The General Data Protection Regulation (GDPR) is a regulation that governs data protection and privacy in the European Union and the European Economic Area. It was developed to update and unify data protection law across the EU, replacing the Data Protection Directive of 1995. The regulation was passed in 2016 and went into effect on May 25, 2018.
The GDPR is among the strictest and most far-reaching privacy laws in effect. Penalties for noncompliance can be severe, including bans on processing personal data, large fines and consumer lawsuits.
The GDPR defines personal data (Article 4) as any information relating to an identified or identifiable natural person, the data subject. This covers personally identifiable information (PII) as well as health data and other "special categories" of sensitive data that carry extra restrictions, such as:
Although GDPR was passed by the European Union (EU), its territorial scope (Article 3) reaches any organization that processes the personal data of people located in the EU, regardless of their citizenship, when it offers them goods or services or monitors their behaviour, even if the organization has no establishment in Europe. A small business website that tracks European site visitors is as accountable as a large global corporation.
Since it was passed, the GDPR has been widely adopted by online companies across the globe, both those that actively market to European consumers and those that want to avoid the risk of accidentally storing data on European citizens.
The GDPR inspired subsequent privacy regulations in the U.S. state of California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) that amended it, and similar data privacy laws are expected to follow in other states. Because of this, many companies in the U.S. have adopted GDPR-aligned practices to get ahead of the curve and give site visitors confidence that their data is handled securely.
Organizations are GDPR compliant if they adhere to the regulation. Compliance is supervised and enforced by the independent data protection authority of each EU member state, coordinated through the European Data Protection Board, rather than by the European Commission itself. There are seven key principles that organizations must follow:
To achieve this, GDPR outlines a number of rules that must be followed. Examples include:
The full text of the GDPR outlines all the rules and defines criteria for maintaining compliance.
GDPR holds organizations accountable for the data they collect, process and store. This has implications not only for internal and external business processes, but also for how those processes are documented and enforced.
There are some best practices that organizations can follow to ensure GDPR compliance:
Website owners, as data controllers, remain responsible for the security of data collected on their site by third-party vendors. Such vendors often provide JavaScript code snippets, including social media pixels, chatbots, tracking scripts and payment iframes.
Third-party code vendors often state in their legal agreements that they are not responsible for what data their systems capture. If they do gain access to sensitive data, they disclaim liability on the grounds that the onus was on you not to grant that access in the first place.
If consumer data is exposed on your site because of an attack on a third-party vendor, you remain accountable under GDPR and may be liable for any damages that result. It is critical to continuously audit third-party code and to apply a zero trust posture to every script that runs in the browser.
Using client-side JavaScript leaves websites at risk of a supply chain attack that exposes protected data. Here’s why:
By exploiting weaknesses in client-side code, cybercriminals can conduct digital skimming and PII harvesting attacks, reading values from form fields and sending them to a domain they control. If consumer data is exposed due to an attack on your site, you could be forced to pay a hefty GDPR fine.
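One practical control against this class of attack is a Content Security Policy (CSP): `script-src` limits which third-party scripts the browser will load, and `connect-src` limits where page scripts may send data, so a skimmer that does load still cannot exfiltrate what it reads. The following is an added example, not code from the original page or from HUMAN: a minimal CSP evaluator that a reviewer can run over a list of observed script loads and outbound requests to see what a given policy would allow. All hostnames are hypothetical and use the reserved `.example` TLD; nonces, hashes, `'strict-dynamic'` and path matching are deliberately not modelled.

```javascript
// Added example (not from the page): a minimal Content-Security-Policy
// evaluator for reviewing a site's third-party script and exfiltration surface.
// Supports 'self', 'none', '*', scheme sources (https:) and host sources with
// an optional scheme, *.wildcard hosts and ports. Nonces, hashes,
// 'strict-dynamic' and path matching are not modelled.

function parseCsp(header) {
  // "script-src 'self' https://a; connect-src 'self'" -> Map(directive -> [sources])
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function effectivePort(url) {
  if (url.port) return url.port;
  return url.protocol === "https:" ? "443" : url.protocol === "http:" ? "80" : "";
}

function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.cdn.example" -> ".cdn.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceAllows(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === "*") return ["http:", "https:", "ws:", "wss:"].includes(target.protocol);
  if (s.startsWith("'")) return false; // nonce / hash / strict-dynamic: never matches a URL here
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme source, e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (target.protocol !== scheme + ":") return false;
  } else if (!(target.protocol === page.protocol ||
               (page.protocol === "http:" && target.protocol === "https:"))) {
    return false; // a scheme-less host source follows the page scheme (https upgrade allowed)
  }
  if (!hostMatches(host, target.hostname)) return false;
  if (port && port !== "*" && port !== effectivePort(target)) return false;
  return true;
}

// True when `directive` (falling back to default-src) permits urlString.
// A policy that sets neither directive imposes no restriction at all.
function directiveAllows(policy, directive, urlString, pageUrl) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (!sources) return true;
  const target = new URL(urlString);
  const page = new URL(pageUrl);
  return sources.some((src) => sourceAllows(src, target, page));
}

// Classifies observed client-side requests: script loads are judged against
// script-src, data sends (fetch/XHR/beacon) against connect-src.
function reviewRequests(header, pageUrl, requests) {
  const policy = parseCsp(header);
  return requests.map(({ kind, url }) => ({
    kind,
    url,
    allowed: directiveAllows(policy, kind === "script" ? "script-src" : "connect-src", url, pageUrl),
  }));
}

// Constructed sample: hypothetical hostnames under the reserved .example TLD.
const PAGE_URL = "https://shop.example/checkout";
const CSP_HEADER =
  "default-src 'self'; script-src 'self' https://cdn.tagvendor.example; " +
  "connect-src 'self' https://api.payments.example";
const OBSERVED = [
  { kind: "script", url: "https://shop.example/js/checkout.js" },    // first-party script
  { kind: "script", url: "https://cdn.tagvendor.example/tag.js" },   // approved vendor tag
  { kind: "script", url: "https://cdn.skimmer.example/loader.js" },  // unapproved script
  { kind: "connect", url: "https://api.payments.example/charge" },   // legitimate payment call
  { kind: "connect", url: "https://collect.skimmer.example/drop" },  // exfiltration attempt
];

for (const r of reviewRequests(CSP_HEADER, PAGE_URL, OBSERVED)) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.kind.padEnd(7)} ${r.url}`);
}
```

Run it with `node` and the two skimmer requests come back as BLOCK while the three legitimate ones are ALLOW. The `connect-src` line is the one that matters most for data protection: even if a malicious script slips past `script-src` (a compromised approved vendor, for instance), the browser refuses the outbound request that would carry the harvested form data. Pair the policy with `report-to`/`report-uri` so blocked requests generate evidence for an audit trail.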
Noncompliance with the GDPR can result in warnings, bans on processing personal data, fines and lawsuits.
National supervisory authorities can fine organizations up to 4% of global annual turnover or €20 million, whichever is higher, for violations of the basic principles of processing, of data subjects' rights (including the right to erasure) and of the rules on international transfers. For other obligations, such as breach notification and record-keeping, the ceiling is 2% of global annual turnover or €10 million, whichever is higher.
In addition, data subjects have the right to claim compensation from organizations when they suffer damage from a failure to comply with GDPR. Bans, fines and lawsuits can lead to significant financial losses, damage to brand reputation and loss of consumer trust.
Many well-known brands have been heavily fined for GDPR violations. British Airways was fined £20 million by the UK Information Commissioner's Office in 2020, at the time one of the largest GDPR fines issued, and separately settled a private class action, after a digital skimming attack on its website harvested the personal and payment card data of roughly 420,000 customers from its payment form fields.
HUMAN Client-Side Defense provides real-time visibility and granular control over the client-side supply chain attack surface. The solution identifies vulnerabilities and anomalous behavior, and proactively mitigates risk using a combination of Content Security Policy (CSP), granular JavaScript blocking and comprehensive client-side mitigation. This allows website owners to prevent known malicious scripts from loading and transmitting personal data, and to block third-party JavaScript from accessing sensitive form fields without disabling the entire script. Client-Side Defense safeguards users' PII against unauthorized exposure, supporting GDPR compliance.