{"id":10308,"date":"2019-12-18T10:09:19","date_gmt":"2019-12-18T15:09:19","guid":{"rendered":"https:\/\/blog.brainstation.io\/?p=10308"},"modified":"2020-05-07T12:41:18","modified_gmt":"2020-05-07T16:41:18","slug":"gdpr-explained-how-businesses-protect-personal-data-in-the-eu","status":"publish","type":"post","link":"https:\/\/brainstation.io\/blog\/gdpr-explained-how-businesses-protect-personal-data-in-the-eu","title":{"rendered":"GDPR Explained: How Businesses Protect Personal Data in the EU"},"content":{"rendered":"

When the European Union\u2019s General Data Protection Regulation (GDPR) came into full force in May 2018, it was hot on the heels of the Facebook-Cambridge Analytica data scandal. The data breach heard around the world made consumers suddenly <\/span>very<\/span><\/i> aware of how their personal data could be collected and manipulated without their consent. It\u2019s a pressing conversation that continues to evolve alongside rapid advances in technology to this day. <\/span><\/p>\n

As the internet became increasingly data-driven over the years, the European Union (EU) recognized that the privacy standards they\u2019d had in place since 1995, the European Data Protection Directive, needed updating. In April 2016, the European Parliament adopted the GDPR and asked that all businesses be compliant by 2018. The GDPR embodies the EU\u2019s firm stance on data protection and privacy and applies uniformly to all EU member states (unlike the former directive). <\/span><\/p>\n

Does GDPR Apply to You? <\/b><\/h2>\n

Firstly, it\u2019s important to note that the GDPR has implications outside of the EU. If you\u2019re wondering if this applies to you, ask yourself these 2 simple questions: <\/span><\/p>\n

    \n
  1. Do you offer goods or services in the EU?<\/span><\/li>\n
  2. Are you collecting or processing the personal data of EU citizens or residents for commercial purposes?<\/span><\/li>\n<\/ol>\n

    If you answered yes to either or both of these questions, then you need to comply with GDPR. This actually means that the majority of companies with global reach need to have a data strategy in place to avoid penalties of up to tens of millions of euros. <\/span><\/p>\n

    If you decide how and why personal data is being used, you\u2019re likely what the GDPR calls the \u201cData Controller.\u201d This can be a business owner or simply a member of the data team. <\/span><\/p>\n

    Alternatively, if you\u2019re someone who processes data on behalf of a third party, you\u2019re called a \u201cData Processor.\u201d The GDPR has special regulations for processors.  <\/span><\/p>\n

    What\u2019s Considered Personal Data? <\/b><\/h2>\n

    For a law that\u2019s all about protecting personal data, it\u2019s crucial to understand what kinds of data are included in the equation. <\/span><\/p>\n

    According to the <\/span>European Commission<\/span><\/a>, personal data is any piece of information that can identify a living individual. This includes, but isn\u2019t limited to, information such as names and surnames, personal email addresses, home addresses, biometric data and location data. <\/span><\/p>\n

    Information that\u2019s completely anonymous (and can\u2019t be reversed in any way) is not considered personal data. This includes email addresses that are generic (support@company.com) or a company registration number. <\/span><\/p>\n

    The GDPR is technology agnostic, which means personal data must be protected regardless of how it\u2019s being collected, organized, structured, used or deleted. <\/span><\/p>\n

    7 Principles for Data Protection<\/b><\/h2>\n

    There isn\u2019t a one-size-fits-all approach to data protection and many parts of the law leave room for interpretation. The GDPR does lay out some guiding principles for processing personal data.<\/span><\/p>\n

      \n
    1. Process the data you collect lawfully, fairly, and transparently.<\/span><\/span> <\/li>\n
    2. Collect data for a specific and explicit purpose and only process that data as it relates to that purpose. The only exception is if the data is being used for research, statistical, or scientific purposes for the good of the public.<\/span><\/span> <\/li>\n
    3. Minimize the amount of personal data you collect. Don\u2019t collect more than is needed for the intended purpose.<\/span><\/span> <\/li>\n
    4. Keep the data you collect up-to-date. If you\u2019re unable to do this, then you must make a reasonable effort to update or delete it quickly.<\/span><\/span> <\/li>\n
    5. Personal data can be kept in a form that allows you to identify individuals only for as long as it takes to fulfill your intended purpose. Again, there are exceptions for research, statistical, or scientific purposes.<\/span><\/span> <\/li>\n
    6. Have measures in place to process data in a way that safeguards it from unauthorized processing or altering, loss, or damage.<\/span><\/li>\n
    7. The data controller is ultimately held accountable and must be able to prove compliance. <\/span><\/li>\n<\/ol>\n

      When is it Okay to Process Personal Data? <\/b><\/h2>\n

      Certain conditions must be met for your data processing to be considered \u201clawful\u201d. Like other regulations of its kind, consent plays a leading role. <\/span><\/p>\n

      There are a few situations where you\u2019d be able to process personal data without consent, including:<\/span><\/p>\n