GDPR: General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a regulation set forth by the EU that governs the protection and dissemination of personal data and enhances digital privacy for people located in the EU.
The GDPR's primarily goal is to serve as a unifying, comprehensive, data and privacy framework for any organization that controls or processes data from anyone in the EU.
Ultimately, the GDPR is:
- Strengthening individual privacy rights
- Simplifying the handling of personal data in the course of international business
- Imposing punishments and other penalties on businesses that violate its requirements
There's a lot more to it than that, so let's get into the details of the GDPR.
- 1. Why is the GDPR Necessary?
- 2. The GDPR's Scope: Who Does It Apply to?
- 3. GDPR Requirements and Characteristics
- 3.1. Consent
- 4. Create Compliant Cookie Consent
- 4.1. Data Breach Notifications
- 4.2. Conduct Data Protection Impact Assessments
- 4.3. Elect a Data Protection Officer (DPO)
- 4.4. Enhance Individual User Rights
- 4.5. Privacy By Design and Default
- 6. GDPR Preparation Resources
Why is the GDPR Necessary?
The Data Protection Directive and Data Protection Act of 1995 laid the initial structure for European privacy laws and compliance.
However, with new and increasing data creation, handling, and storage challenges, a result of the meteoric rise of social media and cloud computing, the Data Protection Directive lagged behind.
The fragmented nature of individual nation's privacy laws led to inconsistent enforcement throughout the EU, leaving internal, and foreign, business owners blindly navigating their way through data compliance procedures, often coming up short.
Now, instead of 28 countries relying on their own interpretations of what constitutes data protection and compliance, they are provided with structured and uniform guidance.
With the implementation of the GDPR in early 2018, the EU now boasts the most comprehensive and protective digital privacy regulatory framework in the world, striking an effective balance between privacy and data protection rights and fundamental human rights and other public and private interests.
GDPR Legislative Fact: The GDPR was drafted as an upgrade to the 1995 Data Protection Directive, ultimately harmonizing and synthesizing a collective of privacy regulations into one manageable and unified source.
The GDPR's Scope: Who Does It Apply to?
When determining whether a business or website falls under the scope of the GDPR or whether it is exempt, it's important to ask the following questions:
1. Does the business or website engage in the collection of information and data from users located in the EU?
One of the most important changes building upon the Data Protection Directive's incomplete framework was the GDPRs expansion to include anyone, regardless of location, who collects or processes personal data of individuals in the EU.
Article 3 of the GDPR covers:
- Controllers or processors of personal data that are located in the EU,
- Controllers or processors of personal data not located in the EU when they offer goods or services to data subjects in the EU or monitor their behavior, and
- Controllers or processors of personal data not located in the EU who are a Member State required by virtue of international law to comply
In sum, even if your company is located in Florida, as long as you offer goods or services to data subjects located within the EU, the GDPR will apply.
2. Does the business have more than 250 employees?
The GDPR concedes that smaller, rather than larger, companies pose a less serious threat to the destruction and wrongful dissemination of personal data, and should therefore be held to less stringent regulation.
Companies with less than 250 employees enjoy a more narrowed scope under the GDPR, and are only required to maintain records of data processing activities when:
- The processing carries a potential risk of harming data subject rights,
- There is a frequent and regular processing of data, or
- The personal data falls under a special category relating criminal offenses and convictions
Keep in mind that organizations and companies with more than 250 employees are required to comply to the fullest extent of GDPR regulations.
3. Is the business a data controller, or processor?
On top of geographic expansion and considerations, the GDPR expanded upon the material scope of the EU Data Privacy Directive.
Data privacy compliance now requires not only data controllers, but data processors adhere to such regulations, and imposes increased responsibilities and obligations on processors.
|Article 4 Definition: "...the natural legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."||Article 4 Definition: "...a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."|
Understanding the key requirements and differences between data controllers and data processors is important before formulating your compliance gameplan, as each one will have their own regulation and compliance measures to follow.
Can a company be both? Yes. It's possible for a single company to be both a data processor and a data controller.
An example is when a payroll company also processes the data of its own staff. It's a data controller of its own staff's data, and a processor of client data.
4. Does the business collect personal or sensitive data?
The GDPR classifies consumer data into two distinct categories: "personally identifying" and "sensitive personal" data.
After all, without knowing what constitutes the GDPR's definition of data, a company won't know whether they deal in the type of information covered under the GDPR's scope.
Personally Identifiable information (PII): Includes any information distinguishing an individual's identity, such as full name, identification number, bank details, home and email address, passport number, location data, pseudonymous data, and photo, audio, or video files.
Sensitive Personal Information (SPI): Includes any information which reveals a person's biometric, genetic, health, sexual, religious, philosophical, political, racial, or ethnic data.
GDPR Legislative Fact: The GDPR is not without criticism or controversy, and has caused quite a stir for being less than two years old. Since its inception, there have been thousands of proposed amendments, pushing for both increased and less data privacy.
GDPR Requirements and Characteristics
The deadline for complying with the GDPR was set as May 25th, 2018.
What are the consequences for failing to comply? The stakes have been increased, and the GDPR imposes significantly heftier fines and penalties on companies who fail to comply.
For tier 1 companies, non-compliance fines run all the way up to €4 million, or 2% of a company's annual global turnover, and €20 million, or 4% for tier 2 companies.
Below is a list of six crucial changes the GDPR requires companies to adopt and implement in order to be considered GDPR-compliant.
Consent is considered an important aspect of individuals understanding and retaining control over how their data is handled and processed.
Under the GDPR, consent needs to be freely given, informed, and unambiguous, which greatly increases the standard of what's considered valid consent.
No longer can you legally claim that someone is agreeing to your Terms and Policies simply by being active on your website. Now, to get adequate consent, you need to implement clickwrap methods that utilize un-ticked checkboxes and clearly-labeled buttons.
In this example, the box would have to be unchecked so the user could check it himself to show consent:
Your cookie consent notice, like other forms of GDPR consent, should use either (or better yet, both) a checkbox or an "I Agree" button that makes it very clear that users are agreeing and consenting to have cookies used.
Here's an example of such a notice:
Create Compliant Cookie Consent
Data Breach Notifications
It's very important that you handle all data breaches appropriately.
Under the GDPR, data controllers and processors are legally required to notify a supervising authority, along with the individuals affected, within seventy-two (72) hours of discovering the breach. The data breach notification should include the following elements:
- The nature of the data breach,
- The name and contact details of the Data Protection Officer, or another point of contact to obtain information,
- The likely consequences of the breach,
- The measures proposed, or taken, in order to remedy and address the breach.
Conduct Data Protection Impact Assessments
Data protection impact assessments (DPIAs), are required when a data processing activity poses a high risk to the fundamental rights and freedoms of a natural person. Such assessments should be conducted in several instances, including when a company:
- Processes on a large scale of special categories of personal data, or data relating to criminal offenses and convictions,
- Uses new technologies to process data,
- Processes a considerable amount of data that could greatly affect a high volume of individuals, and
- Processes data "for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects."
Elect a Data Protection Officer (DPO)
Not all companies are required to appoint a Data Protection Officer (DPO) under the GDPR. You'll only need to appoint one when:
- The company is a public authority,
- The controller or processor's primary duties include large scale data monitoring, or
- The controller or processor handles a wide range of sensitive personal data (SPI)
Even if you aren't required to appoint one, doing so anyway can be a great step towards ensuring GDPR compliance.
DPOs should be appointed in order to:
- Inform and train processors and controllers on their requirements and obligations under the GDPR, and other data protection laws,
- Be the first point of contact for supervisory authorities and individuals whose data is processed, and
- Monitor company compliance with the GDPR, and give advice on data protection impact assessments (DPIAs).
Enhance Individual User Rights
The GDPR has created and emphasized 8 user rights that enhance individual rights. While not every right applies to every company and every situation, you must be aware of them and how they affect your business.
The rights are as follows:
- The right of access: Data subjects must be given the ability to know what personal data a company has about them, and you must handle privacy access requests appropriately.
- The right to erasure (be forgotten): Data subjects have the right to request companies delete their data and stop processing it.
- The right to restrict processing: Data subjects have the right to restrict personal data processing under certain circumstances.
- The right to object: Data subjects have the right to object to processing of their data.
- The right to rectification: Data subjects have the right to have any inaccurate or incomplete personal data rectified.
- The right to data portability: Data subjects have the right to copy, transfer, or move personal data to a different company.
- The right to be informed: Data subjects deserve to be provided with information regarding data processing activities.
These rights can be found in Chapter 3 of the GDPR. It's important to review each right to make sure it applies to your business. As noted above, some of the rights come with exceptions and circumstances where they either must or may not be honored.
Privacy By Design and Default
Data protection and Privacy by Design and default requires companies to integrate data protection measures into their business processes and protocols. Simply put, companies need to account for data privacy protections and measures during the design stage of a project or product by following the following seven principles:
- Privacy as a default setting
- Privacy should be preventative and not remedial
- Privacy should be embedded into design
- Privacy should be fully functional
- Privacy should prioritize user protection
- Privacy should be transparent
- Privacy should cover the entire life cycle of the data
GDPR Compliance Refresher: The GDPR harmonizes various data breach notification laws in the EU. Most notably, it requires businesses to inform a data breach authority of a data breach within seventy-two (72) hours of discovering it.
Having such a requirement in place, puts added pressure and expectation on organizations to have effective mechanisms for recognizing and responding to breaches in real-time.
When aligning and conforming Privacy Policies with GDPR requirements, companies will need to make several key changes, such as:
Identifying a point of contact: This includes providing the contact details of your Data Protection Officer or whoever else is responsible for handling privacy questions at your business. If you are a company located outside of the EU, provide your EU Representative's contact details.
Explaining data collection practices in adequate detail: Companies are required to outline their methods for collecting data and how data used, as well as what the general data retention period is.
Not only are they required to inform data subjects of the above matters, they are also required to provide justifying reasons for doing so (referred to as the legal bases for collecting and processing information).
Conduct a privacy law self-audit so you know exactly what your data collection practices are.
Cross-border transfer information: Companies must provide sufficient details of data transfers they may engage in where user data is sent to third countries, and any safeguards put in place.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
GDPR Preparation Resources
Throughout this article we've linked some resources that can help you get prepared and underway with GDPR compliance. In addition, here's our official GDPR Preparation Planning checklist as well as our GDPR Readiness checklist.