6 Key Articles of the GDPR
The GDPR is the most comprehensive data protection and privacy regulation to date. It establishes precise rules for how personal data is collected, transferred, processed, and stored, and it grants individuals in the EU (the "data subjects") specific rights and protections regarding their personal information.
Simply put, the GDPR affects online businesses around the world, whether or not those businesses are located in the EU.
If you own or operate a website or app that collects and processes personal data of people in the EU, the GDPR applies to you (Article 3). Note that the regulation protects data subjects who are in the EU, not only EU citizens; this article uses "EU citizens" as shorthand.
Here are six key articles of the GDPR and their implications on your website and data handling procedures.
1. Rights of Individuals
The GDPR gives considerable rights to consumers with regard to the protection of their personal data. These rights include limiting the data collected in the first place, control of how the data is used and stored, and access to their data to change, transfer or delete it.
Let's look at these rights one-by-one.
Article 6 of the GDPR states that processing of the data subject's personal data is lawful only under certain circumstances, including when the individual gives consent to the processing of the personal data for a specific purpose.
This issue of acquiring consent from data subjects before processing their data is very important. It is not allowed under the GDPR to assume that EU citizens consent to collection of personal data simply because they visit your website or use your app. You must present users with the option to actively consent to your collection and use of their data if you choose to use consent as your lawful basis for processing.
See this example from Mikesdotnetting in which users must select one of two buttons, I'm happy with this or Learn more. Clicking I'm happy with this counts as giving consent. Be careful with this pattern, though: consent must be freely given and as easy to refuse or withdraw as it is to give (Article 7(3), Recital 42), so a banner that offers no equally prominent way to decline is a weak basis for processing.
Banner notices, pop-ups, unticked checkboxes and similar methods are good ways to tell users what information you intend to collect and for which purposes, and to give them a genuine choice to consent or decline. Pre-ticked boxes, silence and inactivity do not count as consent (Recital 32).
You must keep an electronic record of their choice, date-stamped with the time of their selection and the purpose it covers, so that you can demonstrate that consent was given (Article 7(1)), and you must provide an easy way to withdraw it.
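The following Python consent ledger is an added illustration (it is not code from this article, from Mikesdotnetting, or from any compliance product) of the record-keeping rules just described: no consent is assumed, consent is tied to a declared purpose, every decision is stored with a timestamp and the notice version shown, withdrawal is a new event rather than an edit, and the decision in force at any moment can be reconstructed. The user id, purpose names, timestamps and source labels are constructed for the example.

```python
"""Append-only consent ledger: one event per consent decision, per subject and purpose.

Added example, not production code. Persistence (a database table with the same
columns) is left out so the module runs stand-alone.
"""
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # the specific purpose the consent refers to (Art. 6(1)(a))
    granted: bool         # True = consent given, False = declined or withdrawn
    at: str               # ISO 8601 timestamp of the choice, stored as given
    source: str           # where the choice was captured, e.g. "cookie-banner-v3"
    notice_version: str   # version of the privacy notice shown at that moment


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC; naive times are rejected."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a timezone offset")
    return dt.astimezone(timezone.utc)


class ConsentLedger:
    """Rules encoded here:
    * no event for a (subject, purpose) pair means NO consent, nothing is assumed;
    * consent is per purpose, and only for purposes the controller has declared;
    * withdrawal is appended as a new event, so the history stays auditable;
    * the decision in force at time T is the latest event at or before T, which keeps
      processing that happened while consent was valid lawful after a withdrawal.
    """

    def __init__(self, declared_purposes: Set[str]) -> None:
        self._purposes = set(declared_purposes)
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               source: str, notice_version: str, at: str) -> ConsentEvent:
        if purpose not in self._purposes:
            raise ValueError(f"undeclared purpose: {purpose!r}")  # blanket consent is not specific
        _parse(at)  # validate the timestamp before storing it
        ev = ConsentEvent(subject_id, purpose, granted, at, source, notice_version)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 notice_version: str, at: str) -> ConsentEvent:
        """Withdrawal is simply a granted=False event; offering it must be as easy as consenting."""
        return self.record(subject_id, purpose, False, source, notice_version, at)

    def decision_at(self, subject_id: str, purpose: str, at: str) -> Optional[ConsentEvent]:
        """Return the event that governed processing for this purpose at time `at`, if any."""
        t = _parse(at)
        governing: Optional[ConsentEvent] = None
        for ev in self._events:  # later-appended events win ties, so a same-second withdrawal sticks
            if ev.subject_id == subject_id and ev.purpose == purpose and _parse(ev.at) <= t:
                if governing is None or _parse(ev.at) >= _parse(governing.at):
                    governing = ev
        return governing

    def is_permitted(self, subject_id: str, purpose: str, at: str) -> bool:
        ev = self.decision_at(subject_id, purpose, at)
        return ev is not None and ev.granted

    def history(self, subject_id: str) -> List[dict]:
        """Every event for a subject, oldest first: the evidence required by Art. 7(1),
        and the consent portion of an access or portability export."""
        return [asdict(ev) for ev in self._events if ev.subject_id == subject_id]


def demo() -> dict:
    """Constructed scenario: a user consents to analytics via a banner and withdraws ten days later."""
    ledger = ConsentLedger({"analytics", "email_marketing"})
    ledger.record("user-42", "analytics", True, "cookie-banner-v3", "notice-2024-01",
                  at="2024-03-01T09:00:00+00:00")
    ledger.withdraw("user-42", "analytics", "account-settings", "notice-2024-01",
                    at="2024-03-11T09:00:00+00:00")
    return {
        "before_consent": ledger.is_permitted("user-42", "analytics", "2024-02-28T00:00:00+00:00"),
        "while_consented": ledger.is_permitted("user-42", "analytics", "2024-03-05T00:00:00+00:00"),
        "after_withdrawal": ledger.is_permitted("user-42", "analytics", "2024-03-12T00:00:00+00:00"),
        "never_asked": ledger.is_permitted("user-42", "email_marketing", "2024-03-05T00:00:00+00:00"),
        "events": len(ledger.history("user-42")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `decision_at` taking a timestamp rather than answering "is consent valid now" is that an auditor will ask whether a particular processing run on a particular date was covered; `history` is what you hand over when a data subject or a supervisory authority asks you to demonstrate consent.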
Article 15, Right of access by the data subject, requires you to let your website users find out whether you process their personal data and, if so, to obtain access to it and a copy of it.
You must respond without undue delay and in any event within one month of the request (Article 12(3)); where requests are complex or numerous, that period can be extended by two further months, provided you tell the data subject within the first month why the extension is needed. The first copy must be provided free of charge, and in a commonly used electronic form if the request was made electronically (Article 15(3)).
According to this article, your customers can inquire about whether or not your business collects and processes their personal data.
If your business does process their personal data, then you're required to give your users access to it and to tell them why you process their data, which categories of personal data are involved, who the recipients are, how long the data will be stored (or the criteria used to decide that), where the data came from if you did not collect it from them, and whether it is used for automated decision-making. You'll also need to know how to respond when users exercise their rights.
For guidance on handling these requests, see our article: How to Handle Privacy Access Requests Under the GDPR.
Recital 59 discusses the modalities that should be provided for facilitating the exercise of these rights.
The GDPR also gives data subjects the right to restrict processing of their personal data.
This means a user can require you to stop actively using their information, other than storing it, while a dispute about it is resolved, even if they had previously consented to your data processing.
This is spelled out in Article 18, Right to restriction of processing.
According to Article 18, the data subject can require restriction when they contest the accuracy of the data (for as long as you need to verify it), when the processing is unlawful but they prefer restriction to erasure, when you no longer need the data but they need it for legal claims, or when they have objected under Article 21 and it is still being checked whether your grounds override theirs. While processing is restricted, the data may only be stored, or processed with the data subject's consent, for legal claims, to protect the rights of another person, or for important public interest reasons (Article 18(2)).
Article 20, Right to data portability, applies where processing is based on consent or on a contract and is carried out by automated means. In those cases, EU citizens have the right to have their data transmitted directly to another controller, where technically feasible, without hindrance from you.
This means an EU citizen can instruct you to transmit their data to a competitor of yours or any other entity of their choice, and you must comply with that request where it is technically feasible.
This article also gives EU citizens the right to receive a copy of the data they provided to you in a structured, commonly used and machine-readable format, so that they can read it or pass it to another controller. Open, machine-readable formats such as CSV, JSON or XML fit this requirement better than proprietary spreadsheet formats.
Additionally, Article 21, Right to object, lets data subjects object to processing that you base on legitimate interests or on a task in the public interest, including profiling, and lets them object at any time to processing for direct marketing.
For objections to direct marketing there is no exception: you must stop. For other processing you must stop unless you can demonstrate compelling legitimate grounds that override the data subject's interests, rights and freedoms, or the processing is needed to establish, exercise or defend legal claims.
For example, if you collect email addresses for email marketing or mobile numbers for text message marketing, you need to let your users actively opt in to those marketing methods, and you must give them an easy way to opt out at any time. Failing to honour an opt-out violates the right to object.
What's more, you must explicitly bring the right to object to the data subject's attention, clearly and separately from other information, at the latest at the time of your first communication with them (Article 21(4)).
In cases where data subjects consider their personal information to be inaccurate or incomplete, Article 16 gives them the right to have it rectified or completed. As with access requests, you must act without undue delay and within one month of the request (Article 12(3)); for complex or numerous requests the period can be extended by two further months, as long as you explain the delay to the data subject within the first month.
Most websites provide user-friendly tools to update user data or download it electronically, and this is recommended for compliance with Article 16.
See this example from Facebook's General Account Settings page:
In that example, users have one-click access to edit their name, username, contact information and certain user preferences such as Facebook Ad account settings and weather settings. This simple dashboard also gives users a link to Download a copy of their Facebook data.
The more you do to make it easy for your website users to access, modify, download or transfer their data, the better positioned you will be to comply with the GDPR's rights for controlling their data.
2. Right to Be Informed
Articles 13 and 14 of the GDPR require you to give EU citizens details about how you use their personal information: who you are, the purposes and legal basis of the processing, the recipients, the retention period, the rights they have, and more. Recital 58 explains the underlying principle of transparency, which means the burden of educating people about their rights and about how you use their data is on you.
For websites, this is commonly done with a privacy policy linked from the home page footer, as in these examples from GoDaddy and Yahoo.
The more you do to make your data handling methods known to your users, the better-positioned you will be to ensure compliance with the GDPR's obligations to uphold your users' rights to be informed.
3. Right to Erasure ("Right to be Forgotten")
Article 17, Right to erasure (right to be forgotten), spells out the many circumstances in which EU citizens can instruct you to erase their data.
The GDPR gives data subjects the right to have their personal data erased in a number of circumstances, including:
- When their personal data is no longer needed for the purpose it was originally collected
- When they withdraw the consent on which the processing is based and there is no other legal ground for it
- When they object to the processing and you have no overriding legitimate grounds, or they object to direct marketing
- When their personal data has been unlawfully processed
- When their personal data has to be erased in order to comply with a legal obligation
Erasure is not absolute: Article 17(3) lets you keep the data where processing is necessary for freedom of expression and information, to comply with a legal obligation, for public health or archiving purposes, or to establish, exercise or defend legal claims. Where you have shared the data with recipients, you must also tell them about the erasure (Article 19).
4. Data Protection Officer (DPO)
You may need to appoint a data protection officer (DPO) under Article 37 to help oversee your compliance with the GDPR. Your DPO monitors compliance, advises on data protection impact assessments, and acts as the contact point for the supervisory authority and for data subjects (Article 39).
A DPO is mandatory if you are a public authority, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if your core activities involve large-scale processing of special categories of data (such as health or biometric data) or data about criminal convictions. You must give the DPO the resources needed to carry out the role and to maintain their expert knowledge (Article 38), and they must be able to act independently.
5. Obligations for Data Processors
Data processor obligations are spelled out in Article 28. Data processors may process personal data only on the documented instructions of the data controller, and those instructions, along with the subject matter, duration and purpose of the processing, are to be specified in the controller/processor contract.
Data processors are required to implement appropriate organisational and technical measures for securing personal data during its processing (Article 32), to engage sub-processors only with the controller's authorisation, to help the controller respond to data subject requests and breach notifications, to delete or return the data at the end of the service, and to make available the information needed for, and contribute to, compliance audits.
6. Data Protection Impact Assessment and Breach Notification
Security of data is central to the GDPR. Article 32 requires technical and organisational measures appropriate to the risk, and Articles 33 and 34 require a quick and appropriate response when a personal data breach does happen.
Where a type of processing is likely to result in a high risk to the rights and freedoms of data subjects, you must carry out a data protection impact assessment (DPIA) before starting it (Article 35): describe the processing, assess the risks, and set out the measures that address them. If the residual risk remains high, you must consult the supervisory authority before you begin (Article 36).
A breach can lead to physical, material or non-material damage to data subjects if not addressed in a timely manner (Recital 85). You are therefore required to notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals (Article 33); where the breach is likely to result in a high risk, you must also inform the affected data subjects without undue delay (Article 34). Keep a record of every breach, including those you decide not to report, so the supervisory authority can verify your decision (Article 33(5)).
Key things to remember:
- Your employees need to learn their roles and responsibilities in order to comply with the new regulation.
- The GDPR gives EU citizens certain rights and privileges regarding their personal data, and you are obligated to uphold those rights.
- You may need to appoint a data protection officer (DPO) to oversee GDPR compliance if you process certain types or large volumes of data from EU citizens.