What is the General Data Protection Regulation (GDPR)?
What is GDPR?

The General Data Protection Regulation, or GDPR, is a European Union (EU) law that governs how organizations within and outside the EU handle the personal data of EU residents. GDPR was adopted by the European Parliament and Council of the EU in 2016 and took effect on 25 May 2018.

Specifically, GDPR

  • defines legally approved ways to transfer and process personal data;

  • details how organizations must protect personal data at rest and in transit; and

  • establishes EU residents' rights over personal data collection, use and possession.

GDPR defines personal data as any information relating to an identifiable human being, including direct and indirect identifiers. Direct identifiers are a person's unique data points, like their name or credit card number. Indirect identifiers include non-unique traits that can still identify a person, like physical characteristics and dates of birth.  

In GDPR parlance, a data subject is the person a piece of data is about. For example, if a company collects email addresses, the owners of those addresses would be the data subjects. 

While GDPR is a European law, it has a global reach. It applies to any organization anywhere that collects or uses the personal data of EU residents.

IBM Cloud and GDPR

To help organizations meet GDPR requirements, IBM is enhancing its ongoing commitment to data privacy by design. IBM is working to embed data protection principles even more deeply into its business processes. This work also strengthens existing safeguards to limit access to personal data, including mobile applications that prevent the sharing of personal data by default.

As part of this effort, many IBM Cloud offerings and services have European Union Cloud Code of Conduct (EU Cloud CoC) Certification. EU Cloud CoC requirements provide a framework for Cloud Service Providers (CSPs) to demonstrate their capability to comply with GDPR. For more information on the specific IBM Cloud offerings and services that have obtained EU Cloud CoC Certification, visit our EU Cloud CoC page or read our Verification of Declaration of Adherence.

For more information on IBM Security and Privacy please visit the IBM Trust Center.

For more information on IBM’s Data Privacy Contractual Terms please review them at IBM Terms, under Data Protection.

For data privacy related questions, contact the IBM privacy team directly at chiefprivacyoffice@ca.ibm.com.

Who must comply with GDPR?
Businesses based in the European Economic Area (EEA)

GDPR's data handling rules and principles apply to all data controllers and processors active in the EEA, which includes all 27 EU member states plus Iceland, Liechtenstein and Norway.

A data controller (controller) is any organization, public authority or other group or person that collects personal data and determines how it is used. For example, a social media site that keeps databases on its users would be a controller.

A data processor (processor) is any organization that acts on personal data in some way, such as by analyzing, storing or altering it. A company can be both a controller and a processor. Processors can also be third-party organizations that process data on a controller's behalf, like a cloud service provider that offers data storage and analytics.

All controllers and processors based in the EEA are bound by GDPR, even if they store and process data outside the EEA. 

Businesses based outside the EEA

A business based outside of the EEA is bound by GDPR if any of the following conditions apply:

  • The company regularly offers goods and services to EEA residents, even if no money changes hands.

  • The company regularly monitors the activity of EEA residents, such as by using tracking cookies.

  • The company processes data on behalf of controllers based in the EEA. 

The only data processing activities exempt from GDPR are national security or law enforcement activities and purely personal uses of data.

GDPR principles

GDPR sets several principles that controllers and processors must follow when handling personal data. In broad terms, these principles state that all processing activities must be clearly defined, transparent and fair.

Under the principle of purpose limitation, companies must have a specific, lawful purpose in mind for any data they collect. They must convey that purpose to users and only collect the minimum amount of data required for that purpose.

Companies must use data fairly. They must keep users informed about the processing of personal data and follow data protection rules. Under the principle of storage limitation, a company should only keep personal data until its purpose is fulfilled. Data should be deleted once it is no longer needed.

Legal bases for processing data

GDPR defines the legal bases companies can use to process personal data. At least one of these conditions must be met, or else the processing is illegal.

The data subject consents to having their data processed. Companies can process a person's data if they consent to it. Consent is only valid if it is informed, affirmative and freely given. 

For consent to be informed, the company must clearly explain what it collects and how it will use that data. For consent to be affirmative, the user must take intentional action to show their consent, such as by signing a statement or checking a box. Consent cannot be the default option, so things like pre-checked boxes violate GDPR. For consent to be freely given, the company cannot influence or coerce the subject in any way. The company cannot require consent to use a service unless the processing is necessary for the service to work. For example, a company may need a person's credit card number to sell them something, but it probably doesn't need their IP address.   

The company cannot bundle consents if the data is being processed for multiple purposes. The subject must be able to accept or reject each processing activity individually. Organizations must keep records of consent. Subjects can withdraw their consent at any time. If they do, processing must stop. 

The data must be processed to execute a contract with the data subject or on the subject's behalf. For example, if someone applies for a loan, the bank may need to process their financial data and employment history. 

The controller has a legal obligation to process the data. For example, some healthcare regulations require hospitals to keep patient data on file. 

The data must be processed to protect the vital interests of the subject or another person. This refers to situations where data must be processed to save a person's life or prevent harm.   

The data must be processed to carry out a task that is in the public interest or part of the controller's official authority. Journalism is a classic example of a public-interest reason for processing personal data. Government agencies can process personal data to exercise their official functions.   

The data must be processed to pursue a legitimate interest of the controller or a third party. A legitimate interest is a benefit a company could gain through data processing. Examples include doing background checks on employees or tracking IP addresses on a corporate network for cybersecurity purposes. The processing must be necessary to count as a legitimate interest. A company cannot claim a legitimate interest if it can achieve the task without the data in question. Data subjects must also reasonably expect the processing. If subjects would be surprised to hear that their data is being used a certain way, the company likely doesn't have legitimate interest grounds. The rights of data subjects generally trump a company's legitimate interests.

Organizations must establish and document their bases before collecting data. They must communicate these bases to users. Companies cannot change their bases after the fact without the subject's consent.  

Special categories of personal data

GDPR considers some types of data especially sensitive. These special categories include information on a person's race or ethnicity, religious beliefs, political opinions and biometric data, among other things.

Companies can only process special category data under very specific circumstances. These include, but are not limited to:

  • The subject has granted explicit consent.

  • The processing is necessary for scientific or historical research.

In addition, data on criminal convictions can only be controlled by official authorities and processed at their direction.

Other GDPR requirements

In addition to following the processing principles and establishing a legal basis for all processing activities, organizations must follow a few other rules to be GDPR-compliant.

Data protection impact assessments

If a company wants to process data in a way that poses a significant risk to data subjects, it must first conduct a data protection impact assessment. Situations that could trigger an assessment may include any automated processing or any large-scale processing of sensitive data.

The assessment must describe the processing, explain why it is necessary, evaluate the risks and look at ways to mitigate them. If the assessment shows that significant unmitigated risk exists, the company must consult the relevant data protection authority before moving forward.  

Data protection officers (DPOs)

Under GDPR, some companies must appoint data protection officers (DPOs). The DPO is an independent corporate officer in charge of GDPR compliance. Companies cannot retaliate against a DPO for carrying out their duties.  

The DPO's responsibilities include advising organizations on GDPR and other data protection laws, overseeing data protection impact assessments and acting as the point of contact for government regulators and data subjects.  

All public authorities must appoint DPOs. Private companies must appoint DPOs if they monitor data subjects on a large scale or process special category data as a core activity. Additionally, companies outside of Europe must designate representatives within the EEA if they regularly process EEA residents' data or particularly sensitive data.

Data transfer safeguards and procedures

Data controllers are responsible for any data they share with processors and third parties. Controllers and processors often enter into formal data processing agreements to comply with GDPR. These binding contracts outline details like the kinds of processing a processor can do and the types of security measures they must employ.

Third-party processors can only process data under the controller's direction. They cannot use a controller's data for their own purposes.   

Controllers in the EEA can only transfer data to processors in so-called "third countries" outside the EEA under certain conditions. They can freely transfer data to any third country that the European Commission deems to have adequate data privacy laws. Controllers can also transfer data to individual processors whose safeguards the Commission considers sufficient. If neither the country nor the processor has Commission approval, the transfer may still be allowed if the controller can ensure the data will be protected.   

Information security controls

Controllers and processors must put both organizational and technical security measures in place for the protection of personal data.  

Organizational measures include processes like training employees on GDPR rules and implementing formal data governance policies.

Technical security controls include software, hardware and other technology tools. For example, encryption and pseudonymization techniques can make personal data useless to hackers who intercept or steal it.
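The pseudonymization control mentioned above, as an added example that is not IBM's code or anything taken from the regulation: direct identifiers in a record are replaced with keyed tokens (HMAC-SHA256), so that records about one person stay linkable for analytics or for answering an access request, while re-identification needs a key that is held separately from the data. The record layout, field names and the sample key are constructed for this example.

```python
"""Pseudonymize the direct identifiers in a customer record.

Added example, not IBM's or the regulation's own code. It assumes a flat
dict record with the constructed field names below, and that the key is
kept by a separate system from the pseudonymized data (GDPR's notion of
"additional information kept separately"). The key here is a constructed
sample; a real deployment would generate it with secrets.token_bytes(32).
"""
import hashlib
import hmac
from typing import Any

# Fields the article calls direct identifiers: unique to one person.
DIRECT_IDENTIFIERS = ("name", "email", "card_number")

# Constructed sample key for the demo; not a real secret.
SAMPLE_KEY = b"constructed-sample-key-do-not-use-in-prod"


def pseudonymize_value(value: str, key: bytes, field: str) -> str:
    """Replace one direct identifier with a keyed, deterministic token.

    A keyed HMAC is used instead of a bare hash: without the key an attacker
    holding the pseudonymized data cannot rebuild the mapping by hashing
    guessed emails or card numbers. The field name is mixed into the message
    so the same string in two fields yields two unrelated tokens. The same
    (key, field, value) always gives the same token, which keeps a person's
    records linkable.
    """
    message = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return a copy of the record with direct identifiers tokenized.

    As a data-minimization step, the full date of birth (an indirect
    identifier) is reduced to the birth year, which is all the constructed
    downstream purpose (age-band statistics) needs.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field):
            out[field] = pseudonymize_value(str(out[field]), key, field)
    if "date_of_birth" in out:
        out["birth_year"] = str(out.pop("date_of_birth"))[:4]
    return out


def contains_plaintext_identifiers(original: dict[str, Any],
                                   pseudonymized: dict[str, Any]) -> bool:
    """Export check: true if any direct identifier survived verbatim."""
    blob = " ".join(str(v).lower() for v in pseudonymized.values())
    return any(str(original[f]).lower() in blob
               for f in DIRECT_IDENTIFIERS if original.get(f))


# Constructed sample record.
SAMPLE_RECORD = {
    "name": "Ada Lovelace",
    "email": "Ada@Example.org",
    "card_number": "4111111111111111",
    "date_of_birth": "1815-12-10",
    "country": "UK",
}

if __name__ == "__main__":
    pseudo = pseudonymize_record(SAMPLE_RECORD, SAMPLE_KEY)
    for k, v in pseudo.items():
        print(f"{k:12} {v}")
    print("plaintext identifiers left:",
          contains_plaintext_identifiers(SAMPLE_RECORD, pseudo))
```

Because the tokens are deterministic under one key, a subject-access or erasure request can be served by computing the token for the identifier the subject supplies and matching it against stored records, without keeping a plaintext lookup table beside the data. Rotating the key breaks that linkage, so rotation has to be planned together with the retention period.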

GDPR directs companies to adopt the principle of data protection by design and by default. In other words, organizations should make data security a key factor in every process, product and system they design or deploy. Data protection principles should be foundational to everything the company does rather than tacked on as an afterthought.  

Data breach notification

Controllers must report most personal data breaches to a supervisory authority within 72 hours. If a breach poses risks to data subjects—such as monetary or identity theft—the company must notify the affected subjects.  

Breach notifications must be sent directly to the victims. A public announcement is not sufficient unless direct communication would be unreasonable. Notifications should include details about the kinds of data stolen, the risks to subjects and how the company is addressing the situation. The notification must also tell subjects how to contact the DPO or another representative with concerns. The company does not need to notify subjects if a breach is unlikely to pose any real risk to them. For example, notification is not required if the stolen data is heavily encrypted and unusable to hackers. 

Rights under GDPR

The GDPR establishes a number of rights for data subjects in its jurisdiction.

Right to be informed about data collection and processing

Data subjects have a right to know who has their data, how they got it and what they're doing with it.

Right of access

Data subjects have the right to access any of their data that a company has.

Right to rectification

Data subjects have the right to correct inaccurate or outdated personal data.

Right to erasure

Sometimes called "the right to be forgotten," this refers to a subject's right to ask companies to delete their data. Companies must comply unless their interest in the data (e.g., a legal obligation to maintain certain records) outweighs this right.

Right to restriction of processing

If a subject believes their data is inaccurate, used unlawfully or no longer necessary for the company's purpose, they can ask the company to limit how their data is used. The company must comply unless it can prove it has an overriding interest in processing the data.

Right to data portability

Subjects have the right to move their data from one company to another. Companies must facilitate the transfer of personal data by storing data in a shareable format or sending it to a third party at the subject's request.   

Right to object

Data subjects can object to the processing of their data at any time. The company must stop processing unless and until it can prove that it has legitimate, overriding grounds to do so.

Rights related to automated decision making and profiling

GDPR defines profiling as the use of automated processing to evaluate some aspect of a person, such as predicting their work performance or web browsing behavior. Companies cannot use automated processing to make significant decisions without the consent of the people affected. Subjects have the right to contest decisions made on the sole basis of automated processing. They can offer input on the decision and demand the company appoint a human employee to review the decision.   

Enforcement and non-compliance penalties

GDPR is enforced by public regulatory bodies called data protection authorities (DPAs), also known as supervisory authorities. Each member state has its own DPA, which has jurisdiction over companies based in that state. Supervisory authorities can audit companies, hear complaints from data subjects and investigate violations. If a potential violation concerns subjects from multiple states, the investigation is led by the supervisory authority in the state where the company or its representative is based. 

In the event of non-compliance, supervisory authorities can issue fines and compel organizations to make specific changes. They can force companies to honor data subjects' requests and terminate illicit data processing activities.  

The European Data Protection Board (EDPB) facilitates coordination between the DPAs and ensures consistent application of GDPR rules throughout the EEA.  

Fines for non-compliance can be substantial. Minor infringements, like processing a child's data without parental consent, can result in fines of up to EUR 10,000,000 or 2% of the organization's worldwide revenue in the previous year, whichever amount is higher.

Major infringements, such as processing data for an unlawful purpose, can result in fines of up to EUR 20,000,000 or 4% of the organization's worldwide revenue in the previous year—again, whichever is higher.

Resources

Cost of a Data Breach 2023

Be better prepared for breaches by understanding their causes and the factors that increase or reduce costs. Learn from the experiences of more than 550 organizations that were hit by a data breach.

What is personally identifiable information (PII)?

PII is any information that can be used to uncover an individual's identity, such as their social security number, full name or email address.

How to stay ahead of ever-evolving data privacy regulations

The journey starts with a multimodal data governance framework, underpinned by a robust data architecture like data fabric.
