What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation that governs data protection and privacy in the European Union and the European Economic Area. It was developed to update and unify data protection law across the EU, replacing the Data Protection Directive of 1995. The regulation was passed in 2016 and went into effect on May 25, 2018.
GDPR is the strictest, most far-reaching privacy legislation in effect to date. The consequences of GDPR noncompliance can be severe, including bans on collecting private data, huge fines and consumer lawsuits.
What Type of Data is Protected by GDPR?
GDPR defines private data as any information related to the data subject that someone can use to identify that person. This includes personally identifiable information (PII) and protected health information (PHI), such as:
- Basic identity information such as name, address and ID numbers
- Biometric data
- Health and genetic data
- Political opinions
- Racial or ethnic data
- Sexual orientation
- Web data such as location, IP address, cookie data and RFID tags
What Companies Must Adhere to GDPR?
Although GDPR was passed by the European Union (EU), it applies to any company that collects and processes data on citizens and residents of the EU, even if the organization does not have a physical presence in Europe. A small business website that tracks European site visitors is as accountable as a large global corporation.
Since it was passed, GDPR has been widely adopted by online companies across the globe, both those that actively market to European consumers and those that want to avoid the risk of accidentally storing data on European citizens.
GDPR inspired subsequent privacy regulations in the U.S. including the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA) — and it is expected that similar data privacy laws will follow. Because of this, many companies in the U.S. have adopted GDPR to get ahead of the curve and give site visitors confidence that their data is secure.
What Does GDPR Compliance Mean?
Organizations are GDPR compliant if they adhere to the regulation, as determined by the European Commission. There are seven key principles that organizations must follow:
- Lawfulness, fairness and transparency: Disclose how you are planning to collect, process and use the data.
- Purpose limitation: Data should only be collected for specified, explicit and legitimate purposes, and cannot be used for other means than what was initially disclosed.
- Data minimization: Collect the least amount of data necessary for your purpose.
- Accuracy: Ensure data is accurate and up-to-date.
- Storage limitation: Establish a justified length of time that data is stored and ensure it is properly destroyed after the period is up.
- Integrity and confidentiality: Keep all stored data secure, with strict access controls.
- Accountability: Have processes in place to maintain compliance and be prepared to produce records that prove this.
To achieve this, GDPR outlines a number of rules that must be followed. Example include:
- Companies cannot use any data they already store on their website to market to data subjects unless they have already agreed to it explicitly.
- Checkboxes for opting into communications must remain unchecked, and the user must check them manually.
- Sites must offer users a choice of cookies to approve, rather than enforcing a cookie wall that requires users to accept all cookies.
- Sites can't block users who don't agree to all cookies.
- Organizations must notify affected users within 72 hours if their data is breached.
The full text of GDPR outlines all the rules and defines criteria for maintaining compliance.
What Are the Business Implications of GDPR?
GDPR holds organizations accountable for the data they collect, process and store. This has implications not only for internal and external business processes, but how those processes are recorded and enforced as well.
There are some best practices that organizations can follow to ensure GDPR compliance:
- Encrypt all user data
- Enforce strict access controls for employees and third-party vendors
- Monitor and record access events
- Continuously evaluate and fix network and software vulnerabilities
- Keep systems up-to-date
- Ensure your third-party vendors are doing the same
How Does GDPR Affect Third-party Partnerships?
Third-party code vendors often state in their legal agreements that they aren’t responsible for what data gets grabbed by their systems. If they do get access to sensitive data, they are free from liability because the onus was on the website to not grant access in the first place.
If consumer data is exposed on your site because of an attack on a third-party vendor, you are no longer compliant with GDPR and liable for any damages that result. It is critical to continuously audit third-party code and implement a zero trust security posture.
How Does Client-side Code Threaten GDPR Compliance?
- Lack of visibility at runtime - Client-side code runs on users’ browsers rather than the central web server. It can be difficult to detect changes in scripts that load dynamically at runtime. This includes malicious code injections or modifications, such as adding a token to identify a visitor or another desired dynamic function.
- Frequent code changes - Third-party libraries are continually being changed and updated. Even if a script is reviewed when it is first added to a site, it does not mean that subsequent modifications are secure. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year.
- Insufficient security reviews - Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.
By leveraging vulnerabilities in client-side code, cybercriminals can conduct digital skimming and PII harvesting attacks. If consumer data is exposed due to an attack on your site, you could be forced to pay a hefty GDPR fine.
What Happens if a Business is not Compliant?
Noncompliance with GDPR can result in warnings, bans on processing personal data, fines and lawsuits.
The EU can fine organizations up to 4% of their global annual revenue or €20 million for violations of the basic principles of GDPR privacy rights and the right for data subjects to have their data deleted. For lesser offenses, the EU can fine an enterprise up to 2% of its global annual revenue or €10 million.
In addition, data subjects have the right to sue organizations for damages when they are negatively impacted by a site’s failure to comply with GDPR. Bans, fines and lawsuits can lead to significant financial losses, damage to brand reputation and loss of consumer trust.
Many well-known brands have been heavily fined for GDPR violations.
- Ticketmaster paid a £1.25 million GDPR fine for exposing the PII and PCI data of up to 9 million customers via form field access by a third party chat bot on the checkout page.
- British Airways paid £20 million — one of the largest GDPR fines in history — in addition to settling a private class action lawsuit for allowing the sensitive data of 420,000 customers to be compromised via website form field access.
How Can PerimeterX Help Ensure GDPR Compliance?