GDPR

The General Data Protection Regulation (GDPR) is a European Union (EU) law that governs how organizations collect, use, store, and protect citizens’ personal data and defines individuals’ rights over their personal information.

What is GDPR?

The GDPR is a data privacy and security law that covers the collection, processing, storage, and transfer of EU citizens’ and residents’ personal data. It requires that such personal data is processed securely and allows for fines and penalties for organizations that do not comply with the requirements of the law.

What made GDPR initially unique (it became law in 2018) is that it applies to EU citizens and residents even if the company or organization processing their personal data is not located in the EU. If an organization offers goods and/or services to EU citizens and residents, it is bound by GDPR.

Penalties for GDPR violations can reach €20 million or 4% of the organization’s annual global revenue, whichever is higher.

Key GDPR roles and definitions

The GDPR has several important terms that are crucial to its enforcement and how organizations comply with the law.

  • Data subject is the individual whose data is collected or processed.

  • Personal data is any information that can directly or indirectly identify the individual. A name and email address are obvious examples, but GDPR also considers data like web cookies, gender, location, ethnicity, and religious beliefs as personal data.

  • Data controllers determine how and why personal data is collected and processed. This is typically the business selling to or collecting data from people.

  • Data processors perform manual or automated actions on personal data on behalf of a data controller. This includes third-party organizations providing cloud storage, email, and data analytics services. Processing includes data collection and storage and extends to actions like organizing data, erasing data, using data, and more.

The GDPR also compels some data controllers and data processors to appoint a data protection officer (DPO) if the organization is a public authority, has core activities that require monitoring data subjects regularly on a large scale, and those core activities are large-scale processing of a specific subset of data types such as ethnic origin, political opinions, and genetic data.

Understanding the 7 key principles of GDPR

The GDPR rests on fundamental data privacy principles to guide data handling. These seven data protection and accountability principles are as follows:

  1. Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and in a manner that is transparent to the data subject.

  2. Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes, which must be communicated to the data subject.

  3. Data minimization: Data collected should be adequate, relevant, and limited to what is necessary for the process required.

  4. Accuracy: Data must be accurate and kept up to date.

  5. Storage limitation: Data must not be kept for longer than necessary.

  6. Integrity and confidentiality: Data must be processed securely, for example by encrypting data at rest.

  7. Accountability: Data controllers are responsible for demonstrating compliance with all aspects of GDPR.

Understanding these seven principles is essential for any organization handling personal data under the GDPR. By aligning data practices with these core guidelines, businesses can not only maintain compliance but also build trust with customers and stakeholders. 

Your GDPR rights: Empowerment for data subjects

Any person using the internet qualifies as a data subject. With data privacy and security as the goal, the GDPR gives individuals more control over their personal data. Organizations that collect and process data must therefore give data subjects control over their personal data through the privacy rights the GDPR defines, listed below.

  1. Right to be informed of how personal data is being collected and used.

  2. Right of access to obtain the personal data an organization holds about them.

  3. Right to rectification for correcting inaccurate or incomplete personal data.

  4. Right to erasure so data subjects can request deletion of personal data under certain circumstances (this is similar to, but distinct from, the right to be forgotten, which is more focused on empowering people to mitigate reputational damage via search engine results).

  5. Right to restrict processing to limit how personal data is processed.

  6. Right to data portability to receive personal data in a portable format.

  7. Right to object to automated processing of personal data in certain situations.

In a world where individuals are asked to share personal information countless times a day—from signing up for services to accepting cookies—there’s a growing expectation that they should have a say in how their data is used. The GDPR recognizes this need by enshrining clear, actionable rights for data subjects, empowering people to take control of their personal information in an increasingly digital world.

GDPR compliance and data intelligence

For most midsize and larger organizations, appointing a DPO is a requirement for GDPR compliance. Beyond satisfying that requirement, the role is crucial to complying with GDPR’s principles and to structuring and applying broad, impactful data protection policies and processes that improve data privacy, risk management, and compliance.

Frequently working alongside DPOs are data stewards who manage specific data sets and have a deeper understanding of particular data. Data stewards can assist with GDPR compliance and work with data consumers and users across an organization to improve data-driven insights and enhance a data culture. This formal ownership of data assets also adds accountability across the data lifecycle.

Of course, complying with GDPR requires organizations to understand what data is being collected from data subjects, where that data is stored, and how and by which organizations it is processed. Individual data stewards may know this for a few data assets, but organizations must support this understanding at scale to achieve effective, efficient GDPR compliance and responsible data practices.

Common data intelligence capabilities used in GDPR compliance efforts include:

  • Data search and discovery for finding decentralized data from across cloud and on-premises locations.

  • Data catalog for classifying and categorizing data and providing centralized access.

  • Data lineage to understand how data moves and is processed across an organization. 

  • Data quality to automate, prioritize, monitor, and improve data quality.

  • Data governance to ensure compliance with evolving laws and regulations as well as internal and industry standards and policies. 

Alation streamlines GDPR compliance

GDPR may be the regulation that compels many organizations to act, but it can also be viewed as a catalyst for improving data practices nearly universally. Standardizing (and scaling) data management best practices is a daunting task that can be eased with Alation.

Alation provides data privacy, risk, and compliance solutions to automatically discover and classify sensitive personal data covered by GDPR and other regulations. Alation also guides data users across the enterprise in properly using data and alerts them to potential compliance issues before they happen. 

Key features include:

  • Balance data visibility with accountability by surfacing policies and applying role-based access to sensitive data naturally within users’ workflow.

  • Create, organize, and manage data policies easily and then scale with context, ownership, and transparency.

  • Mask sensitive data from view based on role and use TrustFlags to signal which data is subject to which policies.

Next steps: Learn more about GDPR

Explore GDPR and related regulations using the following resources