On May 25, 2018, the European Union’s landmark General Data Protection Regulation (GDPR) fundamentally changed the relationship between businesses and their customers. Customers now have the right to control how businesses collect, process and store their personal data, and businesses are bound by rules and regulations designed to ensure that they do not violate those rights. To comply with GDPR, many businesses have had to make extensive changes to business models, organizational procedures, technology systems and working practices.
And this isn’t happening only in Europe — U.S. companies that do business in Europe often choose to comply everywhere, and other jurisdictions have or are in the process of introducing similar data protection legislation.
What will the world’s new focus on privacy and security mean for businesses, and how can they best navigate this unfamiliar landscape?
What Is General Data Protection Regulation (GDPR)?
GDPR is a European Union (EU) law that establishes privacy and ownership rights over personal data for all EU and European Economic Area (EEA) residents. GDPR defines the rules that businesses and other organizations worldwide must follow to ensure that those rights are protected. It came into force in May 2018, replacing older data protection laws that were not designed for today’s global digital economy. GDPR is widely regarded as the toughest data privacy and security regime in the world.
GDPR is extensive and comprehensive, with a legal text running to 88 pages. It’s no wonder GDPR’s rules can seem complicated and confusing for businesses. This article lays them out simply and clearly.
Key Takeaways
- GDPR is EU legislation that establishes data privacy and security rights for all residents of the EU and EEA, and regulates how businesses collect, process and store people’s personal data.
- Businesses that offer goods or services to residents of the EU and EEA, or regularly monitor the activities of those people, must comply with GDPR rules even if the business is based outside those jurisdictions.
- Businesses must be able to show they are GDPR-compliant before they process any personal data. If they cannot show they are compliant, they are not compliant.
- Penalties for breaking GDPR rules are very severe. Fines can be up to 4% of a business’s annual revenue or 20 million euros, whichever is larger.
- Many countries around the world are using GDPR as inspiration for new data protection legislation. Harmonization of laws and regulations may eventually enable data to flow as freely outside the EU as it now does within it.
GDPR Explained
Most businesses collect and process personal data. For some, it may be as simple as a list of customer names and addresses. But many companies now collect a wider range of personal data to help them target products to the right customers. And some companies generate profits by selling personal data to advertisers. When done in the right way, this can be beneficial to both the companies and their customers. But misusing or leaking personal data, or failing to keep it secure, can cause serious harm to the people concerned and undermine responsible businesses. GDPR aims to ensure that businesses and organizations that collect, process and store personal data do so in a way that respects people’s privacy and security.
GDPR gives people in the EU and the EEA the right to access, correct, amend, restrict and delete their personal data, and to copy, move or transfer it to another location. These rights apply to anyone physically located in the EU or EEA, regardless of their nationality or citizenship. They apply only to flesh-and-blood individuals — corporations and other legal entities are not “persons” for the purposes of GDPR.
To ensure that these rights are protected, GDPR regulates how businesses and organizations collect, store and process personal data. Any business or organization that holds and/or processes the personal data of people located in the EU or EEA must comply with GDPR rules, regardless of its own location in the world. So, obviously, all EU and EEA businesses must comply with GDPR rules, but so, too, must U.S. businesses that offer goods and services to people in the EU or EEA. For example, a business based in Colorado that has retail customers in Germany must comply with GDPR rules for those customers.
What Is Personal Data Under GDPR?
What exactly is personal data? GDPR defines personal data as any information relating to a natural person that enables that person to be directly or indirectly identified. This is an extremely broad definition whose scope is still not entirely clear. For example, the European Court of Justice recently ruled that information in a press release about a scientist suspected of fraud was personal data even though it was insufficient by itself to identify her.
Personal data includes names, addresses, telephone numbers, email addresses, identification numbers (such as Social Security and driving license numbers) and personal financial data, such as credit card and bank account numbers. It also includes pseudonymous online data, such as social media account names, if the individual can be identified from these. Internet cookies, which record people’s online activities, are personal data.
Personal data also includes broader information, such as work patterns (for example, the time at which someone arrives at work and how many breaks they take); responses to exam questions or tests; examiners’ comments if the individual is theoretically identifiable from them; work performance assessments; and personal credit scores. Educational achievements and work history are personal data.
Genetic, biometric and health information about an individual is considered sensitive or “special” data, as is information on the person’s gender, race or ethnicity, sex life and sexual orientation, religious or philosophical beliefs, trade union membership and political views. Processing this special data is generally prohibited under GDPR Article 9 (1). But it is permitted if the individual has given explicit consent for their data to be processed and/or the organization can show it has legitimate reasons for processing the data, such as being the person’s employer or healthcare provider.
Given the broad scope of personal data in GDPR and the fact that its definition is still to some extent a work in progress, it is wise for businesses to assume that all data they hold or process for people located in the EU and EEA is personal and therefore subject to GDPR requirements.
GDPR defines personal data processing broadly to mean any operation or set of operations performed on personal data, such as storing, collecting, retrieving, using, combining, erasing or destroying it. Processing can be automated or manual, online or offline.
What Are Data Controllers Under GDPR?
GDPR calls businesses and organizations that process people’s personal data “data controllers,” and the people whose data they process “data subjects.” So, the hypothetical retail business in Colorado mentioned above is a data controller and its German customers are data subjects. Data controllers are responsible for ensuring that all personal data processing complies with GDPR rules, even if the processing is done by third parties. Third parties that process personal data on behalf of data controllers are “data processors.”
Data controllers must have transparent and compliant privacy policies that clearly explain what data they are processing and why they are processing it. They must also have technical and organizational procedures to ensure that personal data is securely held and free from leaks. These policies and procedures must be in place before any personal data is collected or processed.
What Led to GDPR?
The origin of GDPR lies in the 1950 European Convention on Human Rights. Article 8 states: “Everyone has the right to respect for his private and family life, his home and his correspondence.” This right is often summarized as the right to privacy and security.
From the 1990s onward, as the “information economy” grew, ensuring people’s right to privacy and security required increasingly wide-ranging regulation to prevent companies from misusing personal data. In 1995, the EU passed the European Data Protection Directive, which established minimum data privacy and security standards upon which member states were expected to build their own legislation. But as global ecommerce and social media proliferated and international technology giants grew, this fragmented approach proved inadequate. In 2011, after a Google user sued the company for scanning her emails, the EU decided to replace individual member state regulations with a comprehensive, integrated set of regulations covering the whole of the EU/EEA. GDPR was born.
GDPR passed into law in 2016 and came into force for all businesses and organizations on May 25, 2018.
Key Provisions and Compliance Requirements of GDPR
The underlying principle of GDPR is that people’s data belongs to them, not to businesses or organizations that hold or process it. People have the right to control who accesses their data and the purposes for which they can use it. This is a fundamental change from earlier views of data ownership and has far-reaching implications for business strategy, organization, technology and marketing. Therefore, businesses need to understand how GDPR’s legal requirements apply to them. This section outlines the key provisions and compliance requirements of GDPR as they are laid out in the legislation, and discusses their implications for businesses.
Data Protection Principles
The seven principles of data protection as laid out in Article 5 of GDPR are:
- Lawfulness, fairness and transparency: Businesses must process people’s personal data lawfully, fairly and in a manner that is transparent to the people concerned (the data subjects). “Lawful” specifically means the processing complies with one or more of the following conditions:
- The data subject has consented to the processing.
- The processing is a necessary part of, or prelude to, a contract between the business and the data subject.
- The processing is necessary to comply with a legal obligation.
- The processing is necessary to protect the data subject’s “vital interests” or those of another person (for example, to save someone’s life).
- The processing is necessary for reasons of public interest or to comply with the instructions of a governing authority.
- The processing is necessary for business purposes (though this can’t override the right of the data subject to privacy).
- Purpose limitation: Businesses must only collect and process personal data if it is specifically needed for legitimate and explicitly stated purposes as outlined above. They must not divert that data to other purposes, except for statistical, historical or scientific research.
- Data minimization: Businesses must not collect and process more personal data than is strictly necessary to perform legitimate functions as outlined above.
- Accuracy: Businesses must ensure that all personal data is accurate and kept up-to-date. If businesses detect inaccuracies during processing, they should try to correct them as quickly as possible.
- Storage limitations: Businesses must not keep identifiable personal data any longer than strictly necessary for the purposes for which it was collected. However, archives of personal data can be kept for public interest or statistical, historical or scientific research purposes, provided that they are securely stored and not freely available to the public.
- Integrity and confidentiality: Personal data is valuable. Like all valuables, it must be protected from unauthorized or unlawful use and from accidental loss, destruction or damage.
- Accountability: Businesses that handle people’s personal data must be able to show they are GDPR-compliant. If they can’t show they are compliant, they are not compliant. If a business in Colorado developed a website that could be accessed by people in the EU but did not examine its systems and organizational procedures to ensure that they were compliant with GDPR, it would be in breach of GDPR even if not a single EU/EEA resident visited the site.
Rights of Data Subjects
The fundamental human right underpinning GDPR is the right to privacy and security enshrined in Article 8 of the European Convention on Human Rights. GDPR breaks this down into six specific enforceable rights for anyone whose personal data is being collected, processed and/or stored by businesses and organizations.
- Right to access: Data subjects have the right to know whether a business or organization is using their personal data. If it is, they have the right to obtain access to that data and to be given information on the purposes for which the data is being used; the categories of personal data collected; the intended recipients of the processed data (especially those outside the EU/EEA in “third countries” or international organizations); the period for which the data will be held, or, if that is not known, the criteria that will be used to determine that period; and whether the data will be used for automated decision-making or profiling. All categories of data are covered, including paper records and informal notes.
To obtain access to their data, individuals can make a Data Subject Access Request (DSAR). The data controller is obliged to respond within 30 days unless the data is unusually complex or there are multiple requests, in which case the time limit can be extended to 90 days. A DSAR response typically comprises a bundle of records with supporting documents, organized in chronological order. Information can be excluded from a DSAR response if, for example, it might prejudice the investigation of a suspected crime.
The first copy of the data provided under a DSAR is free, but businesses and organizations can charge fees for additional copies.
The other rights of data subjects all depend on the right to access.
- Right to rectification: Data subjects have the right to ask for any mistakes or omissions in their personal data to be rectified. Data controllers must make corrections and complete any omissions “without undue delay.”
- Right to erasure (“right to be forgotten”): Data subjects have the right to ask for their data to be erased. If the data processing is current and lawful, then the individual must first either withdraw consent for the data to be processed, if they gave it, or object to the processing, and there must be no overriding reason for the business or organization to continue processing the data (see the list under “Lawfulness” above). If the data is no longer needed or the processing was unlawful, then these steps are unnecessary. The data controller is legally obliged to remove the data “without undue delay.”
Issuing a GDPR notice of erasure is an effective way of forcing websites to remove unauthorized personal images or other harmful content, like issuing a notice under the U.S.’s Digital Millennium Copyright Act (DMCA).
- Right to restrict processing: Data subjects can request that the data controller temporarily restrict processing of their personal data, provided that one of the following conditions is met:
- The data subject has raised accuracy concerns with the data controller to which the data controller needs time to respond.
- The processing is unlawful, but the data subject prefers to restrict processing rather than erase data.
- The data controller no longer needs to process the data, but the data subject needs it to remain for legal reasons.
- The data subject has objected to processing (see below) but is awaiting a decision as to whether the data controller’s legitimate reasons for processing override the rights of the data subject.
Once a processing restriction is in place, processing can only lawfully proceed with the explicit consent of the data subject, unless it is required to comply with a legal obligation. Lifting a processing restriction also requires the explicit consent of the data subject.
- Right to data portability: Data subjects have the right to ask data controllers to transfer their data to another business or organization. The transfer must be done if it is technically feasible. This right only applies to online data and only if the data subject has explicitly given consent for processing.
- Right to object: This right enables data subjects to force data controllers to stop processing their data. Once an objection has been lodged, data controllers must not process any more of that person’s data unless they can show that they have a compelling justification that overrides the rights of the data subject, or unless the processing is essential to comply with legal obligations. This is a powerful right, which can be used, for example, to stop companies from using personal data to “profile” actual or potential customers for direct marketing purposes.
Consent Management
Consent is fundamental to GDPR. It is one of the six criteria required for data processing to be lawful. Article 4 (11) defines consent as a “freely given, specific, informed and unambiguous indication of the data subject’s wishes.” It can take the form of a statement or a “clear affirmative action.”
- Explicit consent: Unless there is a compelling reason to process data without consent, businesses must obtain data subjects’ explicit consent before collecting and processing their data. Requests for consent must be “clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language” (Article 7). Perhaps the most familiar example of a request for consent to process personal data is the ubiquitous “consent to accept cookies” banner on websites. The user must explicitly check boxes to accept or refuse internet cookies.
Businesses cannot assume consent has been given if an individual does not respond to a request for permission, and they must not circumvent the need for clear affirmation, for example, by pre-filling check boxes. Children under 13 cannot give explicit consent without the permission of their parents or legal guardians. Businesses must keep documentary evidence that consent has been explicitly given.
- Withdrawal of consent: Article 7 of GDPR says that data subjects have the right to withdraw consent at any time, and that withdrawing consent must be as easy as granting it. Withdrawing consent must not invalidate any data processing that took place before consent was withdrawn. Businesses must not circumvent withdrawal of consent by using another of the “lawfulness” criteria to justify continuing to process the data. Before people give their consent, businesses must inform them of their right to withdraw it.
Organizational Measures
GDPR has far-reaching implications for business organization and procedures. Here are three of the most impactful aspects.
- Data protection officer (DPO): GDPR requires certain types of organizations to appoint a DPO, including public authorities (other than courts acting in a judicial capacity); businesses whose core functions involve continually monitoring the activities of large numbers of people, such as large technology companies delivering services enhanced by artificial intelligence, like Facebook and Google; and businesses or other organizations whose core activities involve large-scale processing of the special data types listed in Article 9 or data relating to criminal convictions and offenses (Article 10).
For other businesses and organizations, appointing a DPO is optional. However, it can be beneficial to have a designated individual whose job is to understand the GDPR’s impact on the business, advise on the design and implementation of GDPR-compliant systems and procedures, conduct training and monitor compliance. Even without a DPO, businesses must appoint a named individual to act as point of contact for the GDPR supervisory authority and data subjects, and must ensure that GDPR regulations are fully understood, implemented and enforced throughout the business.
- Privacy by design (PbD): The principle of Privacy by Design (PbD) says that privacy and security should be fundamental to the design of systems and business processes/procedures, rather than added on as an afterthought. It was first proposed as a universal framework in the 1990s by Ann Cavoukian, former Privacy Commissioner of Ontario, and is now widely accepted as a best practice in systems design.
GDPR makes PbD not merely a best practice but a legal requirement. Article 25 of GDPR requires data controllers to implement appropriate technical and organizational measures “at the time of the determination of the means for processing” — which means at the design stage of systems and procedures development. For example, a business that is developing a new product must identify what personal data the product might collect, consider ways of minimizing this data and identify the best technology for securing the data. Article 25 also requires that systems and procedures “by default” minimize processing of personal data and ensure that it is not made widely available without consent.
- Data Protection Impact Assessments (DPIA): Article 35 of GDPR requires data controllers to conduct DPIAs for any type of processing, and especially processing that uses new technology, that could present a high risk to people’s rights and liberties. DPIAs must be completed before the processing is implemented. If the DPIA concludes that the risk to people’s rights and liberties is too high to continue with the planned strategy, the business must recast the strategy to mitigate the risk.
Data Breach Notification
Businesses must do everything they possibly can to minimize the risk of data breaches. However, even with the best-laid plans, mistakes can still happen, and fast-moving technological developments can enable criminals to breach the security of well-managed businesses. So, businesses need to have procedures in place to manage data breaches. Articles 33 and 34 of GDPR specify what businesses must do in the event of a data breach.
- Notification requirements: Businesses must notify their supervisory authority — each EU member state must establish one — within 72 hours of a data breach, unless the breach presents no risk to the privacy and security of the data subjects (for example, if all the compromised data is securely encrypted). The notification must describe the nature of the data breach (for example hacking, ransomware, human error) and, as far as possible, the number of people affected and the types of data that have been compromised, what the likely consequences of the data breach will be and what the business plans to do about it.
- Notify individuals: If a data breach presents a high risk to the people affected — for example, if unencrypted credit card or bank account details have been leaked — the business must notify those people individually as quickly as possible. If that is operationally impossible (for example, if millions of people are affected), the business must undertake a public information campaign designed to achieve the same effect as individual notification. Notification must explain in clear and plain language what has happened, what the likely consequences will be and what the business plans to do about it. It must also include contact details for the business’s DPO or other responsible person.
Data Transfers
GDPR data transfer principles aim to ensure that transferring people’s personal data from one country to another doesn’t compromise their rights under GDPR. Since all countries in the EU/EEA are covered by GDPR, people’s rights are automatically protected in data transfers between those countries. But for transfer of data outside the EU, additional measures are needed. Data transfers outside the EU/EEA (“restricted transfers”) cannot legally be made unless adequate additional measures are in place. This includes data transfers between entities in the same corporate group, if personal data is being transferred.
For some countries, data transfers are covered by an EU “adequacy decision” that, in effect, says the country’s data protection regulation is equivalent to GDPR. Data transfers to these countries are treated as GDPR transfers. Countries that have adequacy decisions in place include Argentina, Canada, Israel, Japan, New Zealand, South Korea, Switzerland, the U.K. (since Brexit) and Uruguay. The U.S. does not have a countrywide adequacy decision, but corporate members of the EU-U.S. Data Protection Framework are covered by an adequacy decision.
If there is no adequacy decision for a proposed data transfer, the transfer may not take place unless there are GDPR-compliant safeguards to protect people’s rights. Article 46 lists the acceptable safeguards:
- A legally binding and enforceable agreement between public authorities or bodies.
- Binding corporate rules as specified in Article 47.
- Standard data clauses adopted by the EU Commission or by an EU supervisory authority and approved by the EU Commission.
- Certification under an approved certification mechanism together with binding and enforceable commitments from the recipient of the data outside the EU/EEA.
- Contractual clauses authorized by an EU supervisory authority.
- Administrative arrangements between public authorities or bodies that include enforceable and effective rights for the people whose data is transferred and which have been approved by an EU supervisory authority.
Without an adequacy decision or GDPR-compliant safeguards, data transfers can still take place if they are covered by one or more of the exceptions listed in Article 49:
- The data subjects explicitly consent to the data transfer.
- The transfer is essential to the performance of an existing or potential contract between the data controller and the data subject(s).
- It is essential to the performance of an existing or potential contract that benefits another individual.
- It is necessary for reasons of public interest.
- It is necessary to establish the existence of a legal claim, to make such a claim or to defend a claim.
- It is necessary to protect the vital interests of another individual who is physically or legally incapable of consenting.
- It is from a public register.
- The data controller is making a one-off transfer in their own compelling legitimate interests.
Establishing whether data transfers outside the EU/EEA are legal under GDPR can be something of a minefield for global businesses. However, it is unwise to ignore or circumvent the transfer rules, since penalties for illegal transfers can be very high. In 2023, Meta Platforms received a 1.2 billion-euro ($1.12 billion) fine for illegally transferring user data to the U.S., the largest fine to date for a GDPR breach.
Penalties
Penalties for GDPR breaches are severe. Organizations can face fines of up to 4% of annual global revenue or 20 million euros ($18.6 million), whichever is greater. Fines are levied by the national regulators of EU countries.
Although most fines are only a few thousand euros, the size of penalties is increasing. The largest fines to date have been levied by Ireland’s Data Protection Authority (IE DPA). It was the IE DPA that imposed the record fine noted above on Meta Platforms, owner of Facebook, Instagram and WhatsApp, for illegally transferring EU users’ data to the U.S. It also levied further fines totaling 390 million euros ($362.7 million) on Facebook and Instagram for circumventing consent regulations. In 2022, IE DPA fined Instagram 405 million euros ($376.65 million) for violating children’s privacy and, in 2021, it fined WhatsApp 225 million euros ($209.25 million) for failing to include “legitimate interests” for data processing in its company privacy policy.
But Ireland is not the only country imposing large fines. In 2021, Luxembourg’s National Commission for Data Protection fined Amazon 746 million euros ($693.78 million) for consent breaches and, in 2023, France’s Data Protection Authority fined the French advertising technology company Criteo 40 million euros ($37.2 million) for GDPR breaches related to targeted advertising.
In addition to heavy fines, companies that breach GDPR can face civil claims from affected individuals.
Records and Supervision
Recordkeeping and supervision of what are often automated data processing activities may seem like afterthoughts, but they are fundamental to GDPR. Businesses need to pay close attention to them to be fully compliant.
- Records of processing activities: Article 30 requires data controllers to maintain records of all data processing for which they are responsible, and data processors to maintain records of all data processing carried out on behalf of a data controller, including transfers outside the EU/EEA. Records must be maintained in writing, which includes electronic form. In addition to recording actual data processing, data controllers must record the purposes of the data processing, the categories of data subjects and personal data, the categories of data recipient (especially in third countries or intergovernmental organizations), time limits for data processing if available and, if possible, a general description of technical and organizational security measures taken to protect the data.
- Supervisory authorities: GDPR supervisory authorities are public bodies of EU/EEA member states that are appointed by those countries’ governments but are legally and functionally independent of them. There can be more than one supervisory authority in a member state, but if there is, one will be designated the “lead” authority. Supervisory authorities have wide-ranging tasks and powers. Their tasks, which are set out in Article 57, can be broadly summed up as encompassing the authorities’ responsibility for ensuring that GDPR is understood by individuals and adopted by businesses and organizations, that it is enforced when necessary and that the authorities address any people’s complaints. Powers, laid out in Article 58, include the power to investigate GDPR breaches and issue corrective action, including regulatory fines and suspensions. Supervisory authorities have a particularly crucial role to play in data transfers outside the EU/EEA. They are responsible for approving many of the safeguards that must be put in place to enable such transfers.
Businesses need to deal with only one supervisory authority. Usually, this is the supervisor of the country in which their European operations are headquartered or in which they do most of their European business. This is a major change from the pre-GDPR regime, where businesses had to deal with multiple supervisors. It is intended to streamline supervision and reduce the burden on both businesses and supervisors. The European Data Protection Board (EDPB) is the supervisors’ supervisor, providing guidance to supervisory authorities and facilitating communication among them. It exists to ensure that GDPR is applied consistently and enforced rigorously, and that supervisory authorities cooperate.
GDPR’s Impact on Businesses
When GDPR first came into force, the impact on businesses was considerable. Many businesses had to make far-reaching changes to their business model and organizational practices. However, the level of disruption is now falling. Businesses are adapting to the new regulatory landscape and discovering that better data protection for customers can bring opportunities for them.
Here are some of the areas where GDPR’s impact has been particularly prominent.
Increased Compliance Costs
Businesses have always had to comply with data protection regulations. But GDPR’s rules are wider-ranging and more intrusive for businesses. Information storage standards are higher, rules around data collection and processing are stricter — for example, the requirement to obtain meaningful consent for most data uses — and monitoring and reporting are more onerous. DSARs are particularly challenging, since they require companies to produce the original records, not merely report what they said or showed. GDPR has thus raised compliance costs for businesses compared with previous data protection regulations.
Operational Changes
GDPR requires businesses to give higher priority to people’s privacy and security than to business advantage. This is a fundamental shift in the traditional approach to doing business, particularly for businesses whose profit-generating strategy relies on capturing, processing and/or selling personal data. For many businesses, implementing GDPR means making major changes to their entire operational landscape.
The need for extensive operational changes to comply with GDPR rules should lessen over time as businesses embed GDPR principles in the way they work. However, for some businesses, embedding GDPR may mean reduced revenue and/or profits over the longer term.
Legal and Regulatory Challenges
Although GDPR was intended to create a level regulatory playing field for all businesses with customers in Europe, the field has turned out to be rather bumpy due to inconsistencies between supervisory authorities and divergence between local laws and GDPR. Courts and legislators bear responsibility for smoothing out these bumps, but the process is likely to take a very long time. Businesses may have to learn to live with unclear legislation and regulatory uncertainty.
Enhanced Consumer Rights
GDPR establishes data protection as a fundamental principle of business. People’s personal data belongs to them even when it is held by businesses or organizations, and they have the right to decide who should access it and who can use it. Businesses must not generally collect or use people’s data without their consent, and cannot transfer it to another jurisdiction unless there are guarantees in place that people’s rights will be protected. There are particularly strong safeguards around sensitive data, such as race and ethnicity, sexual orientation, religion, beliefs and political views. There are severe penalties for misusing people’s data or failing to comply with regulations. All of this adds up to a substantial enhancement of consumer rights.
Impact on Marketing Strategies
GDPR requires businesses to be open and transparent about their use of personal data for marketing purposes. This has forced some companies to rethink their marketing strategies and redesign key parts of the consumer interface, such as websites.
On the plus side, businesses are now looking for ways of using data protection to improve customer engagement and generate sales. For example, advertising campaigns highlighting a company’s use of advanced personal data protection technology help reassure consumers that any data they provide will be safe. Some businesses are starting to use data protection as a marketing strategy.
Sector-Specific Impacts
GDPR affects almost all business sectors, but the extent of changes varies considerably. Here are some of the most significantly affected sectors:
- Tech companies, particularly those that rely heavily on user data for advertising and product development, have had to make significant adjustments to comply with GDPR.
- Small- and medium-sized businesses often struggle with the resources required for full compliance, potentially putting them at a disadvantage compared with larger corporations with more resources.
- The automotive industry has had to redesign processes to incorporate GDPR principles into the manufacture of “smart” vehicles. GDPR’s “purpose limitation” principle is particularly problematic for smart vehicle manufacturers, since using the data collected by smart vehicles for purposes other than vehicle functionality or road safety raises issues of consent, access and control of the data.
- Healthcare clinics in the EU/EEA (and the U.K., which adopted GDPR as its own legislation when it left the EU) must now give patients who issue DSARs their full medical records. Often, these records are on paper and parts are handwritten. Organizing this data into a form that can be issued to patients is a considerable administrative cost.
Global Influence of GDPR
GDPR’s influence extends far beyond the boundaries of the EU/EEA. It is not only businesses with customers in Europe that are affected, but global trade in general. Other jurisdictions are now updating their data protection laws in light of GDPR, and there are moves to improve international relations so that data can flow more freely while keeping consumers safe. Below is a discussion of the wider international implications of GDPR.
Inspiration for Other Jurisdictions
GDPR is groundbreaking legislation that has become a benchmark for data protection in countries all over the world. For example, the South American countries Brazil, Chile and Argentina have all introduced data protection legislation based on GDPR. Many countries in the Middle East and North Africa, including Qatar, the United Arab Emirates and Egypt, have adopted data protection legislation similar to GDPR, and several sub-Saharan African countries have enhanced their existing data protection legislation to make it more like GDPR. In 2022, Tanzania and Eswatini introduced new data protection regulations based on GDPR. Although few Asian countries use GDPR as a model, it has nonetheless influenced their attitude toward privacy and security. Almost all Asian countries have strengthened their data protection legislation in the last few years.
In the U.S., California’s Consumer Privacy Act (CCPA) was signed into law in June 2018. Based on GDPR, it provides data privacy and security protections for all California residents and affects businesses both within and beyond California.
Many companies based in jurisdictions whose data protection legislation is incompatible with GDPR are choosing to adopt GDPR rules themselves. For example, in Hong Kong, companies are applying GDPR principles to data collection and processing for non-EU customers, such as Hong Kong residents. This may be because it is simpler to apply a single set of regulations to all customers or it may reflect consumer demand for better data protection.
Harmonization of Data Protection Laws
GDPR was designed to harmonize data protection laws within Europe. Although there are still conflicts with local laws in certain member states, it has largely succeeded. Personal data can now flow freely within the EU/EEA without compromising the privacy and security of residents.
But outside the EU/EEA, it’s a different matter. Harmonizing data protection laws around the world would do much to improve both global information flows and data protections, to the benefit of businesses and customers alike. GDPR, the global benchmark for data protection legislation, would be the obvious template for such harmonization. Some jurisdictions are already examining how their existing legislation can be brought into line with GDPR or are contemplating new legislation based on GDPR.
However, legislation can take a long time to create and enact, and many jurisdictions prefer a “homegrown” approach. Data protection standards may be converging, but full harmonization seems a long way off.
One way of harmonizing data protection standards (though not laws) globally might be for businesses and organizations to adopt GDPR on a co-regulatory basis. For example, the EU-U.S. Data Privacy Framework (also known as the Privacy Shield) — which provides a legal mechanism for the transfer of personal data from the EU to the U.S. that is consistent with GDPR — and its equivalents for the U.K. and Switzerland are initiated and administered by the U.S. government and its counterparts but are not supported by federal legislation. Some analysts have called for developing countries to adopt similar co-regulatory initiatives.
Compliance Requirements for Non-EU Companies
One of the most disruptive aspects of GDPR is its imposition of EU/EEA data protection standards on companies based outside of Europe. In many jurisdictions, data protection legislation imposes requirements on businesses based within its borders but not on businesses trading from outside its borders. But under GDPR, any business that offers goods or services to people in the EU/EEA or regularly monitors their activities must comply with GDPR, regardless of where in the world it is based.
For non-EU businesses, this creates two classes of customer: those that are covered by GDPR rules and those that are not. Businesses must know where their customers are located and ensure that they apply GDPR rules to any that are in the EU/EEA. Failing to comply with this requirement can be extremely expensive; mislocating EU/EEA customers, or not recording their locations, is a GDPR data breach attracting heavy fines. Some companies opt to apply GDPR rules to all customers irrespective of their location rather than attempt to manage multiple sets of data protection rules.
Fortunately, non-EU businesses operating in Europe need to deal with only one GDPR supervisory authority, usually that of the country in which their European activities are headquartered or where they do the majority of their consumer-facing business. This is known as the “one-stop-shop.” It has come in for criticism because of inconsistencies between supervisory authorities and the desire of some companies to choose their supervisor. But for non-EU businesses trying to navigate the complexities of GDPR, having a single supervisory authority is a boon.
Cross-Border Data Transfer Restrictions
GDPR’s cross-border data transfer restrictions aim to ensure that data privacy and security for EU/EEA residents are protected even when the data is processed outside the EU/EEA. But for businesses in jurisdictions that have no EU “adequacy decision” permitting unimpeded data transfers, dealing with these restrictions is complex, time-consuming and costly. Some question whether data protection rules that impede business activity can really be justified if the people they aim to protect suffer economically as a result.
Advocates of GDPR, however, argue that the solution is for jurisdictions to bring their data protection laws in line with GDPR.
Consumer Awareness and Expectations
GDPR has raised consumer awareness of data privacy issues. In 2019, one year after GDPR came into force, the EU conducted a survey that showed EU consumers were overwhelmingly aware of GDPR and the implications for them. More recently, mainstream media reporting of data crime, such as hacking and phishing, and numerous high-profile data breaches (especially during the COVID-19 pandemic), have raised people’s awareness of the risks to their personal data and the actions they can take to protect it. Infosecurity Magazine reported in 2023 that consumers are now more willing to terminate relationships with businesses that they feel don’t respect their privacy and security; for example, Facebook’s user base has declined since a series of high-profile privacy scandals. However, many businesses today, particularly large tech companies, depend on a large customer base. Complying with GDPR or other data protection legislation may be more than just a cost of doing business — it may be vital for business survival.
Business Practices
With data privacy taking front stage among customers and regulators, and GDPR demanding that businesses put data protection at the core of their business model, companies are having to make radical changes to their practices. Technology, as ever, will be key to the privacy-oriented businesses of the future, delivering secure data storage, efficient data organization and streamlined data management. But privacy will also dominate the customer relationship. Website designers are already adapting designs to combat “consent fatigue” and encourage customers to pay more attention to protecting their data from malicious actors. Data protection is set to become a source of competitive advantage — in the future, businesses will compete to deliver excellence in data protection.
International Cooperation
Removing the obstacles that GDPR introduces into global data flows and the impediments it creates for international business demands international cooperation. Just as countries enter into mutual trade agreements to enable them to trade freely with each other, so countries need to enter into mutual data protection agreements to enable personal data to flow freely between them. The EU’s adequacy decisions are one-sided rather than mutual, but they do enable data to flow freely from the EU to certain countries. However, the EU is also now including data protection clauses in its trade agreements. This appears to be a promising approach that could be adopted by other countries.
Standard-Setting
Although GDPR sets standards for all businesses with customers in Europe, it cannot set global standards. But if data protection is to be maintained without compromising international data flows and global trade, countries need to work toward common standards and respect the rights of each other’s residents. The Global Privacy Assembly, a confederation of data protection and privacy authorities from many countries, has established a working group to promote the development of common standards, shared understanding of core data protection terms and the protection of personal data anywhere in the world.
Conflict of Laws
Because GDPR operates beyond the borders of Europe, it can come into conflict with the laws of other jurisdictions. One area of particular concern to U.S. businesses is the conflict between GDPR and U.S. discovery rules. U.S. courts have wide powers to order the disclosure of information, including personal data. Several defendants have tried to invoke GDPR to prevent a discovery ruling, but, so far, U.S. courts have always ruled that discovery takes priority over data protection. This can present companies with a stark dilemma: As the International Association of Privacy Professionals put it, they may have to choose between violating a U.S. court order and violating GDPR.
Cost and Complexity
For international businesses, complying with GDPR can be costly. GDPR divides customers into two different groups, depending on their location: GDPR rules apply to one group, but customers in the other group are subject to the rules of their own jurisdiction. This generates complexity in customer relationships and inefficiency in organizational procedures, leading to extra cost and waste. To reduce this, some technology giants apply GDPR rules to all customers, including those outside Europe.
GDPR also creates extra cost and delays in international data transfers because of its insistence that data transfers outside the EU/EEA can take place only if there is no risk to the data privacy and security rights of European customers. Ensuring that the necessary agreements, safeguards or exemptions are in place is time-consuming and expensive.
However, by harmonizing data protection regulations, GDPR has eliminated delays and reduced the cost of data transfers across almost the whole of Europe. And as other jurisdictions bring their legislation into line with GDPR, delays and costs for international transactions will start to fall.
Global Development Standards
As more and more countries look to GDPR as inspiration for their own data protection legislation, many are asking if there should be a global privacy standard based on GDPR. But inspiration does not equate to adoption. There are significant differences between the data protection rules of different jurisdictions, reflecting their history, culture and legal frameworks. If a global privacy standard were to be adopted, it might be so watered down that it becomes no more than a basic framework on which states could build their own legislation. This would be more like the EU’s 1995 Data Protection Directive than the highly prescriptive GDPR.
A basic privacy standard underpinning a multitude of local laws could result in a very fragmented regulatory landscape and a great deal of complexity and cost for businesses. Perhaps a better way forward might be regulatory harmonization and cooperation, and promotion of mutual trust and understanding between countries.
Data Protection in Trade Agreements
In 2018, the EU Commission endorsed “horizontal provisions for cross-border trade flows and personal data protection in trade negotiations.” Previous trade deals, such as that between the EU and Japan, had not included agreements on cross-border trade flows because of difficulty ensuring the protection of personal data. The horizontal provisions link together a mutual agreement to allow the free flow of data with a mutual agreement to respect privacy rights. They have now been implemented in several bilateral trade deals, including the one between EU and Japan, though not in the Trade and Cooperation Agreement (TCA) with the U.K. that formed the basis of Brexit.
GDPR Challenges and Criticisms
Since its introduction, GDPR has come in for a lot of criticism, not least because it is very much a work in progress and creates an enormous amount of uncertainty for businesses. Although the uncertainty is now diminishing, GDPR still poses huge challenges.
- High compliance costs: Complying with GDPR can be very expensive for businesses that must change their operating models and practices (see the discussion above under “Increased Compliance Costs”) — but GDPR breaches are costlier. Even minor breaches, such as unclear wording in a company’s privacy policy, can result in heavy fines. Both the size and frequency of regulatory fines are rising sharply as supervisory authorities flex their muscles. For small businesses, even a GDPR fine of a few thousand euros can stress cash flow and significantly dent profits. Additionally, smaller organizations find it more difficult and costly to comply with GDPR than giant corporations and are thus more likely to be fined for breaches.
GDPR fines are intentionally painful to prevent businesses from treating them superficially. However, very large fines can have perverse effects: The ransomware organization Lockbit encouraged one of its corporate targets to pay its ransom instead of reporting the underlying data breach, on the grounds that the ransom was cheaper than the GDPR fine. Lockbit was shut down by European crime agencies in early 2024, but other criminal organizations might view offering such “protection” against GDPR fines as a business opportunity.
- Vague definitions: Despite its length and complexity, GDPR is not a complete statement of the law. Many definitions are vague or unclear. For example, in several places it says action must be taken “without undue delay” but never defines what “undue delay” means. This inevitably leads to conflicts between businesses and supervisory authorities over whether there has been a GDPR breach. Some of these conflicts can be resolved through negotiation, but many end up in the courts. The cost of resolving these ambiguities is considerable. Over time, the situation will improve as case law establishes clear definitions and pushback from businesses and organizations results in better supervisory guidance. However, there are growing calls for the legislation to be amended to firm up definitions and eliminate ambiguities.
- Interpretation differences: The lack of clarity in GDPR legislation leads to differences in interpretation. Lawyers differ over the proper interpretation of certain clauses, leading to conflicts between corporate lawyers and member state judiciaries. Resolving these differences can require a judgment from the European Court of Justice. Supervisory bodies also differ in their interpretation of GDPR regulations, which can result in inconsistent treatment of companies with similar businesses that operate in different countries.
- Operational disruptions: The introduction of GDPR was costly and disruptive for businesses, particularly those with marketing and production systems in several countries or where information was scattered across multiple IT systems and paper records. Gathering personal data and securing it involved IT upgrades and organizational changes, and other systems and procedures also had to be changed or redesigned to comply with GDPR rules. Many businesses have recruited data protection specialists to advise on IT and procedural changes, train staff and monitor compliance with GDPR.
- Enforcement inconsistencies: Although GDPR covers the whole of the EU and EEA, enforcement is at the national level. Each member state has its own supervisory authority tasked with enforcing GDPR for businesses headquartered in that country or with significant operations there. Supervisory authorities are expected to cooperate with each other, and the EDPB provides guidance to supervisors to promote consistency in applying GDPR rules. However, the interpretation of GDPR in individual cases is left to the national supervisory authority’s discretion. Local regulations, domestic considerations or simple differences of opinion result in inconsistencies between supervisory authorities that have led to calls for the EU to establish a single supervisory authority for the entire GDPR area.
The workload of supervisory authorities is also an issue. Businesses are unevenly spread across the EU/EEA. Some countries have a disproportionately high percentage of very large corporations, while others have a much higher proportion of small businesses. For example, Ireland’s supervisory authority has been criticized for being slow to act compared with other supervisory authorities. But Ireland hosts several global tech companies, and investigating them for GDPR breaches takes years.
Supervisory authorities also differ in the level of fines they impose. Ireland’s supervisory authority has issued more very large fines than any other authority. Luxembourg, France and Italy have also issued very large fines. This reflects the number of global corporations that these countries host, but some argue that it also indicates a more draconian attitude among their supervisory authorities.
- Global data flow impediments: GDPR’s restrictions on data transfers outside Europe impede the global flow of information. Data can flow freely within the EU/EEA, but moving data outside that area is hampered by the need to obtain supervisory approvals, establish safeguards and/or identify exemptions from GDPR rules. This situation has worsened significantly since 2020, when the European Court of Justice issued a landmark judgment widely interpreted as meaning that in the absence of an adequacy decision, data exporters must examine the laws of the country to which they intend to transfer data to ensure compatibility with GDPR.
- Barriers to international business: When it was first introduced, GDPR instantly created significant barriers to international business. Research by the London-based think tank Centre for Policy Research showed that website traffic, from both within and outside the EU, dropped sharply when GDPR came into force and took up to two years to return to its previous level. Other changes suggested online businesses “re-shored” key activities. For example, third-party cookie requests fell dramatically but were largely replaced by first-party requests (where the cookies are placed by the website itself). There was also a move from smaller technology providers to large companies such as Google, suggesting that GDPR may have benefited larger companies at the expense of smaller ones.
Over time, website traffic has recovered and re-shoring has diminished. But the preference for large technology providers remains, perhaps because these companies have sufficient resources to not only comply with GDPR, but, if necessary, also force changes through litigation. For smaller companies, the cost of GDPR compliance both for themselves and others seems to have created permanent barriers to international business.
- Conflict of laws: GDPR can conflict with laws in other jurisdictions, as noted previously. When this happens, local laws are likely to override GDPR, as several U.S. courts have decided. In Europe, GDPR rules override local laws — at least in theory. In practice, national supervisory authorities often try to reach some kind of compromise, which leads to accusations of inconsistency among supervisory authorities. The present inconsistency between GDPR and laws in other jurisdictions increases costs and risks for businesses and impedes international trade.
- Consent fatigue: This refers to the exhaustion and indifference felt by people who are constantly bombarded with requests for consent to use their data. For example, people who have to respond to cookie requests on every website tend to stop thinking about the answer they are giving and simply select the same option each time. Automatically responding to a consent request without thinking defeats the purpose of the request and could be regarded as not giving meaningful consent. And if the response is always “no,” then businesses lose access to data that could help them target products and marketing more effectively. Consent fatigue emerged in Europe in the wake of GDPR. Companies are adjusting cookie banners to make them more user-friendly and to encourage consumers to engage with the request. There are also calls for regulatory action to ensure that cookie requests are standardized and comprehensible, and for better education of consumers.
- Reduced customer experience: GDPR’s rules can make accessing the internet and participating in ecommerce something of a drag. Constant demands for consent to cookies can be annoying, and, for some people, limited access to certain websites because of cross-border data transfer restrictions can seriously interfere with their desire to live their lives as they see fit. However, businesses can respond to customer irritation by upping their game on customer engagement, building trusted relationships and offering excellent customer service.
- Legal overreach complaints: The fact that GDPR affects businesses and organizations outside Europe has led to complaints of legal overreach. Some have called the GDPR’s long arm an example of the “Brussels effect,” the ability of the EU to act as a de facto global regulator by setting rules and regulations that have global impact and using its market power to force other jurisdictions to adopt them. One possible consequence posited by The Economist magazine is that other powerful countries might create competing data protection legislation that forces GDPR back behind its borders. In such a case, the world could fragment into data protection blocs, or what the author, Thierry Breton, calls “logical continents.”
- Digital rights management (DRM): DRM is a technological solution to data security, control and privacy issues. By using DRM, people can control access to personal, sensitive or copyrighted data. For businesses grappling with the demands of GDPR, DRM may prove a useful technological aid. However, supervisory bodies are unlikely to regard software as an alternative to good governance, customer service and security management. GDPR is as much concerned with the behavior of people as it is with technology.
Manage Data Compliance With NetSuite
Secure data storage and an efficient means of accessing the right data at the right time are key to GDPR compliance. NetSuite’s data management policies and infrastructure can give businesses the confidence that customer data is completely secure, backed up and available whenever it is needed. Retrieving data is straightforward — no need for searches across multiple platforms or intensive manual collation efforts. With NetSuite, complying with GDPR data protection rules needn’t be a headache.
GDPR requires businesses to put data protection at the heart of their business operations and to prioritize customer privacy and security ahead of profit generation. The daunting array of rules and regulations and the harsh penalties for breaches are intended to enforce this change in priorities. And it isn’t limited to people in Europe. GDPR-style legislation is now proliferating around the world. Thus, data protection as a business priority is here to stay and businesses have little choice but to embrace it. In the future, data protection is likely to become an important source of business advantage. The most successful businesses will use advanced technology to offer customers best-in-class data protection and excellent customer service.
GDPR FAQs
What is GDPR in simple terms?
GDPR stands for General Data Protection Regulation, a European Union (EU) law that came into force in May 2018. GDPR establishes privacy and ownership rights over personal data for all EU residents and defines the rules that businesses and organizations worldwide must follow to ensure that those rights are protected. GDPR is widely regarded as the toughest data privacy and security regime in the world.
What are the 7 main principles of GDPR?
The seven main principles of GDPR as set out in Article 5 are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What are the basic rules of GDPR?
The basic rules of GDPR say that people’s data must be used lawfully, fairly and transparently; must only be used for explicitly stated purposes; must be used in a way that is adequate, relevant and limited to what is strictly needed; must be accurate and kept up to date; must not be held for longer than necessary; and must be handled in a way that ensures security, including protection against unauthorized or unlawful use, loss, damage or destruction.
Is there a GDPR in the US?
There’s no federal-level equivalent of GDPR in the U.S. However, California’s Consumer Privacy Act tracks the EU’s GDPR. It affects all businesses that offer goods and services to California residents or handle the personal data of California residents.
What is GDPR for?
GDPR exists to protect the right of everyone in the European Union and European Economic Area to privacy and security. It provides a regulatory level playing field for people and businesses in the EU/EEA and aims to eliminate data protection inconsistencies between member states, though this may not be fully achieved in practice.