GDPR and the importance of protecting data privacy

The General Data Protection Regulation has transformed how personal information is used and protected across the European Union. However, its impact goes much further, forming the basis of state legislation within the US. We explain why following its principles benefits all organizations in terms of compliance and good practice.

VP of Marketing, Opendatasoft

We live in a world driven by data. Every consumer and citizen leaves a data trail as they go about their daily lives, from the websites they visit to the online transactions they make. As life becomes increasingly digital, more and more of this personal information is shared with organizations, leading to elevated fears about privacy and security.

To meet these concerns and to return control over their personal data to citizens, the European Union introduced the General Data Protection Regulation (GDPR), which became law in 2018. Since then many other countries and states have enacted, or are planning, similar legislation to protect personal information.

This makes understanding the underlying principles behind the GDPR vital for organizations across the globe. Even if you are currently not subject to GDPR-style legislation, being compliant is good practice and should be at the heart of your data strategies and data governance projects, helping deliver reassurance to citizens, consumers and partners.


The GDPR aims to make organizations responsible for the processing and security of the personal data they collect. It is built on seven core principles:

  1. Lawfulness, fairness and transparency — Processing of personal data must be lawful, fair, and transparent to the data subject (the citizen or consumer).
  2. Purpose limitation — Organizations must only process data for legitimate purposes that have been specifically agreed to by the data subject when the data was collected.
  3. Data minimization — Organizations should only collect and process as much data as absolutely necessary for agreed purposes.
  4. Accuracy — Organizations must keep personal data accurate and up to date.
  5. Storage limitation — Organizations can only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Data processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The organization is responsible for being able to demonstrate GDPR compliance with all of these principles.

Essentially, the GDPR strengthens the rights of citizens and consumers when it comes to data. These rights include:

  • The need for individuals to give clear consent to having their personal data collected
  • Easier access to any personal data stored by an organization
  • Rights to correct this data, and to have it erased if desired
  • The right to object to the use of personal data for profiling individuals
  • The right to be able to move personal data from one service provider to another

If organizations are not compliant with the GDPR, they face a range of potential sanctions, rising to fines of €20 million (approximately $21 million) or 4% of global turnover – whichever is higher. The GDPR covers any organization processing the data of EU citizens – so if a consumer in France accesses a US website, GDPR applies.

To learn more about the details of the GDPR, read our in-depth glossary entry on the legislation.


As the first, and most comprehensive, data privacy legislation in the world, the GDPR has had a major impact outside the European Union. In particular, several US states have mandated their own regulations that are based on the principles outlined in the GDPR:

California

The California Consumer Privacy Act (CCPA) came into force in 2018 and was then updated with the California Privacy Rights Act in 2020. The CCPA gives California residents greater control over their personal information, including rights to know what data is being collected from them, notification if personal information is shared or sold, and the right to prevent their data being sold.

Colorado

The Colorado Privacy Act introduces consumers’ rights to privacy and companies’ responsibility to protect personal data, and authorizes enforcement for violations. It will become effective on July 1, 2023.

Connecticut

Connecticut’s law establishes a framework for controlling and processing personal data, outlines responsibilities and grants consumer rights around how data is used. It will also become effective on July 1, 2023.

Utah

The Utah Consumer Privacy Act provides consumers with the right to know what personal data a business collects and requires specified businesses to safeguard personal data. It will become effective on December 31, 2023.

Virginia

The law outlines responsibilities and privacy protection standards for certain organizations, and introduces consumer rights around their data. It came into effect on January 1, 2023.

Alongside these five states, legislation is currently being debated in a further 18, meaning a large proportion of the US population could be protected through data privacy legislation if all regulations are passed.


The principles behind the GDPR put security, confidentiality and consent at the heart of how organizations use data. Integrating them into your data strategy therefore delivers key benefits:

  • It increases trust with consumers and citizens by demonstrating that you value and respect their rights and personal information
  • It helps drive data democratization as citizens are more willing to share their information with you
  • It protects reputation by putting in place strict security standards, reducing vulnerabilities to malicious attacks and hacks
  • It drives more comprehensive data governance programs, enabling organizations to better understand the data that they have available
  • It unlocks new use cases for data sharing inside and outside the organization

As an organization founded in Europe, Opendatasoft has deep experience of the GDPR and assisting its clients to protect the personal data of their citizens and customers. For example:

  • Our data democratization platform is fully secure and is designed to make it easy to anonymize personal information
  • Our data governance features enable organizations to track their data as it moves between systems and is enriched and shared
  • We fully comply with the GDPR in terms of processing personal information of clients, staff and prospects, including having a Data Protection Officer
  • Our SaaS-based platform is hosted on compliant cloud providers, located in the US, EU and other countries

For citizens, individuals and employees to fully embrace data democratization and to benefit from data sharing, they need to trust that organizations respect their personal information, are using it responsibly, and are protecting it through high levels of security. Basing your data protection strategy on the GDPR therefore provides assurance to citizens and consumers and future-proofs your data strategy, however legislation evolves.
