Overview of the GDPR Law

Overview of the GDPR Law

The EU's General Data Protection Regulation (GDPR) is one of the world's strictest privacy laws. The goal is to give individual's as much control as possible over what happens to their personal data when they share it online, without preventing businesses from using personal data for commercial purposes.

But what does the GDPR cover, and who must comply with its terms? Let's take a look and really get into what the GDPR requires, and what it means for you.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.



The Scope of the GDPR

Essentially, the GDPR covers what's known as personal data processing.

First, according to Article 4 of the GDPR, personal data is any data you can use to identify an individual (or "data subject"), whether it's their name or an IP address.

There's no exhaustive list as to what counts as personal data, so if you're in doubt, consider it personal data.

Next, processing is any action taken on personal data, including collecting, recording or storing it.

Again, it's a non-exhaustive list, but examples include:

  • Using cookies
  • Collecting data for marketing emails
  • Sending customers an email regarding their order

Who Must Comply With the GDPR

Who Must Comply With the GDPR

Every business collecting personal data from, and offering goods and services to EU citizens, must comply with the GDPR. It doesn't matter if you're based in the EU or not. What matters is where your user base is located.

However, the specific obligations placed upon you by the GDPR will differ slightly depending on whether you're classed as a "data controller" or "data processor."

Data Controllers

Data controllers are defined in Article 4 as basically any company or public body collecting personal data from individuals and determining how it's used.

For example, if you run an eCommerce store that sells goods to EU citizens, you're a data controller.

Data controllers must:

If you're a controller, you must also only work with GDPR-compliant data processors.

Data Processors

Data processors are the third parties responsible for processing personal data on a controller's behalf.

So, if the eCommerce store is the controller, the company processing payments for you is the processor, since they're handling personal data for you.

In addition to complying with the GDPR, data processors must:

  • Only use the data in their possession for a set purpose, and
  • Get their controller's permission before they subcontract any work to other processors

They must also help people exercise their data rights, if asked.

The 6 Principles of Personal Data Processing

The 6 Principles of Personal Data Processing

If you plan on handling personal data, you must abide by the following principles set out in Article 5, each of which are set out below.

Lawfulness, Fairness and Transparency

You can't handle someone's personal information unless you do so in a way that's:

  • Fair - You're using the data in ways the person would reasonably expect.
  • Lawful - You have legitimate grounds for processing the data.
  • Transparent - People must be able to know about your data processing practices.

We'll cover this in more detail a little later.

Purpose Limitation

You must set out the reasons why you're collecting data, and you can't use it for any other purpose unless it's something the person could reasonably expect e.g. you may need to pass data to a credit agency before offering someone financing on a purchase.

Data Minimisation

You should only collect as much data as you need to fulfill the legitimate purpose you've identified.

In other words, you don't need someone's date of birth and Social Security Number to send them a marketing email, so don't collect it.

Accuracy

Next, you should take reasonable steps to ensure you're collecting accurate personal data. You must rectify any mistakes or errors as soon as possible.

Storage Limitation

Don't keep personal data on file for any longer than necessary. If you're legally obliged to store data for a certain amount of time, don't store it any longer than this.

Integrity and Confidentiality

You must take reasonable steps to safeguard the personal data in your possession.

What's reasonable depends on the data sensitivity and your business size.

The 6 Lawful Grounds for Data Processing Under the GDPR

The 6 Lawful Grounds for Data Processing Under the GDPR

In Article 6, the GDPR sets out six reasons why you can lawfully process personal data belonging to an EU citizen.

It sounds obvious, but if someone gives you permission to use their personal information in a certain way, then it's fine to do so.

We'll consider consent in more detail later, but for now, just bear in mind you can process data if someone says it's ok to.

Performance of a Contract

You can process personal data to perform an essential contract of services e.g. a contract of sale.

If you must process personal data to comply with a legal obligation, you can.

For example, maybe you need to disclose data as part of a legal investigation.

Protecting Vital Interests

Is a person's life at risk? If so, you may be able to disclose personal data to protect "vital interests."

This may include, for example, a doctor who needs access to a patient's allergy history to check if they're having an allergic reaction and they're unable to consent themselves.

Protecting Public Interests

Public authorities, or bodies with special legal powers, can process personal data in the wider public interest without consent.

Legitimate Interests

Finally, you can process personal data if you can show you have a legitimate interest in doing so. What's a "legitimate interest," though?

According to the UK's Information Commissioner's Office (ICO), it's your responsibility to show that:

  • There's a lawful and specific reason for data processing,
  • You need the data to comply with the legitimate interest you've just identified, and
  • The data processing is proportionate when weighed against an individual's rights and freedoms

The 8 GDPR Rights for Individuals

The 8 GDPR Rights for Individuals

If you're a data controller, you must:

  • Make people aware of the rights they have under the GDPR, and
  • Help them understand and exercise these rights, if they choose to

Under the GDPR, individuals have eight specific rights. Let's break them down.

Right to Be Informed - Article 12

Under Article 12, you must ensure people know what rights they have over their personal data. It's on you to communicate this information to people in a clear, easily accessible format. Usually, this means something in writing.

The easiest way to comply with this Article is to provide a Privacy Policy. We'll look at what to include below.

Right of Access - Article 15

Under Article 15, Individuals can make a Subject Access Request, which basically means they can request to access whatever personal data you hold on them.

If someone makes a Subject Access Request, you're usually obliged to give them a copy of this information.

Right to Rectification - Article 16

Are you holding inaccurate personal data belonging to an EU citizen? Under Article 16 of the GDPR, you're obliged to rectify any inaccuracies as soon as they're brought to your attention.

If you think the individual is wrong, you can refuse to make the changes, but it's on you to prove why they're wrong.

Right to Be Forgotten - Article 17

Article 17 allows users to request that you delete any personal information you store on them.

You don't need to comply if:

  • The data's held for statistical or archiving purposes
  • You need the data to either answer or make a legal claim
  • Complying interferes with your right to freedom of expression
  • You're complying with a legal obligation, or acting in the public interest

Right to Restrict Processing - Article 18

Under Article 18, an individual can ask you to stop using their personal data for a certain purpose e.g. they can request you to stop sending them newsletters or marketing emails.

If you're obliged to hold personal data for a certain length of time before deleting it, you can simply restrict how you process it.

Right to Data Portability - Article 20

Remember how users can ask for copies of their personal data? Well, it's important you provide the data in a portable format so they can transfer it to another company e.g. a new car insurance provider. This is set out in Article 20.

In other words, you can't make it difficult for someone to e.g. end a contract with you and switch to another company.

Right to Object - Article 21

Under Article 21, people have the right to object to how you're using their personal data at any time.

  • If you're processing the data solely for marketing purposes, you must stop as soon as you're asked to do so.
  • If there's another ground for data processing, some exceptions may apply.

Rights Around Automated Decision-Making and Profiling - Article 22

Article 22 gives people the right to object if you make a decision that affects them based solely on automated profiling. In other words, they can request some form of human involvement in the decision-making.

An example of when this might apply is with a loan application.

If a customer applies for a loan and they're refused based purely on a computer algorithm giving them a low credit score, they can challenge the decision.

How to Comply With the GDPR

How to Comply With the GDPR

OK, so those are the rules, but how do you comply with your legal obligations? Essentially, it comes down to four things:

  • Writing a GDPR-compliant Privacy Policy
  • Getting express and informed consent to personal data processing
  • Developing a cybersecurity program
  • Reporting data breaches if any occur

Have a GDPR Privacy Policy

A Privacy Policy sets out your data processing policies. It must include clauses describing:

  • Individuals' data rights
  • What personal data you collect
  • The lawful basis for processing
  • How you collect the data, and why
  • Third-party data sharing practices
  • Cookies usage
  • Your contact details

You should publish it somewhere obvious on your website, like the website footer.

Learn more about how to create a GDPR-compliant Privacy Policy and use our template here: GDPR Privacy Policy Template.

If you rely on consent as your lawful basis, under Article 7, implied consent is insufficient. Instead, it must be clear, express, informed consent.

  • You must get consent for every type of processing e.g. opening an account and receiving marketing emails, if you're relying on consent.
  • Users must know they can withdraw consent at any time, and it must be easy to do so.
  • You can't pressure someone into giving consent, either. It must be freely given.

Generally, it's best to use checkboxes, or "clickwrap," to get affirmative, clear consent.

Here's an example from American Eagle's UK website. You can't open an account without first clearly consenting to the Privacy Policy:

American Eagle UK Create Account form with consent checkbox highlighted

Have Data Security Measures in Place

You must protect personal data for as long as you have it. Appropriate safeguards include:

  • Password protection
  • Data encryption
  • Network protection and firewalls
  • Up-to-date antivirus and anti-malware tools

It's all about what's proportionate for your business. You might consider hiring an IT expert for more help on this.

Report Data Breaches Appropriately

If there's a data breach and there's a chance the data could be compromised, you're obligated to inform the affected individuals without undue delay, according to Articles 33 and 34.

  • You don't need to report a data breach if there's little chance of harm e.g. an unauthorized employee accidentally read a customer invoice left lying on a desk.
  • Even if there's no need to report the incident, you must record it.

If in doubt, contact your local supervisory authority.

For further guidance on writing data breach notice letters, see our article How to Write GDPR-Compliant Data Breach Notification Letters.

Conclusion

The GDPR covers the protection of personal data, and it applies to all businesses selling goods or services to EU citizens.

GDPR compliance means:

  • Writing a GDPR-compliant policy and ensuring it's obvious on your website.
  • Helping people exercise their GDPR rights, and addressing their concerns when necessary.
  • Ensuring you have express, informed consent if you're relying on consent as a lawful basis for processing.
  • Keeping personal data safe using security processes suitable for the data you're handling and your company size.

Finally, if there's a data breach, you may need to report it to affected individuals.