What Is GDPR - And How Does It Apply to You? - Cobalt Blog

Up to this point, personal data, particularly consumer patterns, has been shared and sold without consumer insight into how such information was being used or accessed. As the privacy of personal information becomes a more common cause for concern, even outside of the cybersecurity realm, governmental leaders are coming around to placing sanctions on how that data can be used. General Data Protection Regulation (GDPR), established in 2018, took strides toward imposing more enforceable restrictions against abuse of personal data and consolidating previous iterations of data security acts into one regulatory set of laws. Most vitally, the restrictions, per the GDPR definition provided by EU regulatory bodies, seek to combat the risk of “free movement” of personal data between entities.

In some states in the US, data privacy regulations are beginning to follow suit, notably California’s pending 2020 implementation of the California Consumer Privacy Act (CCPA). As American leadership understands more about what constitutes personal data rights and breach risks in online platforms, GDPR regulation becomes more and more pertinent as a broadly applicable way to protect personal data.

Despite their common goal, there are some key differences between the CCPA and the GDPR, both with respect to what they protect and how they enforce those protections.

What constitutes personal data?

Before we can dive into what it means to protect personal data through GDPR and the CCPA, it’s important to identify how these laws define personal data.

Predecessors to the GDPR such as the Data Protection Directive (DPD) defined personal data in an intuitive way: identifying information, including but not limited to one’s name, birthdate, contact information, and personal account numbers. The GDPR sought to broaden the view of relevant data to include IP addresses, fingerprints and retina scans used for personal phone security, geolocations, and an assortment of personal identity features such as socioeconomic standing and cultural background. This update takes a valuable look at how technology has transformed what data we leave behind, intentionally or not, with our online activity, and how that data can be harnessed by third parties to alter our internet experience.

The CCPA is not too far off from the GDPR in terms of the data it considers personal and protected. Any information that is not publicly available constitutes personal data under the CCPA. However, it does expand the scope of the data to include information about your household, i.e. your spouse or children, when enforcing its protections.

So what exactly is GDPR?

GDPR was implemented when a need arose for the many legislative protections in the EU regarding privacy and personal data to be compiled into an overarching set of regulations that were fully applicable across technological platforms. Different countries throughout the EU upheld nonidentical policies related to the ownership and sharing of personal data, and by consolidating these legislative practices, the GDPR was able to control data sharing both within the EU and abroad, so long as the individuals whose data was in question were from an EU nation or within the European Economic Area (EEA).

The GDPR focuses on disclosing the uses for consumer data to the consumer, and it requires that every business give the consumer the opportunity to either contribute or decline to contribute their data as they use a business’s online materials or products. It also mandates that when requested, a consumer is guaranteed access to retrieve or remove their personal data. Even with express permission to store and disseminate data, if security concerns or unprotected data appear to its regulatory bodies, an administrative penalty can be applied to the business failing to meet these requirements. Encryption is the most recommended method of maintaining privacy while storing and distributing personal data but is not strictly required by the GDPR.

Should a breach occur, the GDPR requires that regulatory bodies be notified within 72 hours, and all potentially impacted users must be informed of the breach as well. From there, further penalties are imposed, including either 4% of a company’s global turnover or up to 20 million euros, whichever is higher.

Who is subject to regulation?

Both the CCPA and GDPR focus on enforcing businesses’ responsibility to their consumers for transparency. Where the GDPR has set itself apart from its predecessors is in the broad base of businesses subject to these new requirements. Any business that processes personal information from EU citizens is subject to these regulations, regardless of its locality. It is obviously more difficult to enforce these rulings on foreign organizations, but ultimately the goal is that everyone who handles personal data from the EU follows the same rules and owes the same restitution.

Along the same lines, the pending California privacy reform imposes financial penalties on noncompliant companies. At the same time, the CCPA places the ability to sue companies for breaches of privacy in the hands of the impacted consumer. Unlike the EU GDPR, however, these laws will only be enforced in the event of a breach, rather than imposing penalties for unsecured personal data storage and usage.

The CCPA is also a bit more limited in scope, as it only covers California citizens using services from California-based companies. Regulated companies must also have revenue of at least $25 million, although a company whose primary business model is the exchange of personal data is automatically included in the regulatory pool.

Why does it matter?

The GDPR is designed to empower consumers’ control over their personal data. It is one of the more broadly sweeping sets of regulations against abuses of personal data by online organizations, and in many states throughout the US, there is clear inspiration drawn from the EU’s regulations to create the same sense of transparency and security for American consumers. California’s new regulatory action is a prime example of this inspiration, and these new standards can easily be expected to continue through more states across the US as consumers develop a better understanding of how their personal data is being used - with or without their consent.