
What Is GDPR?

Data privacy concerns citizens worldwide, as consumer data privacy violations such as the Facebook/Cambridge Analytica scandal alerted users to poor data privacy standards. Research confirms that trust and data privacy are central to digital life. For example, a 2020 McKinsey survey of data sharing and consumer behavior found that 87% of respondents would not do business with a company if they had concerns about its security practices, and that 71% would stop doing business with a company that gave away sensitive data without permission.

To address the abuse of consumer privacy, the EU adopted the General Data Protection Regulation (GDPR) in 2016; it has applied across the EU since May 25, 2018. The GDPR has become synonymous with stringent, consumer-centric privacy regulation protecting the privacy rights of individuals in the EU.

A brief background to the EU GDPR law

The right to privacy has been part of European law since the 1950 European Convention on Human Rights. The GDPR replaced the 1995 Data Protection Directive (95/46/EC). It was adopted in 2016, and member states and covered organizations had two years to prepare before it became enforceable on May 25, 2018. One of the drivers for this update was to harmonize privacy law across the EU member states: a regulation applies directly in every member state, whereas the directive had been transposed into differing national laws. Since the GDPR became enforceable, companies covered under the regulation have worked to establish GDPR compliance. The GDPR's remit is to protect the privacy of personal data. Under Article 4(1) of the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’).” This includes names, identification numbers, location data, online identifiers such as IP addresses, and biometric data. Article 9 further defines “special categories” of personal data (for example, health, genetic, biometric, and racial or ethnic origin data) that carry higher risk and require more robust protection.

Under the GDPR, a covered entity is any organization that processes the personal data of individuals in the EU, whether it is established in the EU or, if established outside it, offers goods or services to those individuals or monitors their behavior within the EU (Article 3). Covered entities act as data controllers or data processors: a controller determines the purposes and means of processing, and is therefore responsible for the legal basis (such as consent) and for governing access; a processor processes personal data on behalf of a controller. The jurisdictional scope of the GDPR thus extends to companies outside Europe that sell goods to customers in the EU and collect those customers' personal data. The GDPR affects companies of all sizes, because it is triggered by a company's data handling activities, not its size.

How Akamai helps organizations comply with the GDPR

Data protection and data privacy are central to GDPR compliance. Akamai security solutions provide threat intelligence and end-to-end protection against data breaches and accidental exposure. Akamai helps your security teams maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to a Zero Trust solution for the security and privacy of data.

Diagram illustrating the three primary principles of a Zero Trust security architecture.

Akamai provides:

  • A global security platform that enforces Zero Trust security with comprehensive coverage of your IT, IoT, and OT environments
  • Deep visibility into assets, access, and network flows
  • Granular enforcement of security policy

How does GDPR affect your organization?

Data privacy matters to consumers. The GDPR and similar data privacy laws, including the California Consumer Privacy Act (CCPA) in the United States, enforce data privacy principles for consumers and citizens. Companies found noncompliant with the GDPR are subject to significant fines: in May 2023, Ireland's Data Protection Commission (DPC), the lead supervisory authority for Meta in the EU, fined Meta Platforms Ireland Limited 1.2 billion euros for transferring the personal data of EU users to the United States in reliance on standard contractual clauses (SCCs) without adequate safeguards.

The following examples show how far the GDPR's obligations reach beyond EU-based enterprises:

A U.S. business with customers in the EU

The GDPR is extraterritorial in scope. Even if your business is based outside the EU, you must comply with the GDPR if you offer goods or services to individuals in the EU or monitor their behavior there; merely being reachable from the EU is not enough, but deliberately serving EU customers is. Such companies should start with a GDPR assessment that maps which personal data they hold and which processing activities they carry out, and must then provide privacy notices that meet GDPR requirements. Where processing is likely to result in a high risk to individuals (Article 35), a data protection impact assessment (DPIA) is required to determine what protection measures are needed. These will typically include data encryption, robust authentication, and organizational-level data protection such as a Zero Trust security approach. The measures must extend to third-party suppliers, which the GDPR treats as processors bound by contract to the controller (Article 28).

A small organization with under 250 employees

The GDPR does not exempt smaller organizations from regulation. Even a sole trader or a charity must abide by the GDPR if it handles and processes personal data. The one size-based concession is in Article 30(5): an organization with fewer than 250 employees need not keep formal records of its processing activities, unless the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves special categories of data (such as racial or ethnic origin or biometric data) or criminal conviction data. In practice most businesses process customer data regularly, so the exemption rarely applies. As well as meeting the data privacy requirements, small companies should look for security platforms that provide robust authentication and encryption to help secure data and avoid a data breach.

The seven principles of the GDPR

Article 5 of the GDPR sets out seven core principles that underpin the whole regulation. They govern when and why personal data may be processed, how much may be collected and for how long, and who must prove compliance:

  1. Lawfulness, fairness, and transparency: processing must rest on a lawful basis under Article 6 (such as consent, performance of a contract, or legitimate interests), must be fair to the data subject, and must be explained to them clearly.
  2. Purpose limitation: personal data must be “collected for specified, explicit, and legitimate purposes” and not further processed in a manner incompatible with those purposes. This principle underpins privacy by design and by default (Article 25).
  3. Data minimization: in line with principle two, the data collected must be adequate, relevant, and limited to what is necessary for those purposes.
  4. Accuracy: the covered entity must keep personal data accurate and, where necessary, up to date, and must correct or erase inaccurate data without delay.
  5. Storage limitation: personal data must not be kept in a form that identifies data subjects for longer than necessary, so the covered entity needs a retention policy that is actually enforced.
  6. Integrity and confidentiality: security controls must protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, covering both internal and external threats.
  7. Accountability: the controller must be able to demonstrate compliance with the other six principles through documented measures.

The eight data subject rights of the GDPR

Data subjects are the individuals whom personal data covered under the GDPR identifies or could identify. Chapter 3 of the GDPR (Articles 12 to 22) grants eight data subject rights that covered entities must honor, as a rule within one month of receiving a request (Article 12(3)):

  1. Right to be informed (Articles 12, 13, and 14).
  2. Right of access (Article 15).
  3. Right to rectification (Article 16).
  4. Right to erasure (Article 17).
  5. Right to restriction of processing (Article 18).
  6. Right to data portability (Article 20).
  7. Right to object (Article 21).
  8. Right not to be subject to automated decision-making, including profiling (Article 22).

There is also a breach notification regime. Article 33 requires a controller to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a processor must notify its controller without undue delay. Article 34 additionally requires the controller to inform the affected data subjects “without undue delay” when the breach “is likely to result in a high risk to the rights and freedoms of natural persons.” Supervisory authorities are the independent public authorities in each member state that monitor the application of the regulation.

GDPR fines

The GDPR Enforcement Tracker provides an overview of fines and penalties issued for noncompliance with GDPR. As of May 2023, the cumulative cost of fines was around 2.79 billion euros. The top three reasons for issuing fines, according to the GDPR Enforcement Tracker, are:

  1. Noncompliance with general data processing principles.
  2. Insufficient legal basis for data processing.
  3. Insufficient technical and organizational measures to ensure information security.

Article 83 sets two tiers of maximum fines for noncompliance with the GDPR:

Level 1 (Article 83(4)): infringements of the obligations placed on controllers and processors, such as security of processing, breach notification, data protection impact assessments, and records of processing: up to 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Level 2 (Article 83(5)): infringements of the basic principles for processing, including the conditions for consent, data subjects' rights, and the rules on international transfers: up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

How do Akamai data security solutions help with GDPR compliance?

Data security is intrinsically linked to robust data privacy. The GDPR requires controllers and processors to prevent data breaches using “appropriate technical and organisational measures” (Article 32), and it explicitly names pseudonymization and encryption of personal data as examples of such measures. Pseudonymization (Article 4(5)) means processing personal data so that it can no longer be attributed to a specific data subject without additional information that is kept separately and protected; encryption, by contrast, protects the data itself against anyone who lacks the key. Other measures that should be used to prevent breaches include identity and access management (IAM), robust authentication, and consent management, applied under a Zero Trust security approach.
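The difference between a pseudonym that meets the Article 4(5) definition and one that does not is easy to get wrong in practice: a plain hash of an email address looks anonymous but is trivially reversed by hashing a list of candidate addresses. The following Python script is an added illustration for this page, not Akamai code and not part of the regulation; the sample records, the attacker's candidate list, and the in-memory key handling are constructed for the example (in production the key would live in a KMS or HSM, separate from the dataset). It contrasts an unkeyed SHA-256 pseudonym with an HMAC-SHA-256 pseudonym whose secret key is the separately kept "additional information", and shows that the key holder can still honor an erasure request against the pseudonymized store.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset for the example; the addresses are not real people.
RECORDS = [
    {"email": "alice@example.com", "last_login": "2023-05-01"},
    {"email": "bob@example.org", "last_login": "2023-05-03"},
    {"email": "alice@example.com", "last_login": "2023-05-09"},
]

# Constructed candidate list an attacker might try (a leaked marketing list, say).
CANDIDATE_EMAILS = ["alice@example.com", "carol@example.net", "bob@example.org"]


def _normalize(email: str) -> bytes:
    # The same person must map to the same pseudonym, so normalize case and whitespace.
    return email.strip().lower().encode("utf-8")


def unkeyed_pseudonym(email: str) -> str:
    """Naive approach: plain SHA-256 of the identifier. Anyone can recompute it."""
    return hashlib.sha256(_normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. The key is the 'additional information' of
    Article 4(5): it must be stored apart from the dataset, never beside it."""
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 256 bits")
    return hmac.new(key, _normalize(email), hashlib.sha256).hexdigest()


def pseudonymize_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier with a keyed pseudonym; other fields are kept."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k != "email"}
        new["subject_id"] = keyed_pseudonym(rec["email"], key)
        out.append(new)
    return out


def erase_subject(pseudonymized: list[dict], email: str, key: bytes) -> list[dict]:
    """Right to erasure (Article 17) on a pseudonymized store: only the key holder
    can derive the subject's pseudonym and remove that subject's records."""
    target = keyed_pseudonym(email, key)
    return [rec for rec in pseudonymized if rec["subject_id"] != target]


def dictionary_reverse(pseudonyms: list[str], candidates: list[str], fn) -> dict:
    """Re-identification attempt: apply fn to every candidate and look for matches."""
    table = {fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo() -> tuple[int, int, int]:
    """Returns (unkeyed pseudonyms re-identified, keyed pseudonyms re-identified,
    records left after erasing one subject)."""
    key = secrets.token_bytes(32)          # generated once; stored separately
    unkeyed = [unkeyed_pseudonym(r["email"]) for r in RECORDS]
    store = pseudonymize_records(RECORDS, key)
    keyed = [r["subject_id"] for r in store]

    # The attacker knows the algorithm and a candidate list but not the key.
    hit_unkeyed = dictionary_reverse(unkeyed, CANDIDATE_EMAILS, unkeyed_pseudonym)
    guessed_key = secrets.token_bytes(32)  # wrong key: every trial pseudonym differs
    hit_keyed = dictionary_reverse(
        keyed, CANDIDATE_EMAILS, lambda e: keyed_pseudonym(e, guessed_key))

    # Erasure request arrives with the subject's email; the key holder resolves it.
    remaining = erase_subject(store, "Alice@Example.com ", key)
    return len(hit_unkeyed), len(hit_keyed), len(remaining)


if __name__ == "__main__":
    print(demo())  # (2, 0, 1)
```

Two design points worth noting. First, the pseudonym is deterministic on purpose: the controller can still link a subject's records (and find them for an access or erasure request) while the dataset on its own cannot be tied back to a person. Second, rotating or destroying the key is what turns this pseudonymized data into effectively anonymous data, which is the lever a storage limitation policy can use at the end of a retention period.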

Akamai Connected Cloud provides fine-grained controls over data access and consent to help an organization meet and demonstrate GDPR compliance. These controls cover:

  • Obtaining and managing consent
  • Right to access
  • Right to rectification
  • Right to erasure
  • Encryption

Akamai supports GDPR compliance by providing risk management, reporting, and documentation, delivered using a Zero Trust strategy.

Frequently Asked Questions (FAQ)

GDPR stands for General Data Protection Regulation. It is an EU regulation on data protection and privacy that applies throughout the European Union and the European Economic Area (EEA).

The GDPR affects companies of all sizes, because it is triggered by a company's data handling activities, not its size. Two obligations are, however, conditional:

  1. Records of processing activities (Article 30): an organization with fewer than 250 employees is exempt unless its processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves special categories of data or criminal conviction data.
  2. Appointing a data protection officer (DPO) (Article 37): required, regardless of headcount, only for public authorities and for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories or criminal conviction data.

Why customers choose Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.
