GDPR: General Data Protection Regulation
The General Data Protection Regulation (GDPR) is the EU's extensive regulatory framework that came into effect in May 2018 and has since revolutionized personal data protection and digital privacy throughout the globe.
In fact, the GDPR is considered to be the most stringent and protective privacy regulation in the world right now. It enhances the individual rights of EU citizens and clarifies what companies must do to safeguard these rights.
In this article, we'll go over the key aspects of the GDPR, including who it applies to, what it requires, and penalties for non-compliance with the regulation.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- 1. What is the General Data Protection Regulation?
- 1.1. The GDPR's Definitions
- 2. Data Processing Principles of the GDPR
- 2.1. Lawfulness, Fairness, and Transparency
- 2.2. Purpose Limitation
- 2.3. Data Minimization
- 2.4. Accuracy
- 2.5. Storage Limitation
- 2.6. Integrity and Confidentiality
- 2.7. Accountability
- 3. The GDPR's Scope: Who Does it Apply to?
- 3.1. Do you collect personal information or monitor the behavior of EU citizens?
- 3.2. Do you offer goods or services to EU citizens?
- 3.3. Exceptions to the GDPR
- 4. Lawful Basis for Processing Personal Data Under the GDPR
- 4.1. Consent
- 4.2. Contract
- 4.3. Legal Obligation
- 4.4. Vital Interests
- 4.5. Public Task
- 4.6. Legitimate Interests
- 5. General Requirements of the GDPR
- 5.2. Strengthen Individual Rights Under the GDPR
- 5.3. Implement Data Protection Impact Assessments
- 5.4. Designate a Data Protection Officer
- 5.5. Obtain Consent When Needed
- 5.6. Implement Privacy by Design
- 5.7. Notify of Data Breaches
- 5.8. Protect Data During Data Transfers
- 6. GDPR Fines for Non-Compliance
- 7. Summary
What is the General Data Protection Regulation?
The GDPR is a comprehensive data privacy regulation enacted by the European Union (EU) to govern how companies obtain and process personal information in the EU.
As a new and improved version of the 1995 Data Protection Directive, the GDPR strives to keep up with the growing demands for internet privacy in the world today. To do this, the law extends its reach to include organizations outside the region, so long as they offer products/services to, or collect personal information from EU citizens.
Basically, the GDPR:
- Harmonizes data protection laws across all 28 EU member states into one centralized source,
- Reinforces individual privacy rights regarding the protection of personal data, and
- Imposes fines and other punishments on violators
The GDPR's Definitions
To comprehend and appropriately comply with the GDPR, you need to understand how the law defines its terms. Let's briefly go over the essentials.
Personal data is any information that can directly or indirectly distinguish a person. Although the law doesn't provide an exhaustive list of what should be considered personal data, here are the more obvious ones:
- Identification numbers
- IP/email addresses
- Web cookies
- Images or videos
- Bank details
Anonymized data may also fall under this definition if a person can be easily identified from it.
Sensitive Personal Data
Under the GDPR, sensitive personal data is a unique class of personal information that comes with stricter regulations due to its intrusive nature. It includes but is not restricted to the following:
- Biometric data
- Genetic data
- Sexual orientation
- Political opinions
- Philosophical/Religious beliefs
- Racial/Ethnic data
Processing is a delicate term under the GDPR. It refers to any activity or operation (whether electronic or manual) carried out on personal data. Cited examples include:
- Collecting data
- Recording data
- Storing or organizing data
- Modifying data
- Using data
- Disclosing data
- Restricting data
- Erasing data
With that said, just assume everything you do with a person's data can be labeled as processing.
A data controller specifies the purpose ('why') and the mode ('how') of obtaining personal information. Data controllers are responsible for safeguarding the rights and privacy of data subjects.
A data processor is an individual or organization that "processes personal data on behalf of the controller". Common examples of data processors include third-party service providers like payroll companies, eCommerce platforms, and payment processors.
Data Processing Principles of the GDPR
Under the GDPR, if you process data in the EU, you must observe the seven data protection and accountability principles listed in Article 5 of the regulation. Briefly, the principles are as follows.
Lawfulness, Fairness, and Transparency
Personal data must be:
- Processed legally by identifying one of the lawful bases for doing so,
- Handled fairly and appropriately, and
- Managed in a transparent way
You must process people's personal data for the exact lawful purpose specified or decided upon during its collection.
Here's how Twitter satisfies this requirement in its Data Processing Addendum:
The data minimization principle states that you should only obtain and process data that you strictly need for the pre-established purposes and no more. For example, you don't need a person's date of birth to send them email newsletters.
Personal information in your possession must be kept accurate and regularly updated. You should also have measures in place to promptly rectify inaccuracies (once identified) or delete them permanently.
You must delete personal data when it's no longer necessary for the legitimate purpose specified during its collection. However, you may hold on to personal data for longer periods if you process data for:
- Archiving purposes in the interest of the public,
- Historical or scientific research, or
- Statistical purposes
Integrity and Confidentiality
You must employ technical and organizational safeguards to protect personal data from illegal processing and unforeseen loss or damages.
In most cases, this will involve using mechanisms like encryption software, two-factor authentication, and anonymization tools to safeguard data wherever possible.
If you're a data controller under the GDPR, then the responsibility of observing the listed principles and demonstrating GDPR compliance falls on you.
The GDPR's Scope: Who Does it Apply to?
The GDPR, unlike its predecessor, is not only exclusive to individuals and companies operating in the EU. Organizations outside the region may now be subject to the regulation in certain instances.
To find out if you fall under the GDPR's scope, consider the following questions:
Do you collect personal information or monitor the behavior of EU citizens?
For example, if you have EU users sign up on your website or you track IP addresses or cookies of visitors from the EU, then the GDPR applies to you regardless of your location.
Moreover, the stringency of the law may depend on the type of information you collect. Recall that sensitive personal data is held to stricter regulations than personal data.
Do you offer goods or services to EU citizens?
If you target EU citizens with the hope of selling them your products or services (physical or online), the GDPR applies to you regardless of your location.
To put this in context, if your website features pricing in euros or ads in French, it targets EU citizens and will, therefore, be subject to the regulation.
Exceptions to the GDPR
Under the GDPR, there are two significant exceptions to note.
The first is for companies with less than 250 employees. Organizations in this category are not fully exempt, but they enjoy a more lenient coverage under the regulation.
However, such companies must fully comply with the GDPR when:
- Their processing activities may risk the rights and freedoms of data subjects
- They process sensitive personal data or process data frequently, or
- They process a special data category relating to "criminal convictions and offenses"
Secondly, the GDPR does not apply to individuals or companies involved in purely "personal or household activities". Its scope only covers "commercial or professional activities."
Lawful Basis for Processing Personal Data Under the GDPR
Before attempting to process an individual's personal data, you must identify one of the lawful bases under the GDPR to justify doing so. Briefly, they are as follows.
If you process under the lawful basis of consent, your processing activities are considered legal only after getting clear, affirmative consent from your data subjects. This lawful basis promotes the GDPR mission to give more control to data subjects.
You may need to process personal data to execute or enter into a contract with data subjects. For example, a customer may sign up for a trial before a contract, which may require you to collect their personal data (e.g., contact information).
Processing a person's data without consent is allowed when the law compels you to do so. For example, you may have to disclose a user's personal information to aid federal authorities in a criminal investigation.
Processing a person's data is considered lawful if their life depends on it, and they can't provide consent. This legal basis may be more prominent in the medical industry due to its nature.
Processing personal data may be crucial to perform a duty in the public's interest or the exercise of official authority.
Companies with genuine, legitimate reasons may process data without consent as long as it does not interfere with the rights or freedoms of data subjects. Examples include:
- Information and network security
- Fraud prevention
- Indicating dangers to general safety
General Requirements of the GDPR
The GDPR has provided both controllers and processors with several new requirements they must observe and implement to be considered compliant with the regulation. Briefly, they include the following.
Also, check out our GDPR Preparation Planning Checklist for further guidance.
Strengthen Individual Rights Under the GDPR
As an organization subject to the regulation, you must observe and help exercise the individual user rights under the GDPR. They include:
- Right to be informed - Notify users about how you obtain and process their data in a brief, intelligible, and easily accessible form.
- Right of access - Allow users to obtain information about how you use, store, or disclose their data.
- Right of rectification - Let users correct inaccurate information about them displayed in your records.
- Right to erasure - Promptly delete users' data at their request.
- Right to restrict processing - Stop processing users' data at their request.
- Right to data portability - Allow users to transfer a copy of their data to another company.
- Right to object - In certain instances, users can object to the processing of their personal data.
- Rights related to automated decisions - Protect users from automated decisions by granting a review when requested.
For example, here's how Zoom displays this information in its Privacy Statement:
Implement Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) helps evaluate how your processing activities may affect the protection of personal data.
You must observe this requirement if your processing operations are likely to expose the rights and freedoms of users to high risk. Such cases include when you:
- Process a considerable amount of data that could significantly affect a lot of users
- Process a high volume of sensitive personal data
- Utilize the latest technologies to process data, or
- Process data in order to profile people
Designate a Data Protection Officer
A data protection officer (DPO) supervises an organizations' data protection strategy. DPOs are appointed to educate and advise management about GDPR compliance as well as address the privacy concerns of users.
Designating a DPO is not optional in certain instances. According to the regulation, you must appoint a DPO if you:
- Are a public authority (e.g., a state university),
- Often process data or monitor data subjects on a large scale, or
- Process a substantial amount of sensitive personal data or data relating to criminal offenses and convictions
Obtain Consent When Needed
Consent is now more deeply regulated under the GDPR. According to the law, consent must be clear, specific, unambiguous, and characterized by an approving action.
If you collect sensitive personal data, you must also obtain explicit consent from data subjects. To get explicit consent, you can make users tick a box that states that by ticking the box, they agree with your policies.
Additionally, consent must be easy to withdraw and given only by users over the age of 13 or else approved by a parent.
Here's how PayPal obtains explicit consent from its users before creating accounts:
Implement Privacy by Design
Privacy by Design is a concept that requires companies to implement data privacy principles at the onset of a new product or process (i.e., by default).
With that said, seven fundamental principles must be observed under this requirement to reduce data collection and improve security. They include the following:
- Strive to prevent crises rather than seeking solutions
- Value privacy as the default setting
- Incorporate privacy into the design
- Privacy should be completely functional
- Protect data throughout its lifecycle
- Embrace transparency
- Prioritize the protection of users' information
Notify of Data Breaches
Under the GDPR, a personal data breach is defined as:
"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"
In the event a data breach occurs, you must inform the proper supervising authority within seventy-two hours of discovering it.
You must also inform the concerned data subjects if the breach may threaten their rights and freedoms. Your notice should contain the following information:
- The nature of the breach
- The name and contact details of the DPO or similar information
- The possible ramifications
- The recommended steps to take in order to manage the breach
Protect Data During Data Transfers
Under the GDPR, organizations must take additional steps to protect personal data during transfers to third countries (i.e., countries outside the EU that handle personal data).
The regulation lists several safeguards that must be adopted during such transfers.
Here's how IBM outlines its various safeguards to facilitate international transfers in its Privacy Statement:
So what happens if you don't meet these requirements?
GDPR Fines for Non-Compliance
The GDPR fines for non-compliance are one of the steepest in the world right now, running into tens of millions of dollars. To establish suitable penalties for violators, the GDPR has categorized the stringency of infringements into two tiers.
Tier 1 infringements are characterized by breaches of controller and processor duties, monitoring bodies, and certification bodies.
GDPR fines for tier 1 violations can run up to 2% of the company's annual global turnover from the previous financial year or €10 million (whichever is higher).
On the other hand, Tier 2 infringements are characterized by violations of data processing principles, consent, individual rights under the GDPR, etc.
Fines for such violations can run up to 4% of the company's annual global turnover from the previous financial year or €20 million (whichever is higher).
Since its introduction, the GDPR has completely transformed the privacy game for both data subjects and organizations alike.
Taking actions now to comply not only protects your organization from the stringent penalties of the regulation but also depicts top-notch industry standards to reassure users of their personal data security.
Here are the key takeaways to ensure GDPR compliance:
- Observe the GDPR's data processing principles
- Process data only after identifying one of the lawful bases
- Pay attention to the individual rights of users and help exercise them
- Get clear, affirmative consent to process personal data and explicit consent for sensitive data
- Stay up-to-date on privacy trends to ensure full compliance