GDPR: General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a regulation set forth by the EU that governs the protection and dissemination of personal data and enhances digital privacy for people located in the EU.

The GDPR's primary goal is to serve as a unifying, comprehensive data and privacy framework for any organization that controls or processes data from anyone in the EU.

Ultimately, the GDPR is:

  • Strengthening individual privacy rights
  • Simplifying the handling of personal data in the course of international business
  • Imposing punishments and other penalties on businesses that violate its requirements

There's a lot more to it than that, so let's get into the details of the GDPR.

Why is the GDPR Necessary?

The Data Protection Directive and Data Protection Act of 1995 laid the initial structure for European privacy laws and compliance.

However, the Data Protection Directive lagged behind the new and growing challenges of data creation, handling, and storage that came with the meteoric rise of social media and cloud computing.

The fragmented nature of individual nations' privacy laws led to inconsistent enforcement throughout the EU, leaving domestic and foreign business owners blindly navigating their way through data compliance procedures, and often coming up short.

Now, instead of 28 countries relying on their own interpretations of what constitutes data protection and compliance, they are provided with structured and uniform guidance.

With the implementation of the GDPR in early 2018, the EU now boasts the most comprehensive and protective digital privacy regulatory framework in the world, striking an effective balance between privacy and data protection rights and fundamental human rights and other public and private interests.

GDPR Legislative Fact: The GDPR was drafted as an upgrade to the 1995 Data Protection Directive, ultimately harmonizing and synthesizing a collective of privacy regulations into one manageable and unified source.

The GDPR's Scope: Who Does It Apply to?

When determining whether a business or website falls under the scope of the GDPR or whether it is exempt, it's important to ask the following questions:

1. Does the business or website engage in the collection of information and data from users located in the EU?

One of the most important changes building upon the Data Protection Directive's incomplete framework was the GDPR's expansion to include anyone, regardless of location, who collects or processes personal data of individuals in the EU.

Article 3 of the GDPR covers:

  • Controllers or processors of personal data that are located in the EU,
  • Controllers or processors of personal data not located in the EU when they offer goods or services to data subjects in the EU or monitor their behavior, and
  • Controllers or processors of personal data not established in the EU, but established in a place where Member State law applies by virtue of public international law

In sum, even if your company is located in Florida, as long as you offer goods or services to data subjects located within the EU, the GDPR will apply.

2. Does the business have more than 250 employees?

The GDPR concedes that smaller companies pose a less serious risk of destruction or wrongful dissemination of personal data than larger ones, and should therefore be held to less stringent regulation.

Companies with fewer than 250 employees enjoy a narrower scope under the GDPR, and are only required to maintain records of data processing activities when:

  • The processing carries a potential risk of harming data subject rights,
  • There is a frequent and regular processing of data, or
  • The personal data falls under a special category, or relates to criminal offenses and convictions

Keep in mind that organizations and companies with more than 250 employees are required to comply with the GDPR to the fullest extent.

3. Is the business a data controller or a data processor?

On top of geographic expansion and considerations, the GDPR expanded upon the material scope of the EU Data Privacy Directive.

Data privacy compliance now requires not only data controllers but also data processors to adhere to such regulations, and it imposes increased responsibilities and obligations on processors.

Controller (Article 4 definition): "...the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

Processor (Article 4 definition): "...a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

Obligations under the GDPR:

  • Implement data protection policies,
  • Adhere to the GDPR code of conduct,
  • Adhere to the GDPR certification process,
  • Keep detailed records of processing activities,
  • Implement comprehensive compliance and security technology,
  • Appoint a Data Protection Officer,
  • Conduct impact assessments, and
  • Have breach notification procedures in place.

Understanding the key requirements and differences between data controllers and data processors is important before formulating your compliance game plan, as each has its own regulation and compliance measures to follow.

Can a company be both? Yes. It's possible for a single company to be both a data processor and a data controller.

An example is when a payroll company also processes the data of its own staff. It's a data controller of its own staff's data, and a processor of client data.

4. Does the business collect personal or sensitive data?

The GDPR classifies consumer data into two distinct categories: "personally identifying" and "sensitive personal" data.

After all, without knowing what constitutes the GDPR's definition of data, a company won't know whether they deal in the type of information covered under the GDPR's scope.

Personally Identifiable Information (PII): Includes any information distinguishing an individual's identity, such as full name, identification number, bank details, home and email address, passport number, location data, pseudonymous data, and photo, audio, or video files.

Sensitive Personal Information (SPI): Includes any information which reveals a person's biometric, genetic, health, sexual, religious, philosophical, political, racial, or ethnic data.

GDPR Legislative Fact: The GDPR is not without criticism or controversy, and has caused quite a stir for being less than two years old. Since its inception, there have been thousands of proposed amendments, pushing for both increased and less data privacy.

GDPR Requirements and Characteristics

The deadline for complying with the GDPR was set as May 25th, 2018.

What are the consequences for failing to comply? The stakes have been increased, and the GDPR imposes significantly heftier fines and penalties on companies who fail to comply.

For tier 1 companies, non-compliance fines run all the way up to €4 million or 2% of a company's annual global turnover; for tier 2 companies, up to €20 million or 4%.

Below is a list of six crucial changes the GDPR requires companies to adopt and implement in order to be considered GDPR-compliant.

Consent

Consent is considered an important aspect of individuals understanding and retaining control over how their data is handled and processed.

Under the GDPR, consent needs to be freely given, informed, and unambiguous, which greatly increases the standard of what's considered valid consent.

No longer can you legally claim that someone is agreeing to your Terms and Policies simply by being active on your website. Now, to get adequate consent, you need to implement clickwrap methods that utilize un-ticked checkboxes and clearly-labeled buttons.

In the example below, the box must start unchecked so that the user can tick it themselves to show consent:

Nest: Checkbox and button to agree to and Accept Terms and Conditions

Consent is also required before using most cookies. If you have EU users and use cookies that require consent, you'll need to implement a cookie consent solution on your website before placing these cookies on your users' devices.

Your cookie consent notice, like other forms of GDPR consent, should use either (or better yet, both) a checkbox or an "I Agree" button that makes it very clear that users are agreeing and consenting to have cookies used.

Here's an example of such a notice:

Under Armour UK Cookie Consent notice

Make sure to link your Privacy Policy and/or Cookies Policy to your cookie consent notice.
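As an added illustration (not code from the original article, and not any real consent-management product), the following JavaScript models the consent rules described above in a form that runs under Node: consent checkboxes default to unticked, non-essential cookies are only written after an explicit affirmative choice, the consent record notes when and under which policy version it was given (so stale consent is refused), and withdrawal clears the cookies already set. The cookie "jar" is a plain object standing in for document.cookie, and the category names, cookie names and policy version string are assumed placeholders.

```javascript
// Added example: a minimal consent gate modelling the GDPR consent rules
// described in the article. Not the article's code. The cookie "jar" is a
// plain object standing in for document.cookie so the code runs under Node.

// Assumed placeholder: bump this whenever the policy text changes, so that
// old consent records no longer authorise new cookies.
const POLICY_VERSION = "privacy-policy-2018-05";

// Cookie categories that require opt-in. "necessary" cookies (session id,
// CSRF token, etc.) are exempt and are never gated.
const CONSENT_CATEGORIES = ["analytics", "marketing"];

// Initial form state: every box unticked, so consent can only result from
// an affirmative act by the user (no pre-ticked boxes).
function defaultFormState() {
  const state = {};
  for (const category of CONSENT_CATEGORIES) state[category] = false;
  return state;
}

// Turn a submitted form into a consent record. Each category must carry an
// explicit boolean; "continuing to browse" or a missing field is not consent.
function recordConsent(formState, now = new Date()) {
  const granted = {};
  for (const category of CONSENT_CATEGORIES) {
    if (typeof formState[category] !== "boolean") {
      throw new Error(`explicit choice required for category "${category}"`);
    }
    granted[category] = formState[category];
  }
  return { granted, policyVersion: POLICY_VERSION, recordedAt: now.toISOString() };
}

// Is a cookie of this category allowed right now? Necessary cookies always
// are; everything else needs a record for the current policy version that
// grants the category.
function isAllowed(category, consent) {
  if (category === "necessary") return true;
  return Boolean(
    consent &&
      consent.policyVersion === POLICY_VERSION &&
      consent.granted[category] === true
  );
}

// The only path through which cookies get written. Returns true if the
// cookie was set, false if it was refused.
function setCookie(jar, name, value, category, consent) {
  if (!isAllowed(category, consent)) return false;
  jar[name] = value;
  return true;
}

// Withdrawing consent must be as easy as giving it: drop the grant and clear
// the cookies already written for that category.
function withdrawConsent(jar, consent, category, cookieNames) {
  for (const name of cookieNames) delete jar[name];
  return { ...consent, granted: { ...consent.granted, [category]: false } };
}

// Walk through a constructed session and report what happened at each step.
function demoSession() {
  const jar = {};
  let consent = null;
  const form = defaultFormState();

  // Banner shown, nothing ticked yet: the analytics cookie must be refused.
  const beforeConsent = setCookie(jar, "analytics_id", "a1", "analytics", consent);

  // The user ticks only the analytics box and submits.
  form.analytics = true;
  consent = recordConsent(form, new Date("2018-05-25T09:00:00Z"));

  const analyticsAfter = setCookie(jar, "analytics_id", "a1", "analytics", consent);
  const marketingAfter = setCookie(jar, "ad_id", "m1", "marketing", consent);
  const necessary = setCookie(jar, "session_id", "s1", "necessary", null);

  // Later the user withdraws analytics consent from the settings page.
  consent = withdrawConsent(jar, consent, "analytics", ["analytics_id"]);
  const afterWithdrawal = setCookie(jar, "analytics_id", "a2", "analytics", consent);

  return { beforeConsent, analyticsAfter, marketingAfter, necessary, afterWithdrawal, jar, consent };
}

console.log(JSON.stringify(demoSession(), null, 2));
```

The design point is that setCookie is the single chokepoint: no script on the page can write a gated cookie without a current, affirmative consent record, which is what makes the checkbox and button in the notice meaningful rather than decorative.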

Data Breach Notifications

It's very important that you handle all data breaches appropriately.

Under the GDPR, data controllers and processors are legally required to notify a supervising authority, along with the individuals affected, within seventy-two (72) hours of discovering the breach. The data breach notification should include the following elements:

  • The nature of the data breach,
  • The name and contact details of the Data Protection Officer, or another point of contact to obtain information,
  • The likely consequences of the breach,
  • The measures proposed, or taken, in order to remedy and address the breach.

Conduct Data Protection Impact Assessments

Data protection impact assessments (DPIAs) are required when a data processing activity poses a high risk to the fundamental rights and freedoms of a natural person. Such assessments should be conducted in several instances, including when a company:

  • Processes special categories of personal data, or data relating to criminal offenses and convictions, on a large scale,
  • Uses new technologies to process data,
  • Processes a considerable amount of data that could greatly affect a high volume of individuals, and
  • Processes data "for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects."

Elect a Data Protection Officer (DPO)

Not all companies are required to appoint a Data Protection Officer (DPO) under the GDPR. You'll only need to appoint one when:

  • The company is a public authority,
  • The controller or processor's primary duties include large scale data monitoring, or
  • The controller or processor handles a wide range of sensitive personal data (SPI)

Even if you aren't required to appoint one, doing so anyway can be a great step towards ensuring GDPR compliance.

DPOs should be appointed in order to:

  • Inform and train processors and controllers on their requirements and obligations under the GDPR, and other data protection laws,
  • Be the first point of contact for supervisory authorities and individuals whose data is processed, and
  • Monitor company compliance with the GDPR, and give advice on data protection impact assessments (DPIAs).

Enhance Individual User Rights

The GDPR has created and emphasized 8 user rights that enhance individual rights. While not every right applies to every company and every situation, you must be aware of them and how they affect your business.

The rights are as follows:

  • The right of access: Data subjects must be given the ability to know what personal data a company has about them, and you must handle privacy access requests appropriately.
  • The right to erasure (be forgotten): Data subjects have the right to request companies delete their data and stop processing it.
  • The right to restrict processing: Data subjects have the right to restrict personal data processing under certain circumstances.
  • The right to object: Data subjects have the right to object to processing of their data.
  • The right to rectification: Data subjects have the right to have any inaccurate or incomplete personal data rectified.
  • The right to data portability: Data subjects have the right to copy, transfer, or move personal data to a different company.
  • The right to be informed: Data subjects deserve to be provided with information regarding data processing activities.

These rights can be found in Chapter 3 of the GDPR. It's important to review each right to make sure it applies to your business. As noted above, some of the rights come with exceptions and circumstances under which they must be honored, or need not be.

Privacy By Design and Default

Data Protection and Privacy by Design and by Default requires companies to integrate data protection measures into their business processes and protocols. Simply put, companies need to account for data privacy protections and measures during the design stage of a project or product by following these seven principles:

  • Privacy as a default setting
  • Privacy should be preventative and not remedial
  • Privacy should be embedded into design
  • Privacy should be fully functional
  • Privacy should prioritize user protection
  • Privacy should be transparent
  • Privacy should cover the entire life cycle of the data

GDPR Compliance Refresher: The GDPR harmonizes various data breach notification laws in the EU. Most notably, it requires businesses to inform a data breach authority of a data breach within seventy-two (72) hours of discovering it.

Having such a requirement in place puts added pressure and expectation on organizations to have effective mechanisms for recognizing and responding to breaches in real time.

Making Your Privacy Policy GDPR-Compliant

A fundamental and sometimes tedious step in bringing a company in line with GDPR compliance is overhauling its Privacy Policy.

When aligning and conforming Privacy Policies with GDPR requirements, companies will need to make several key changes, such as:

Identifying a point of contact: This includes providing the contact details of your Data Protection Officer or whoever else is responsible for handling privacy questions at your business. If you are a company located outside of the EU, provide your EU Representative's contact details.

Translink Privacy Policy: Contact Us clause

Explaining data collection practices in adequate detail: Companies are required to outline their methods for collecting data and how the data is used, as well as what the general data retention period is.

Not only are they required to inform data subjects of the above matters, they are also required to provide justifying reasons for doing so (referred to as the legal bases for collecting and processing information).

Safe Prescriber Privacy Policy: Excerpt of How we may process information clause - Legal basis

Conduct a privacy law self-audit so you know exactly what your data collection practices are.

A clear explanation of a data subject's rights: A GDPR-compliant Privacy Policy needs to address the 8 user rights addressed earlier, such as a data subject's right to access, object, erasure, and so forth.

Boohoo Privacy Notice: GDPR User Rights clause

Cross-border transfer information: Companies must provide sufficient details of data transfers they may engage in where user data is sent to third countries, and any safeguards put in place.

Varlink GDPR Compliance Statement - Preparation for the GDPR: International Data Transfers and Third-Party Disclosures section

Simplifying the language: To promote transparency, your Privacy Policy should be easy to read and free of all unnecessary and confusing language and legalese. If an average user can't understand their rights under your Privacy Policy, it's not a GDPR-compliant Privacy Policy.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
     (Screenshot: Privacy Policy Generator - Select platforms - Step 1)
  3. Add information about your business: your website and/or app.
     (Screenshot: Privacy Policy Generator - Add your business info - Step 2)
  4. Select the country.
     (Screenshot: Privacy Policy Generator - Add your business info - Step 2)
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
     (Screenshot: Privacy Policy Generator - Answer questions from our wizard - Step 3)
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".
     (Screenshot: Privacy Policy Generator - Enter your email address - Step 4)

And you're done! Now you can copy or link to your hosted Privacy Policy.

GDPR Preparation Resources

Throughout this article we've linked some resources that can help you get prepared and underway with GDPR compliance. In addition, here's our official GDPR Preparation Planning checklist as well as our GDPR Readiness checklist.