The European Union (EU) General Data Protection Regulation (GDPR) turns five this year. While the law spawned many imitators, most notably the California Consumer Privacy Act (CCPA), the GDPR remains the world’s most comprehensive, far-reaching data privacy law to date. It gave European citizens a wide swath of new data privacy rights, while placing significant new data governance responsibilities on organizations.
Although the GDPR is a European law, it applies to all organizations that sell goods and services in the EU or track the online activities of individuals located in the EU, regardless of whether the organization has a physical presence there. Even if an organization serves only one customer located in the EU, it must comply with the GDPR.
Despite the GDPR having been in force for nearly half a decade, many organizations are still confused about their responsibilities under this law and the consequences if they don’t comply.
Consumer Data Privacy Rights Under the GDPR
The GDPR granted EU citizens – which the law refers to as “data subjects” – a wealth of data privacy rights, including:
- The right to know what personal data organizations are collecting on them, how it is being used, and who is using it.
- The right to request and receive a copy of their personal data in a “commonly used and machine readable format”.
- The right to insist that organizations delete their personal data and/or stop sharing it with third parties. This is commonly referred to as the “right to be forgotten.”
Organizations’ Responsibilities Under the GDPR
The GDPR also requires organizations to adopt certain data security and governance controls, for example:
- Organizations must obtain voluntary and clear consent to collect, store and use EU data subjects’ personal data. They can only collect data that is necessary to fulfill a transaction or contract that the data subject initiated, and they must clearly explain how the data will be used.
- In the event of a data breach, organizations must notify both EU data protection authorities and affected customers within 72 hours.
- Organizations are required to provide “reasonable” levels of data privacy and protection to EU customers.
- Public authorities, as well as organizations that “engage in large scale systematic monitoring” or “engage in large scale processing of sensitive personal data,” must hire or appoint a data protection officer (DPO) to oversee GDPR compliance and overall data security.
Consequences for non-compliance can be quite severe. EU data protection authorities can fine organizations up to 4% of their global annual turnover or €20 million, whichever is higher, based on the seriousness of the breach and damages incurred. In 2022, the EU levied a record €1.65 billion in GDPR fines against non-compliant organizations – a 50% increase from 2021.
Download Our FREE White Paper on GDPR Compliance
The GDPR forced many organizations to fundamentally alter their data security, governance and compliance processes. To cut through the noise, Keeper has put together a FREE white paper, GDPR: What it Means for Your Business and How Keeper Enterprise Can Help Your Organization. Download your copy today!
Keeper is GDPR compliant and committed to ensuring that our business processes and products continue to maintain and simplify GDPR compliance for our customers in the European Union and beyond. Interested in making GDPR compliance easier and less time-consuming? Take advantage of Keeper’s 14-day free business trial.