Overview of the GDPR Law
The EU's General Data Protection Regulation (GDPR) is one of the world's strictest privacy laws. The goal is to give individuals as much control as possible over what happens to their personal data when they share it online, without preventing businesses from using personal data for commercial purposes.
But what does the GDPR cover, and who must comply with its terms? Let's take a look and really get into what the GDPR requires, and what it means for you.
- 1. The Scope of the GDPR
- 2. Who Must Comply With the GDPR
- 2.1. Data Controllers
- 2.2. Data Processors
- 3. The 6 Principles of Personal Data Processing
- 3.1. Lawfulness, Fairness and Transparency
- 3.2. Purpose Limitation
- 3.3. Data Minimisation
- 3.4. Accuracy
- 3.5. Storage Limitation
- 3.6. Integrity and Confidentiality
- 4. The 6 Lawful Grounds for Data Processing Under the GDPR
- 4.1. User Consent
- 4.2. Performance of a Contract
- 4.3. Legal Compliance
- 4.4. Protecting Vital Interests
- 4.5. Protecting Public Interests
- 4.6. Legitimate Interests
- 5. The 8 GDPR Rights for Individuals
- 5.1. Right to Be Informed - Article 12
- 5.2. Right of Access - Article 15
- 5.3. Right to Rectification - Article 16
- 5.4. Right to Be Forgotten - Article 17
- 5.5. Right to Restrict Processing - Article 18
- 5.6. Right to Data Portability - Article 20
- 5.7. Right to Object - Article 21
- 5.8. Rights Around Automated Decision-Making and Profiling - Article 22
- 6. How to Comply With the GDPR
- 6.2. Get Appropriate User Consent When Needed
- 6.3. Have Data Security Measures in Place
- 6.4. Report Data Breaches Appropriately
- 7. Conclusion
The Scope of the GDPR
Essentially, the GDPR covers what's known as personal data processing.
First, according to Article 4 of the GDPR, personal data is any data you can use to identify an individual (or "data subject"), whether it's their name or an IP address.
There's no exhaustive list as to what counts as personal data, so if you're in doubt, consider it personal data.
Next, processing is any action taken on personal data, including collecting, recording or storing it.
Again, it's a non-exhaustive list, but examples include:
- Using cookies
- Collecting data for marketing emails
- Sending customers an email regarding their order
Who Must Comply With the GDPR
Every business collecting personal data from, and offering goods and services to EU citizens, must comply with the GDPR. It doesn't matter if you're based in the EU or not. What matters is where your user base is located.
However, the specific obligations placed upon you by the GDPR will differ slightly depending on whether you're classed as a "data controller" or "data processor."
Data Controllers
Data controllers are defined in Article 4 as basically any company or public body collecting personal data from individuals and determining how it's used.
For example, if you run an eCommerce store that sells goods to EU citizens, you're a data controller.
Data controllers must:
- Comply with the GDPR
- Help individuals exercise their data rights
If you're a controller, you must also only work with GDPR-compliant data processors.
Data Processors
Data processors are the third parties responsible for processing personal data on a controller's behalf.
So, if the eCommerce store is the controller, the company processing payments for you is the processor, since they're handling personal data for you.
In addition to complying with the GDPR, data processors must:
- Only use the data in their possession for a set purpose, and
- Get their controller's permission before they subcontract any work to other processors
They must also help people exercise their data rights, if asked.
The 6 Principles of Personal Data Processing
If you plan on handling personal data, you must abide by the following principles from Article 5, each of which is described below.
Lawfulness, Fairness and Transparency
You can't handle someone's personal information unless you do so in a way that's:
- Fair - You're using the data in ways the person would reasonably expect.
- Lawful - You have legitimate grounds for processing the data.
- Transparent - People must be able to know about your data processing practices.
We'll cover this in more detail a little later.
Purpose Limitation
You must set out the reasons why you're collecting data, and you can't use it for any other purpose unless it's something the person could reasonably expect, e.g. you may need to pass data to a credit agency before offering someone financing on a purchase.
Data Minimisation
You should only collect as much data as you need to fulfill the legitimate purpose you've identified.
In other words, you don't need someone's date of birth and Social Security Number to send them a marketing email, so don't collect it.
Accuracy
Next, you should take reasonable steps to ensure you're collecting accurate personal data. You must rectify any mistakes or errors as soon as possible.
Storage Limitation
Don't keep personal data on file for any longer than necessary. If you're legally obliged to store data for a certain amount of time, don't store it any longer than this.
Integrity and Confidentiality
You must take reasonable steps to safeguard the personal data in your possession.
What's reasonable depends on the data sensitivity and your business size.
The 6 Lawful Grounds for Data Processing Under the GDPR
In Article 6, the GDPR sets out six reasons why you can lawfully process personal data belonging to an EU citizen.
User Consent
It sounds obvious, but if someone gives you permission to use their personal information in a certain way, then it's fine to do so.
We'll consider consent in more detail later, but for now, just bear in mind you can process data if someone says it's ok to.
Performance of a Contract
You can process personal data to perform an essential contract of services e.g. a contract of sale.
Legal Compliance
If you must process personal data to comply with a legal obligation, you can.
For example, maybe you need to disclose data as part of a legal investigation.
Protecting Vital Interests
Is a person's life at risk? If so, you may be able to disclose personal data to protect "vital interests."
This may include, for example, a doctor who needs access to a patient's allergy history to check if they're having an allergic reaction and they're unable to consent themselves.
Protecting Public Interests
Public authorities, or bodies with special legal powers, can process personal data in the wider public interest without consent.
Legitimate Interests
Finally, you can process personal data if you can show you have a legitimate interest in doing so. What's a "legitimate interest," though?
According to the UK's Information Commissioner's Office (ICO), it's your responsibility to show that:
- There's a lawful and specific reason for data processing,
- You need the data to comply with the legitimate interest you've just identified, and
- The data processing is proportionate when weighed against an individual's rights and freedoms
The 8 GDPR Rights for Individuals
If you're a data controller, you must:
- Make people aware of the rights they have under the GDPR, and
- Help them understand and exercise these rights, if they choose to
Under the GDPR, individuals have eight specific rights. Let's break them down.
Right to Be Informed - Article 12
Under Article 12, you must ensure people know what rights they have over their personal data. It's on you to communicate this information to people in a clear, easily accessible format. Usually, this means something in writing.
Right of Access - Article 15
Under Article 15, individuals can make a Subject Access Request, which basically means they can request access to whatever personal data you hold on them.
If someone makes a Subject Access Request, you're usually obliged to give them a copy of this information.
Right to Rectification - Article 16
Are you holding inaccurate personal data belonging to an EU citizen? Under Article 16 of the GDPR, you're obliged to rectify any inaccuracies as soon as they're brought to your attention.
If you think the individual is wrong, you can refuse to make the changes, but it's on you to prove why they're wrong.
Right to Be Forgotten - Article 17
Article 17 allows users to request that you delete any personal information you store on them.
You don't need to comply if:
- The data's held for statistical or archiving purposes
- You need the data to either answer or make a legal claim
- Complying interferes with your right to freedom of expression
- You're complying with a legal obligation, or acting in the public interest
Right to Restrict Processing - Article 18
Under Article 18, an individual can ask you to stop using their personal data for a certain purpose e.g. they can request you to stop sending them newsletters or marketing emails.
If you're obliged to hold personal data for a certain length of time before deleting it, you can simply restrict how you process it.
Right to Data Portability - Article 20
Remember how users can ask for copies of their personal data? Well, it's important you provide the data in a portable format so they can transfer it to another company e.g. a new car insurance provider. This is set out in Article 20.
In other words, you can't make it difficult for someone to e.g. end a contract with you and switch to another company.
Right to Object - Article 21
Under Article 21, people have the right to object to how you're using their personal data at any time.
- If you're processing the data solely for marketing purposes, you must stop as soon as you're asked to do so.
- If there's another ground for data processing, some exceptions may apply.
Rights Around Automated Decision-Making and Profiling - Article 22
Article 22 gives people the right to object if you make a decision that affects them based solely on automated profiling. In other words, they can request some form of human involvement in the decision-making.
An example of when this might apply is with a loan application.
If a customer applies for a loan and they're refused based purely on a computer algorithm giving them a low credit score, they can challenge the decision.
How to Comply With the GDPR
OK, so those are the rules, but how do you comply with your legal obligations? Essentially, it comes down to four things:
- Publishing a GDPR-compliant privacy policy
- Getting express and informed consent to personal data processing
- Developing a cybersecurity program
- Reporting data breaches if any occur
Your privacy policy should set out:
- Individuals' data rights
- What personal data you collect
- The lawful basis for processing
- How you collect the data, and why
- Third-party data sharing practices
- Cookies usage
- Your contact details
You should publish it somewhere obvious on your website, like the website footer.
Get Appropriate User Consent When Needed
If you rely on consent as your lawful basis, under Article 7, implied consent is insufficient. Instead, it must be clear, express, informed consent.
- You must get consent for every type of processing e.g. opening an account and receiving marketing emails, if you're relying on consent.
- Users must know they can withdraw consent at any time, and it must be easy to do so.
- You can't pressure someone into giving consent, either. It must be freely given.
Generally, it's best to use checkboxes, or "clickwrap," to get affirmative, clear consent.
Have Data Security Measures in Place
You must protect personal data for as long as you have it. Appropriate safeguards include:
- Password protection
- Data encryption
- Network protection and firewalls
- Up-to-date antivirus and anti-malware tools
It's all about what's proportionate for your business. You might consider hiring an IT expert for more help on this.
Report Data Breaches Appropriately
- You don't need to report a data breach if there's little chance of harm e.g. an unauthorized employee accidentally read a customer invoice left lying on a desk.
- Even if there's no need to report the incident, you must record it.
If in doubt, contact your local supervisory authority.
For further guidance on writing data breach notice letters, see our article How to Write GDPR-Compliant Data Breach Notification Letters.
Conclusion
The GDPR covers the protection of personal data, and it applies to all businesses selling goods or services to EU citizens.
GDPR compliance means:
- Writing a GDPR-compliant policy and ensuring it's obvious on your website.
- Helping people exercise their GDPR rights, and addressing their concerns when necessary.
- Ensuring you have express, informed consent if you're relying on consent as a lawful basis for processing.
- Keeping personal data safe using security processes suitable for the data you're handling and your company size.
Finally, if there's a data breach, you may need to report it to affected individuals.