GDPR Guide

The General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws in the world. It became fully enforceable on May 25, 2018, and has since changed the way digital privacy is handled.

This article covers what the GDPR is, who it applies to, and how to comply with it.

What is the GDPR?

The GDPR is widely treated as the benchmark for privacy laws. It was introduced to address the challenges of protecting personal information and digital security in the EU.

The main goal of the GDPR is to give individuals in the EU control over their personal information. To do this, it requires businesses to follow strict rules, such as:

  • Improving data security
  • Getting clear permission before collecting certain types of data
  • Being open about how they use personal data

Key Definitions and Terms

To ensure you comply with GDPR rules, it is essential to understand its key definitions and terms.

Let's break down the main terminologies used in GDPR:

Personal Data

Personal data is defined by Article 4 (1) of the GDPR as:

[Image: text of GDPR Article 4(1)]

This broad definition covers many types of information, including but not limited to:

  • Names
  • Phone numbers
  • Mailing addresses
  • Identification card numbers
  • Email addresses
  • Videos/images
  • Social media handles
  • Online identifiers like web cookies and IP addresses
  • Financial details

In short, any information that can identify a living person, directly or indirectly, is personal data.

Sensitive Data

Sensitive data refers to types of personal data whose misuse could cause significant harm or discrimination. Because of this, the GDPR imposes stricter conditions on businesses that process it.

The GDPR calls these the "special categories of personal data." They are:

  • Genetic data
  • Biometric data used to uniquely identify a person
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health data
  • Data concerning a person's sex life or sexual orientation

Article 9 prohibits processing these categories unless one of its listed exceptions applies, such as the data subject's explicit consent. Data relating to criminal convictions and offences is not a special category, but it is subject to its own restrictions under Article 10.

Processing

Processing is defined in Article 4 (2) as:

[Image: text of GDPR Article 4(2)]

The term appears more than 630 times in the regulation. It covers practically anything you can do with data: collecting it, storing it, using it, making it available, and erasing it.

Data Controller

The data controller is the individual or organization that determines the purposes and means of processing personal data. Controllers are responsible for making decisions about data processing and ensuring that the rights of data subjects are protected.

Data Processor

A data processor is an individual or organization that processes personal data on behalf of the data controller. Processors follow the controller's instructions and handle the data according to their directions. This role often includes third-party service providers and external agencies.

To better explain the differences between a data processor and data controller, here are some examples:

  • E-commerce Business Using a Marketing Platform

    If your online boutique uses a service like Mailchimp to send promotional emails to your customers, your boutique is the data controller. You decide what data to collect and how to use it for marketing. Mailchimp, which sends the emails based on your instructions, is the data processor.

  • Fitness App Collecting User Data

    If your fitness app collects users' health data, like exercise routines and dietary preferences, to offer personalized fitness plans, your app company is the data controller. You determine the purposes and means of processing this data. If you use a cloud service to store this information, that service acts as the data processor.

  • Travel Agency Using a Booking System

    If your travel agency gathers clients' personal information to book flights and accommodations through a third-party booking system, your agency is the data controller. The third-party booking system, which processes the bookings according to your specifications, is the data processor.

  • Healthcare Provider Using Electronic Health Records (EHR)

    If your clinic collects patient information to manage medical records and treatment plans, your clinic is the data controller. If you employ an EHR software company to maintain these records, that company is the data processor.

These scenarios illustrate that the data controller is the entity that makes the key decisions about why and how personal data is processed, and it remains responsible for GDPR compliance even when a processor does the work on its behalf.

Who Does GDPR Apply To?

The GDPR applies to organizations established in the EU that process personal data, but under Article 3 it also reaches non-EU organizations in certain circumstances.

To determine if your non-EU business needs to adhere to GDPR rules, let's break down the main criteria:

Offering goods or services to individuals in the EU

Recital 23 explains that merely making a product or service accessible to people in the EU does not by itself mean you are offering it to them:

[Image: text of GDPR Recital 23]

So, if you intentionally target individuals in the EU to offer them goods or services, whether paid or free, the GDPR applies. The key point is the intentional offer. Citizenship and residence status are irrelevant; what matters is that the person is in the EU.

If you do not intentionally target people in the EU with your goods or services, this limb of Article 3(2) is not triggered. Monitoring, covered next, is a separate trigger, as is having an establishment in the EU.

Here are some examples of intentional offers to individuals in the EU:

  • A Subscription Service: A streaming service that supports payments in EU currencies like Euros or Swedish Krona
  • A Website with EU-Specific Domains: A website using country-code domains from EU countries such as .de (Germany), .fr (France), or .es (Spain)
  • Localized Advertising: An online store that displays ads in EU languages such as Spanish, Dutch, or Polish
  • EU Contact Details: A business with a dedicated phone number or address specifically for customers in the EU
  • International Shipping: A company that offers delivery options to EU countries

Each of these signals that the business is targeting individuals in the EU, so it must comply with the GDPR.

Now let's look at some examples of unintentional offers:

  • Global Website Without Localization: A U.S.-based blog or e-commerce site that is only available in English and does not use any EU-specific domains or languages
  • Currency Limitations: An online store that only accepts payments in U.S. dollars or other non-EU currencies, without offering any options for EU residents
  • General Advertising: An app that advertises in a generic way, without targeting specific EU languages or demographics
  • Non-EU Contact Information: A business that provides customer support with phone numbers and addresses only within its non-EU country of operation

These businesses are not intentionally targeting people in the EU, so the offer limb does not apply to them. They may still fall under the GDPR if they have an establishment in the EU or monitor the behavior of people in the EU.

Monitoring the behavior of individuals in the EU

The GDPR also applies if you monitor the behavior of individuals in the EU, as far as that behavior takes place within the EU (Article 3(2)(b)).

Let's look at some examples of what monitoring behavior includes:

  • Analyzing User Data: Using data analysis to understand and predict a person's behavior
  • Tracking Technologies: Implementing tracking pixels or similar technologies on a website
  • Targeted Marketing: Delivering personalized advertisements based on an individual's online behavior
  • Video Monitoring: Using surveillance cameras in public spaces

Each of these activities involves observing and analyzing the behavior of individuals in the EU.

Processing in the context of an EU establishment

The other main trigger is Article 3(1): the GDPR applies to any processing carried out in the context of the activities of an establishment in the EU, whether or not the processing itself takes place in the EU. A non-EU company whose EU office, branch, or subsidiary is involved in the processing falls under this rule. Merely holding some personal data about people in the EU, with no EU establishment, no intentional offer, and no monitoring, is not by itself a trigger.

Whichever trigger applies, if the data you process is classed as sensitive data, you must also meet the stricter conditions of Article 9 (Recital 51 explains the reasoning behind them).

To sum up, if you are established in the EU, target individuals in the EU with goods or services, or monitor their behavior, the GDPR applies to your business.

Exemptions to Who the GDPR Applies To

While the GDPR has a wide-ranging impact, there are exceptions for certain businesses, types of data, and specific conditions.

If your business is outside the EU, has no EU establishment, and neither targets people in the EU with goods or services nor monitors their behavior, the GDPR does not apply. Other exemptions include:

  • Personal or household activities: If you're handling personal data for private purposes, like keeping a contact list or managing family photos, GDPR doesn't apply.
  • Law enforcement and national security: Activities related to law enforcement, national security, and defense fall outside the GDPR. They are governed by other laws, such as the Law Enforcement Directive (EU) 2016/680 for police and criminal-justice processing.
  • Small and medium enterprises (SMEs): This carve-out is narrower than it sounds. Organizations with fewer than 250 employees are exempt only from keeping records of processing activities under Article 30, and even then not if the processing is likely to result in a risk to individuals, is not occasional, or involves sensitive or criminal-offence data. All other GDPR obligations still apply.
  • Journalistic, artistic, and literary expression: Activities in journalism, art, and literature have certain exemptions to balance data protection with freedom of expression.

Some businesses, even when not required to comply, implement additional safeguards as a precaution against inadvertently targeting or monitoring individuals in the EU.

What Does the GDPR Require?

The GDPR sets out several key requirements to protect and manage personal data. These rules ensure people have more control over their personal information and strict data protection practices are in place.

Here are the main requirements of the GDPR:

  • Have a lawful basis for every processing activity
  • Obtain valid consent where consent is the basis relied on
  • Honor data subject rights, such as access, rectification, erasure, portability, and objection
  • Apply data protection by design and by default
  • Notify data breaches on time
  • Appoint a Data Protection Officer (DPO) where required
  • Demonstrate accountability and keep records of processing

How to Comply with GDPR

Navigating GDPR compliance can seem daunting but breaking it down into manageable steps makes it more approachable.

Here we will guide you through the essential actions your business needs to take to align with GDPR regulations.

Understand the Lawful Basis for Processing under the GDPR

Article 6 of the GDPR states that processing is lawful only if at least one of six lawful bases applies. These are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Consent

Obtaining consent where it is necessary is one of the most important aspects of GDPR compliance.

Article 6(1)(a) states:

[Image: text of GDPR Article 6(1)(a)]

Article 4(11) and Article 7 set the conditions for valid consent. It must be:

  • Freely given
  • Specific, informed, and unambiguous
  • Given via a clear affirmative act
  • Demonstrable, so you can show it was obtained
  • As easy to withdraw as it was to give

You cannot pressure or force data subjects into giving consent. In particular, access to a service must not be made conditional on consent to processing that the service does not actually need (Article 7(4)); a user who declines optional processing should still be able to use the service.

For consent to be valid under GDPR, individuals must actively indicate their agreement to your data processing activities. Passive agreements like "By using this site, you agree to our terms" are not compliant. Similarly, using pre-ticked boxes is not acceptable.

Users need to explicitly opt in to each of your data processing purposes. This can be done through clear actions, such as ticking an empty checkbox labeled "I Agree" or clicking an "I Accept" button.

You should also keep records of the consent given, including what the user was shown and when, and ensure that users can withdraw their consent as easily as they gave it.

Stripe, for example, places an unsubscribe option right alongside its email sign-up form:

[Image: Stripe email sign-up form with the unsubscribe link highlighted]

You also need consent for non-essential cookies and similar tracking technologies. Use the clickwrap method for this: a banner or dialog with an explicit accept action, not a notice that treats continued browsing as agreement.
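To make the consent conditions concrete, here is an added example of a consent ledger. It is illustrative code written for this guide, not Stripe's or any other vendor's implementation. It records one event per purpose, refuses capture methods that are not a clear affirmative act, keeps the exact wording the user saw so consent can be demonstrated, and treats withdrawal as a first-class event with no extra friction. The purpose names, capture-method labels, and sample events are assumptions made for the example.

```python
"""Consent ledger: per-purpose opt-in, evidence and withdrawal.

Illustrative code written for this guide; purposes, capture-method labels
and the sample events are assumptions, not taken from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Capture methods that count as a clear affirmative act. Anything else
# (pre-ticked boxes, "by using this site you agree", silence) is rejected.
AFFIRMATIVE_METHODS = {"unticked_checkbox", "accept_button"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # one purpose per event, so consent stays granular
    granted: bool       # True = opt-in, False = withdrawal
    method: str         # how the choice was expressed
    statement: str      # exact wording shown to the user (makes consent informed)
    at: datetime        # timezone-aware timestamp


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def grant(self, subject_id, purpose, method, statement, at=None):
        """Record an opt-in; refuse anything that is not an affirmative act."""
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative act; consent not recorded")
        if not statement.strip():
            raise ValueError("store the wording the user saw so consent is demonstrable")
        self.events.append(ConsentEvent(subject_id, purpose, True, method,
                                        statement, at or datetime.now(timezone.utc)))

    def withdraw(self, subject_id, purpose, at=None):
        """Withdrawal needs no justification and no extra steps: it always succeeds."""
        self.events.append(ConsentEvent(subject_id, purpose, False, "withdraw_link",
                                        "", at or datetime.now(timezone.utc)))

    def has_consent(self, subject_id, purpose):
        """The most recent event for (subject, purpose) decides; no event means no consent."""
        relevant = [e for e in self.events
                    if e.subject_id == subject_id and e.purpose == purpose]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def evidence(self, subject_id, purpose):
        """Audit trail a supervisory authority could ask for (Article 7(1))."""
        return [e for e in self.events
                if e.subject_id == subject_id and e.purpose == purpose]


def demo():
    """Walk through a grant, a rejected pre-ticked box, and a withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed sample time
    ledger.grant("user-42", "marketing_email", "unticked_checkbox",
                 "Send me product news by email (optional).", t0)
    try:
        # A pre-ticked box is not consent, so nothing is recorded for analytics.
        ledger.grant("user-42", "analytics_cookies", "pre_ticked_checkbox",
                     "Allow analytics cookies", t0)
    except ValueError:
        pass
    marketing_before = ledger.has_consent("user-42", "marketing_email")    # True
    analytics = ledger.has_consent("user-42", "analytics_cookies")         # False
    ledger.withdraw("user-42", "marketing_email", t0.replace(day=2))
    marketing_after = ledger.has_consent("user-42", "marketing_email")     # False
    trail = len(ledger.evidence("user-42", "marketing_email"))             # 2 events
    return marketing_before, analytics, marketing_after, trail
```

The ledger is append-only on purpose: withdrawal does not delete the original grant, because the record of both events is what lets you show that marketing emails sent before the withdrawal were lawful and that none were sent after it.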

Contract

Article 6(1)(b) states:

[Image: text of GDPR Article 6(1)(b)]

The GDPR allows organizations to process personal data without consent when it is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering into one.

Under this lawful basis, one of the following scenarios may apply:

  • Existing Contract: You have a contract with an individual and need to process their personal data to meet your contractual responsibilities. For instance, a delivery service needs to retain customer information to ensure timely and accurate deliveries.
  • Pre-Contractual Steps: You are about to enter a contract with someone and need to process their personal data to decide whether to proceed. For example, a company may need to collect personal information to perform a credit check before offering a loan to a potential client.

In both cases, processing personal data is necessary to either fulfill or prepare for a contractual agreement.

Legal Obligation

Legal obligation is covered by Article 6(1)(c):

[Image: text of GDPR Article 6(1)(c)]

In certain situations, you may need to process personal data to comply with a legal obligation to which you are subject under EU or Member State law.

Example: A financial institution must retain customer transaction records to comply with anti-money laundering laws. This means they are legally obligated to process and store specific data to meet regulatory requirements.

Vital Interests

Article 6(1)(d) states:

[Image: text of GDPR Article 6(1)(d)]

The GDPR permits processing personal data when it is necessary to protect the vital interests of the data subject or of another person, which in practice means situations where a life is at stake.

This basis should be used only as a last resort. Recital 46 says that processing based on the vital interests of another person should in principle take place only where it cannot manifestly be based on another lawful basis:

[Image: text of GDPR Recital 46]

In practice, this legal basis is typically only relevant in emergency medical situations.

Public Task

Article 6(1)(e) states:

[Image: text of GDPR Article 6(1)(e)]

Put simply, if you are a public authority, or an organization performing a task in the public interest or exercising official authority conferred by law, you may process personal data as far as that task requires.

For example, a government agency may need to access personal data to administer social welfare programs effectively.

Legitimate Interests

Under Article 6(1)(f), you can process personal data when it is necessary for a legitimate interest pursued by you or by a third party, unless that interest is overridden by the interests, fundamental rights, and freedoms of the data subject, particularly where the data subject is a child.

The lawful basis is defined as:

[Image: text of GDPR Article 6(1)(f)]

In practice this is a three-part test. First, identify the legitimate interest: the processing must serve a genuine purpose, such as meeting a specific business need or providing a meaningful service to your customers. Second, show that the processing is necessary for that purpose and that there is no less intrusive way to achieve it. Third, balance your interest against the individual's interests, rights, and freedoms, taking into account what they would reasonably expect.

If any one of these parts fails, you cannot use Legitimate Interests as your lawful basis. Document the assessment either way, since a supervisory authority may ask to see it.

Apply Privacy By Design

Article 25 requires organizations to incorporate data protection principles from the outset, known as "Data Protection by Design." This means considering privacy and data protection issues at the initial stages of any project and throughout its lifecycle.

For example, when developing a new product, service, or business process, data protection should be an integral part of the planning and implementation phases. This proactive approach ensures that privacy measures such as pseudonymization, data minimization, and access controls are built into the system from the ground up rather than bolted on later.

"Data Protection by Default" means that, by default, you process only the personal data necessary for each specific purpose, and nothing more. That covers the amount of data collected, the extent of processing, how long the data is kept, and who can access it.

For example, default settings should favor privacy, and users should be given the option to widen their data sharing rather than having to narrow it. Setting privacy options to the most protective level by default protects users who never touch their settings. This approach not only complies with the GDPR but also builds trust with users.
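The following added example (not code from the article) shows one way to express data protection by design and by default in an application's data model. A per-purpose allow-list keeps only the fields a declared purpose needs and reports what was discarded, a lookup answers which purposes may use a stored field, and every optional sharing setting starts off, so a user who never opens the settings page gets the most protective configuration. The purposes, field names, and sample sign-up payload are assumptions made for the example.

```python
"""Data protection by design and by default, expressed in code.

Illustrative code written for this guide, not from the article. The purposes
in PURPOSE_FIELDS, the settings names and the sample payload are assumptions.
"""
from dataclasses import dataclass, asdict

# Fields each processing purpose genuinely needs (assumed for the example).
# Anything not listed for a purpose is never accepted under that purpose.
PURPOSE_FIELDS = {
    "account_signup": {"email", "password_hash"},
    "shipping": {"name", "street", "postcode", "country"},
    "newsletter": {"email"},
}


def minimise(payload, purpose):
    """Keep only the fields the declared purpose needs; report what was dropped."""
    allowed = PURPOSE_FIELDS[purpose]      # an undeclared purpose fails loudly (KeyError)
    kept = {k: v for k, v in payload.items() if k in allowed}
    dropped = set(payload) - allowed
    return kept, dropped


def purposes_for(field_name):
    """Purpose limitation: which declared purposes may use a stored field."""
    return {p for p, fields in PURPOSE_FIELDS.items() if field_name in fields}


@dataclass
class PrivacySettings:
    # Every optional disclosure starts off; users widen sharing, never narrow it.
    profile_public: bool = False
    share_with_partners: bool = False
    analytics: bool = False
    marketing_email: bool = False

    def enable(self, name):
        """Explicit opt-in to one setting; unknown names are rejected."""
        if name not in asdict(self):
            raise ValueError(f"unknown setting {name!r}")
        setattr(self, name, True)
        return self


def demo():
    # Constructed sign-up form submission that over-collects.
    signup = {"email": "a@example.com", "password_hash": "<argon2id hash>",
              "date_of_birth": "1990-01-01", "phone": "+1 555 0100"}
    kept, dropped = minimise(signup, "account_signup")
    fresh = PrivacySettings()
    return (sorted(kept), sorted(dropped),
            all(v is False for v in asdict(fresh).values()),
            purposes_for("email") == {"account_signup", "newsletter"},
            purposes_for("street") == {"shipping"})
```

Logging the dropped field names (never their values) is useful in review: a front end that keeps sending date_of_birth to the sign-up endpoint is over-collecting, and the log makes that visible without storing the data.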

Provide Timely Data Breach Notifications

Even with stringent security measures in place, your business may still fall victim to a data breach.

If a personal data breach occurs, Article 33 requires the controller to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A notification made after 72 hours must explain the delay, and every breach must be documented internally whether or not it is reported. Where the breach is likely to result in a high risk to individuals, Article 34 also requires the affected individuals to be informed without undue delay. A processor that detects a breach must notify its controller without undue delay.
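As an added example for incident responders (not code from the article), the following helper turns the Article 33 and 34 rules into a deadline and a checklist. The point it makes is that the 72-hour clock starts at awareness, not at the time of the incident, and runs in wall-clock hours, so a breach confirmed on a Friday evening is due on Monday. The risk labels, the Breach fields, and the sample incident are assumptions made for the example.

```python
"""Breach notification clock and obligations under Articles 33 and 34.

Illustrative code written for this guide, not from the article. Risk labels,
the Breach fields and the sample incident in demo() are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SA_WINDOW = timedelta(hours=72)              # Art. 33(1): "where feasible, not later than 72 hours"
RISK_LEVELS = ("unlikely", "risk", "high")   # assumed labels for the outcome of the risk assessment


@dataclass
class Breach:
    occurred_at: datetime   # when the incident happened; may be weeks before detection
    aware_at: datetime      # when the controller established that a breach occurred
    risk: str               # assessed risk to individuals' rights and freedoms


def authority_deadline(b):
    """The clock starts at awareness, not at occurrence, and counts wall-clock hours."""
    return b.aware_at + SA_WINDOW


def obligations(b, now):
    """Return what the controller must do as of time `now`."""
    if b.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {b.risk!r}")
    if b.aware_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps for deadline arithmetic")
    notify_sa = b.risk != "unlikely"          # Art. 33(1): notify unless unlikely to result in a risk
    deadline = authority_deadline(b)
    return {
        "document_internally": True,          # Art. 33(5): record every breach, reported or not
        "notify_authority": notify_sa,
        "authority_deadline": deadline if notify_sa else None,
        "hours_remaining": (deadline - now) / timedelta(hours=1) if notify_sa else None,
        "reasons_for_delay_required": notify_sa and now > deadline,   # Art. 33(1), late notification
        "notify_data_subjects": b.risk == "high",   # Art. 34(1): without undue delay
    }


def demo():
    """A high-risk breach discovered on a Friday evening, 40 days after it happened."""
    aware = datetime(2024, 6, 7, 17, 30, tzinfo=timezone.utc)   # constructed: a Friday
    b = Breach(occurred_at=aware - timedelta(days=40), aware_at=aware, risk="high")
    now = obligations(b, now=aware + timedelta(hours=10))
    late = obligations(b, now=aware + timedelta(hours=80))
    quiet = obligations(Breach(aware, aware, "unlikely"), now=aware)
    return (
        now["authority_deadline"].isoformat(),      # '2024-06-10T17:30:00+00:00'
        now["authority_deadline"].strftime("%A"),   # 'Monday': the weekend did not pause the clock
        now["hours_remaining"],                     # 62.0
        now["notify_data_subjects"],                # True
        late["reasons_for_delay_required"],         # True
        quiet["notify_authority"],                  # False
        quiet["document_internally"],               # True
    )
```

Note what the helper deliberately does not do: it never uses occurred_at to compute the deadline. A breach that happened 40 days ago and was confirmed today still has a full 72 hours from confirmation, which is also why the awareness timestamp should be recorded in the incident ticket the moment the breach is established.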

Appoint a Data Protection Officer if Needed

A Data Protection Officer (DPO) oversees an organization's data protection strategy and ensures compliance with the GDPR. While appointing a DPO is mandatory in certain situations, it's a beneficial practice for all organizations.

You are required to appoint a DPO if:

  • Your organization is a public authority or body (except courts acting in their judicial capacity)
  • Your core activities involve regular and systematic monitoring of data subjects on a large scale
  • Your core activities involve large-scale processing of sensitive data or of data relating to criminal convictions and offences

Even if your organization doesn't meet these criteria, having a DPO can still be advantageous. They are responsible for:

  • Educating and advising data controllers and processors on their GDPR obligations
  • Monitoring the organization's compliance with GDPR
  • Providing guidance on Data Protection Impact Assessments (DPIAs)
  • Acting as the main point of contact for data subjects and supervisory authorities

Publish your DPO's contact details, for example in your Privacy Policy and other visible areas of your platform, and communicate them to your supervisory authority as Article 37 requires. This ensures data subjects and regulators can reach the DPO directly.

Check That Third Party Suppliers are GDPR Compliant

You need to determine whether the services or companies your business uses are GDPR-compliant. It's crucial to understand the Privacy Policies of any third-party service or company you work with, directly or indirectly.

If these third parties process personal data on your behalf, they are processors, and Article 28 requires a written contract (a data processing agreement) that binds them to act only on your documented instructions, keep the data secure, assist you with data subject requests and breach notifications, and delete or return the data when the service ends. Also check whether they transfer data outside the EU, and on what legal basis.

Keep Detailed Records

Keep detailed records of your data processing activities, data protection measures, and compliance efforts. This documentation is crucial for demonstrating accountability and responding to audits or inquiries from supervisory authorities.

Penalties for Not Complying with the GDPR

Non-compliance with GDPR can result in severe financial and reputational damage.

Fines and Legal Action

GDPR enforces a tiered system of fines based on the severity and nature of the violation.

For tier 1 violations, fines can be up to €10 million or 2% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher.

With tier 2 violations, fines can reach up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

Tier 1 fines can be given for:

  • Processing a child's personal data on the basis of consent without the required parental authorization
  • Failing to appoint a Data Protection Officer when required, or not supporting the DPO's tasks
  • Failing to put a compliant contract in place with a processor, or a processor acting outside the controller's instructions
  • Not implementing data protection by design and by default
  • Not notifying the supervisory authority or affected individuals of a data breach
  • Failing to carry out a required data protection impact assessment, or doing so inadequately
  • Failing to implement appropriate security measures for personal data
  • Not properly arranging responsibilities between joint controllers
  • Misusing a certification mechanism or failing to meet its conditions
  • Failing to keep records of processing activities

Tier 2 fines can be given for:

  • Violating the lawful basis for processing personal data, including improper consent
  • Disregarding data subjects' rights, such as access, erasure, and objection
  • Ignoring orders authorized by a GDPR supervisory authority
  • Mishandling cross-border personal data transfers
  • Not complying with laws adopted by Member States

Not all GDPR violations result in financial penalties. Depending on the specifics, GDPR authorities may decide on other actions. These may include banning processing activities, ordering the deletion of data, or restricting cross-border data transfers.

In addition to regulatory fines, organizations may face legal consequences, such as lawsuits from those affected by the breach. Individuals have the right to seek compensation for material or non-material damages resulting from a GDPR infringement.

Reputational Damage

Alongside financial penalties, non-compliance with GDPR can lead to significant reputational damage. Public awareness of a data breach or regulatory action can destroy customer trust and damage your brand.

This loss of trust can have long-term consequences, including loss of business and a competitive disadvantage.

Conclusion

If your business handles the personal data of individuals in the EU in any of the ways described above, you need to comply with the GDPR.

The main steps you can take as a business to ensure compliance are:

  • Appoint a Data Protection Officer (DPO), if applicable
  • Implement appropriate safeguards for personal data transfers to third countries
  • Post a GDPR-compliant Privacy Policy
  • Promptly notify appropriate supervisory authorities of data breaches
  • Maintain proper records of processing activities
  • Observe the principles of Privacy by Design (PbD)
  • Follow the GDPR's guidelines for obtaining consent

While this guide provides a comprehensive overview, the regulation itself is extensive, spanning 88 pages.

If your organization is impacted by the GDPR, it's crucial to have someone thoroughly review the full text of the Regulation. Consulting with a legal professional can also help ensure that your practices are fully compliant with GDPR requirements.
