GDPR - General Data Protection Regulation

General Data Protection Regulation (GDPR) Overview

What is GDPR?

The General Data Protection Regulation (GDPR) is a sweeping law initiated by the European Union (EU) and its legislative European Commission (EC) branch that gives European citizens more protection of personal data with a supervisory authority seeking to clarify rules and responsibilities for online service providers processing of personal data. GDPR standardizes data protection law across all 28 EU countries (member states). It replaces the EU's previous directive governing data protection of personal information passed in 1995, the EU Data Protection Directive, and went into effect on May 25, 2018.

GDPR compliant practices introduce sweeping changes to existing data regulations including:

  • Establishing the rules for how companies should handle the personal data of European citizens
  • Expanding the scope of what's understood to be personal data
  • Clarifying the roles and responsibilities of companies who control data processing
  • Streamlining enforcement authority to one supervisor per member country
  • Compelling companies to notify consumers of a data breach within prescribed timeframes
  • Stepping up penalties for non-compliance

"Personal data" means any information relating to a person who can be identified, directly or indirectly, using an identification number or location specifics; or to one or more other identifying attributes including gender, physical, medical, race, political or socioeconomic data. Examples include an online account holder's name, ID numbers, and location, as well as IP addresses, cookies, and other digital fingerprints.

GDPR applies to all companies holding and processing an EU citizen's personal data, regardless of whether the company is in an EU country or not. If a company offers goods or services to or monitors the behavior of EU residents, it must meet GDPR compliance requirements.

The maximum fine that companies can be hit with for the most serious infringements of the regulation is 4% of their global annual turnover (or €20M, whichever is greater). That is substantial, to say the least, although enforcement entities can impose smaller fines as well depending on the privacy infraction.

Improving Personal Privacy Rights

The data protection reform imposed by GDPR strengthens an EU citizen's right to protecting their online personas, which the EU sees as a fundamental right, ensuring that account holders can trust companies with the transfer of personal data that they deem private as they opt-in to various online services.

The new rules address these concerns by strengthening the existing consumer rights and empowering individuals with more control over their personal data. Most notably, these include:

  • a right to "easier access" to personal data—users have more information on what data is captured and that companies providing the service make this information available to users in a clear and concise way
  • a right to "data portability"—making it easier to transfer a user's personal data between alternative services
  • a "right to be forgotten"—by eliminating any chance that personal data could be somehow used by any third party if a user deletes or deactivates their account
  • a right to know when your data has been hacked—companies must notify the Data Protection Authorities (DPAs) of the EU country without undue delay where a serious data breach affects citizens so that users can take appropriate measures

Enforcement Mechanisms

DPAs are at the heart of enforcing GDPR compliance with responsibility for enforcing data protection laws at a national level and providing guidance on the interpretation of those laws. Each EU member country is required to appoint one or more DPAs as public authorities to implement GDPR and protect the rights and freedoms of individuals. DPAs are empowered to oversee enforcement of the GDPR, investigate events that are not compliant with GDPR policies and initiate legal proceedings where necessary. DPAs are also required to cooperate, with formal legal authority to carry out joint operations across EU member countries.

This process is designed to work across countries that are part of the EU but how can a DPA impose a fine or penalty on a U.S. company? The closest equivalent agency in the U.S. that has jurisdiction over commercial organizations is the Federal Trade Commission (FTC), as well as a state attorney's office, but U.S. regulators are just beginning to look at what to do to regulate privacy policies as evidenced by recent congressional hearings where politicians on this issue questioned Mark Zuckerberg of Facebook.

Many U.S.-based online Internet services and social media companies are updating their privacy policies and terms of service to prepare for the new legislation. European regulators closely scrutinize Facebook's improved information security policies to ensure compliance. The recent Cambridge Analytica data breach is the kind of data security scenario that the EU hopes that GDPR regulations can help to avoid.

As GDPR laws take effect, there will be a period needed to determine how law enforcement practices will be carried out. Nonetheless, companies should make concerted efforts now to comply with the terms of the regulation from its outset, especially given the potential for such stiff penalties in the event of a violation.

ThousandEyes Network Intelligence technology addresses the network visibility challenges associated with companies looking to comply with GDPR data privacy laws. Network privacy in a cloud-based world requires visibility into how application traffic is being transported and where users are connecting to, especially when using cloud-based applications. As a result, network operations and security teams need detailed and accurate network path visibility, along with routing and application layer data to ensure GDPR best practices are implemented and compliance is maintained.