The General Data Protection Regulation (GDPR) is one of the most stringent global privacy and security laws. It became fully enforceable on May 25, 2018, and has subsequently changed the way digital privacy is handled.
In this article, you will learn what the GDPR is, who it applies to, and how to comply with it.
The GDPR is considered the gold standard of privacy laws. It was introduced to address the challenges of protecting personal information and digital security in the EU.
The main goal of the GDPR is to give EU residents full control over their personal information. To do this, it requires businesses to follow strict rules, such as:
To ensure you comply with GDPR rules, it is essential to understand its key definitions and terms.
Let's break down the main terminologies used in GDPR:
Personal data is defined by Article 4 (1) of the GDPR as:
This broad definition includes various types of information including, but not limited to:
Basically, any type of information that can identify a real person is classified as personal data.
Sensitive data refers to more delicate types of personal data. Due to its sensitive nature, the GDPR imposes stricter responsibilities on businesses handling this type of information.
The following data is classified as sensitive data:
The processing restrictions can be found in Article 9 of the legislation.
Processing is defined in Article 4 (2) as:
The term is used more than 630 times in the GDPR. It covers practically everything you can do with data: how it is collected, used, made available, and erased.
The data controller is the individual or organization that determines the purposes and means of processing personal data. Controllers are responsible for making decisions about data processing and ensuring that the rights of data subjects are protected.
A data processor is an individual or organization that processes personal data on behalf of the data controller. Processors follow the controller's instructions and handle the data according to their directions. This role often includes third-party service providers and external agencies.
To better explain the differences between a data processor and data controller, here are some examples:
E-commerce Business Using a Marketing Platform
If your online boutique uses a service like Mailchimp to send promotional emails to your customers, your boutique is the data controller. You decide what data to collect and how to use it for marketing. Mailchimp, which sends the emails based on your instructions, is the data processor.
Fitness App Collecting User Data
If your fitness app collects users' health data, like exercise routines and dietary preferences, to offer personalized fitness plans, your app company is the data controller. You determine the purposes and means of processing this data. If you use a cloud service to store this information, that service acts as the data processor.
Travel Agency Using a Booking System
If your travel agency gathers clients' personal information to book flights and accommodations through a third-party booking system, your agency is the data controller. The third-party booking system, which processes the bookings according to your specifications, is the data processor.
Healthcare Provider Using Electronic Health Records (EHR)
If your clinic collects patient information to manage medical records and treatment plans, your clinic is the data controller. If you employ an EHR software company to maintain these records, that company is the data processor.
These scenarios illustrate that the data controller is the entity that makes key decisions about data collection and use, ensuring compliance with GDPR by managing how personal data is processed.
While GDPR largely applies to businesses that process data within the EU, there are circumstances where it applies to non-EU businesses too.
To determine if your non-EU business needs to adhere to GDPR rules, let's break down the main criteria:
Recital 23 of the GDPR states that simply making a product or service available to EU individuals does not necessarily mean you are offering it to them:
So, if you intentionally target individuals in the EU to offer them products or services, whether paid or free, GDPR rules apply. The key aspect to consider here is the intentional "offer."
If you do not intentionally target EU residents with your products or services, the GDPR does not apply.
Here are some examples of intentional offers to EU residents:
These examples clearly demonstrate that these businesses are targeting individuals in the EU, and thus, they must comply with the GDPR.
Now let's look at some examples of unintentional offers:
These scenarios show that the businesses are not intentionally targeting EU residents. As such, they may not be required to comply with GDPR, provided they do not actively process or collect data from individuals in the EU.
The GDPR applies if you are monitoring the activities of individuals in the EU.
Let's look at some examples of what monitoring behavior includes:
These activities indicate that you are observing and analyzing the behavior of EU residents.
GDPR will apply to your business if you collect or process personal data from EU residents. If the data you collect and process is classed as sensitive data, you will need to follow stricter requirements set out in Recital 51.
To sum up, if you collect personal data, target EU residents, and monitor their behavior, the GDPR definitely applies to your business.
While the GDPR has a wide-ranging impact, there are exceptions for certain businesses, types of data, and specific conditions.
If your business is outside the EU and does not specifically target EU residents for offering products, services, or tracking their behavior, GDPR does not apply. Other exemptions include:
Some businesses, even when not required, opt to implement additional safeguards as a precaution to ensure they do not inadvertently engage with EU residents.
The GDPR sets out several key requirements to protect and manage personal data. These rules ensure people have more control over their personal information and strict data protection practices are in place.
Here are the main requirements of the GDPR:
Navigating GDPR compliance can seem daunting but breaking it down into manageable steps makes it more approachable.
Here we will guide you through the essential actions your business needs to take to align with GDPR regulations.
Article 6 of the GDPR states that all data processing must be carried out in accordance with six lawful bases. These include:
Obtaining consent where it is necessary is one of the most important aspects of GDPR compliance.
Article 6 (a) states:
Further clarification is provided in Article 7 of the GDPR that consent must be:
You cannot pressure or force data subjects into giving consent. This means users should not face negative repercussions if they choose not to provide consent, such as being denied access to your services.
For consent to be valid under GDPR, individuals must actively indicate their agreement to your data processing activities. Passive agreements like "By using this site, you agree to our terms" are not compliant. Similarly, using pre-ticked boxes is not acceptable.
Users need to explicitly opt in to your data processing activities. This can be done through clear actions, such as ticking an empty checkbox labeled "I Agree" or clicking an "I Accept" button.
You should also keep records of the consent given and ensure that users can withdraw their consent just as easily as they provided it.
Stripe, for example, provides an easy unsubscribe link in its sign-up form:
You will also need to obtain consent for non-essential cookies. Use the clickwrap method (an explicit click on an "I Accept" control) for this purpose.
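The consent rules above (a clear affirmative act, no pre-ticked boxes, consent that is not a condition of service, records kept, withdrawal as easy as granting, and consent tracked per purpose) translate directly into how a consent log should behave. The following register is an added example written for this article, not code from any product mentioned on the page; the field names and purposes are assumptions.

```python
"""Consent register modelled on GDPR Article 7 conditions (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


class InvalidConsent(ValueError):
    """Raised when a consent event does not meet the Article 7 conditions."""


@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str                 # e.g. "marketing_email", "analytics_cookies"
    granted: bool                # True = consent given, False = withdrawn
    affirmative_action: bool     # user ticked an empty box or clicked "I Accept"
    pre_ticked: bool             # box was already checked before the user acted
    conditional_on_service: bool  # access would be denied without consent
    policy_version: str          # which wording the subject actually saw
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class ConsentRegister:
    """Append-only log: the latest event per subject and purpose decides."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.granted:
            # "By using this site you agree" and pre-ticked boxes are not consent.
            if ev.pre_ticked or not ev.affirmative_action:
                raise InvalidConsent("consent requires a clear affirmative act")
            # Consent is not freely given if refusing it blocks the service.
            if ev.conditional_on_service:
                raise InvalidConsent("consent must not be a condition of service")
        # Withdrawals are always accepted: withdrawing must be as easy as granting.
        self._events.append(ev)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Consent is granular: one purpose never implies another.
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.granted
        return False  # no record means no consent (privacy by default)

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Evidence of what was agreed, when, and under which policy version."""
        return [e for e in self._events if e.subject_id == subject_id]
```

Before any processing that relies on consent, call `has_consent` for that specific purpose; the `history` output is the record you would show a supervisory authority.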
Article 6 (b) states:
The GDPR allows organizations to process personal data without explicit consent when it is necessary to fulfill a contractual obligation.
Under this lawful basis, one of the following scenarios may apply:
In both cases, processing personal data is necessary to either fulfill or prepare for a contractual agreement.
Legal obligation is covered by Article 6 (c):
In certain situations, you may need to process personal data to adhere to legal or statutory requirements.
Example: A financial institution must retain customer transaction records to comply with anti-money laundering laws. This means they are legally obligated to process and store specific data to meet regulatory requirements.
Article 6 (d) states:
The GDPR permits processing personal data if it is crucial for saving a life, whether the individual's or someone else's.
This basis for data processing should be used only as a last resort. According to Recital 46 of the GDPR, this means you should only rely on this basis when no other lawful bases are applicable:
In practice, this legal basis is typically only relevant in emergency medical situations.
Article 6 (e) states:
Put simply, if you are a public institution or an organization acting on behalf of one, you are allowed to process personal data to carry out a task in the public interest or under official authority.
For example, a government agency may need to access personal data to administer social welfare programs effectively.
According to Article 6 (f), if you have a genuine and reasonable purpose that does not override the fundamental rights and freedoms of the data subjects, you can process personal data.
The Legitimate Interests lawful basis is defined as:
You must clearly demonstrate that your data processing addresses a specific need or provides a meaningful service to your customers.
To determine if legitimate interests apply, businesses need to assess if the data is necessary, and whether the benefits of processing outweigh potential risks to the individual's rights.
If the answer to both of the above is no, you cannot use Legitimate Interests as your lawful basis for processing data.
Organizations must incorporate data protection principles from the outset, known as "Data Protection by Design." This means considering privacy and data protection issues at the initial stages of any project and throughout its lifecycle.
For example, when developing a new product, service, or business process, data protection should be an integral part of the planning and implementation phases. This proactive approach ensures that privacy measures are built into the system from the ground up.
"Data Protection by Default" means that organizations should only process the data that is necessary for each specific purpose, and nothing more. This principle minimizes the amount of personal data collected and limits its accessibility to only those who need it to perform their tasks.
For example, default settings should favor privacy, and users should be given the option to adjust their data-sharing preferences. Ensuring that privacy settings are set to the highest level by default protects user data without requiring them to change their settings proactively. This approach not only complies with GDPR, but also builds trust with users.
Even with stringent security measures in place, your business may still fall victim to a data breach.
If there is a data breach, GDPR regulations state that organizations must notify the relevant supervisory authority within 72 hours. They also need to inform affected individuals promptly if the breach poses a high risk to their rights and freedoms.
A Data Protection Officer (DPO) oversees an organization's data protection strategy and ensures compliance with the GDPR. While appointing a DPO is mandatory in certain situations, it's a beneficial practice for all organizations.
You are required to appoint a DPO if:
Even if your organization doesn't meet these criteria, having a DPO can still be advantageous. They are responsible for:
It's essential to make your DPO's name and contact information easily accessible, especially in your Privacy Policy and other visible areas on your platform. This ensures transparency and accessibility for all stakeholders involved.
You need to determine whether the services or companies your business uses are GDPR-compliant. It's crucial to understand the Privacy Policies of any third-party service or company you work with, directly or indirectly.
If these third parties handle data on your behalf, ensure they align with your privacy policy and adhere to GDPR standards.
Keep detailed records of your data processing activities, data protection measures, and compliance efforts. This documentation is crucial for demonstrating accountability and responding to audits or inquiries from supervisory authorities.
Non-compliance with GDPR can result in severe financial and reputational damage.
GDPR enforces a tiered system of fines based on the severity and nature of the violation.
For tier 1 violations, fines can be up to 2% of annual revenue or €10 million, whichever is higher.
With tier 2 violations, fines can reach up to 4% of annual revenue or €20 million, whichever is higher.
Tier 1 fines can be given for:
Tier 2 fines can be given for:
Not all GDPR violations result in financial penalties. Depending on the specifics, GDPR authorities may decide on other actions. These may include banning processing activities, ordering the deletion of data, or restricting cross-border data transfers.
In addition to regulatory fines, organizations may face legal consequences, such as lawsuits from those affected by the breach. Individuals have the right to seek compensation for material or non-material damages resulting from a GDPR infringement.
Alongside financial penalties, non-compliance with GDPR can lead to significant reputational damage. Public awareness of a data breach or regulatory action can destroy customer trust and damage your brand.
This loss of trust can have long-term consequences, including loss of business and a competitive disadvantage.
If your business handles and stores the data of EU citizens, you will need to comply with GDPR.
The main steps you can take as a business to ensure compliance are:
While this guide provides a comprehensive overview, the regulation itself is extensive, spanning 88 pages.
If your organization is impacted by the GDPR, it's crucial to have someone thoroughly review the full text of the Regulation. Consulting with a legal professional can also help ensure that your practices are fully compliant with GDPR requirements.