The digital age has compelled companies to collect data on customers so they can provide a more customized experience. However, businesses are required to follow specific requirements to maintain the privacy of their customers during the data collection process.
One of the most extensive regulations governing data collection is GDPR.
What is GDPR?
The General Data Protection Regulation, or GDPR, is a strict set of data privacy laws for businesses that collect data on EU citizens.
Under GDPR, businesses are responsible for safeguarding numerous types of personal information, including the customer's IP address, cookie data, home address, and Social Security number.
The full text of GDPR contains hundreds of provisions protecting individuals’ right to digital privacy, a right rooted in the 1950 European Convention on Human Rights. GDPR replaces the Data Protection Directive of 1995 and addresses the current digital privacy concerns of people who live in the EU.
Does GDPR impact US companies?
As the GDPR’s primary objective is to protect the data of EU residents, the regulation applies to all businesses that process such data, even if they aren’t based in the European Union. This is set out in Article 3 of GDPR, which defines the territorial scope of the legislation.
In other words, any company that collects data or provides a service to residents of Europe must comply with GDPR. Specifically, it applies to companies situated and registered outside of the EU that:
- Are located in the US but target EU customers (for instance, presenting prices in Euros or running location-specific ads).
- Engage in “professional or commercial activity.” This includes collecting funds from friends and family to finance a side business project.
- Use digital tools to track cookies or IP addresses of users visiting the website from EU countries.
What types of personal data does GDPR cover?
GDPR covers all types of personal user data, including (but not limited to):
- Personal ID information, such as names, addresses, contact numbers, or email addresses of users visiting the website
- Personal information, such as political opinions, ethnic origins, sexual orientation, and religious ideologies
- Health data, such as the patient’s genetic history, name, test results, emails, and audio recordings or physician notes about a patient
- Biometric data, such as fingerprints, facial patterns, voice, or typing cadence of users
- Web data, such as IP addresses, browsing activity, names, emails, and credit card information
Complying with GDPR requirements is extremely important for companies, regardless of their location. Let's look at some GDPR enforcement statistics to understand why.
GDPR enforcement: types of violations and fines
According to DLA Piper, GDPR regulators issued nearly $1.2 billion in fines since January 2021 — almost seven times 2020’s total.
As of February 2022, there have been around 1,000 fines, broken down into a few main types of violations:
- 224 firms were fined for not complying with GDPR.
- 87 companies were fined for insufficient fulfillment of GDPR.
- 350 firms were penalized for having an insufficient legal basis for data processing.
- 202 fines were given to firms that inadequately implemented technical and organizational measures to safeguard user privacy.
- 97 companies were penalized for failing to comply with data subjects’ rights.
- 6 penalties were due to the company's failure to comply with the data processing agreement.
- 12 firms were penalized for not hiring a data protection officer.
- 41 fines were due to ineffective collaboration with a supervisory authority.
- 6 penalties were made for undisclosed reasons.
How Persona helps businesses with GDPR compliance
When you use Persona for your identity processes, you can focus on growing your business and leave secure PII storage to us. Not holding PII in your own systems means you don’t carry the liability of potential breaches or leaked customer data, yet you still have easy and reliable access to it whenever you need it. We meet the highest security standards, so you can be confident that your data is safe with us and that you’re complying with GDPR and other data regulations, such as CPRA, from the start.
If an individual requests their PII, it’s easy to retrieve from Persona because all information about that user is stored under that user’s account. And if you have compliance or legal requirements for how long you can keep PII, you can set up automated PII removal on the cadence of your choosing.
Interested in learning more about how we store PII? Get in touch and we’d be happy to share more.