud or Microsoft Azure. However, many businesses will make the mistake of presuming these providers are GDPR compliant – but this is not always the case.
Using cloud-based storage does not take the weight of GDPR compliance off your shoulders – you are still responsible for protecting the data of your consumers. Both the systems used and the cloud provider must abide by regulations to ensure you are GDPR compliant.
5. There Have Been Over €359 Million in GDPR Fines
Data protection agencies in the EU have claimed over €359,200,000 in major GDPR fines since the regulations were implemented – and this isn’t including the minor fines.
In 2018, there were over €424,800 in fines – but this figure dramatically increased to €358,780,500 in 2019.
One of the most notable of these fines was charged to British Airways. The company was fined a staggering £183,000,000 following an attack on its website that led to over 500,000 customer records being compromised.
Many people decide to consult a consent management provider to ensure legislation compliance – not only to avoid regulatory fines but to build trust too.
