What companies need to know to comply with the new regulations
These days, data protection is something everyone has to take seriously, and perhaps businesses especially. With serious data breaches now a routine occurrence, companies have to do everything they can to ensure customer information is as secure as possible.
The March scandal involving Facebook’s improper sharing of user information with third parties (plus another, more recent scandal) has also put an immense focus on how companies protect, use, and share the data of customers – and governments are looking for ways to make sure individuals have greater insight into and control over their personal data.
In this regard, the European Union (EU) was ahead of the curve. It was with privacy and security concerns in mind that the General Data Protection Regulation (GDPR) was proposed by the EU in 2012, and put into practice this year.
What is the GDPR exactly?
The GDPR is a set of guidelines for the way companies collect, protect, and use customer data. It went into effect across the EU on May 25 of this year.
Does the GDPR affect American companies?
Yes and no. If your company never handles any data from someone in the EU, you won’t have to worry about GDPR. But regardless of where you are located, if people in the EU buy from you – or provide sensitive data in any transaction – you have to adhere to the regulations.
What are these regulations?
For one thing, businesses are now obligated to inform customers what information they have on them and how they are using it, if customers so desire. There is also a “right to be forgotten” stipulation that enables people to have a company erase all personal data and any processing of it by third parties.
Personal data includes IP addresses, locations, and browsing history. As for data breaches, companies have 72 hours to report one if it could “result in a risk for the rights and freedoms of individuals.” Customers also have to be notified “without undue delay.”
GDPR also has a component called “privacy by design” that new companies especially should know about. It is now a legal requirement that data protection be built in from the beginning when designing a system, rather than adding safeguards later on. Part of this includes holding and processing only data that is absolutely necessary, as well as limiting access to this data.
A full list of the requirements can be found at the official website of the European Commission, the EU’s executive arm.
What are the penalties for violations?
This is where companies should really pay attention, because if they violate any of the GDPR rules, they could be facing large fines. For the most serious offenses, a company could be fined 20 million euros – which is about $24 million – or four percent of their yearly revenue, whichever is higher. For example, if Google were found to be in violation, the company would have to pony up a whopping $2.5 billion.
Why doesn’t the U.S. have something like this?
As the Facebook breach proved, data management regulations in the US are behind the efforts of the EU. Currently, a bill called the Social Media Privacy Protection and Consumer Rights Act of 2018 is floating around Congress that could help change that. If passed into law, it would create rules similar to the ones imposed by the GDPR.
What do companies need to know going forward?
Transparency is a key element of the GDPR. Companies need to be open and honest about the data they obtain from people and how it will be used. It is also important that companies get consent from customers for any data they collect. Businesses that haven’t updated their terms of service in a while should make this a priority.
Zero-In has always taken data security very seriously, which is why we welcome the new GDPR guidelines. To learn about our data security and privacy policies, feel free to contact us. You can fill out our online contact form at the bottom-right of the page, or call us at 888-260-7291.