12 Facts about GDPR Compliance Regulations You Need to Know

  • by Noah Ramirez, JD / CIPP
  • last updated July 29, 2020
What is GDPR?

By now, you’ve likely heard of the General Data Protection Regulation (GDPR), but you may not understand all of its implications, especially if your company operates outside of the EU. The GDPR is often referred to as the biggest and most significant change in data privacy regulation in 20 years. Its goal is to transform how organizations in every sector handle consumer data, putting consumers in the driver’s seat. For the first time, people have a say over who collects their personal data, when it’s collected, and how it’s used.

With this regulation, companies can’t just clean up the mess and say sorry after a data breach. They can’t collect and use consumer data without oversight or plainly worded disclosures. They have to prove they are following the GDPR’s requirements to protect that data from day one. Transparency is the name of the game, a new notion to many organizations that have traditionally put data privacy on the back burner, let alone told consumers how they handle their data.

While the GDPR changes may seem overwhelming right now, the long-term results are expected to be better customer experiences and greater trust between consumers and companies.

12 Facts about GDPR

Plenty is riding on compliance. At least one global survey found 85 percent of U.S. companies believe the GDPR compliance regulations put them at a disadvantage against their European competitors, yet the same survey found the U.S. is the least trusted country for respecting privacy rights. What’s more, 67 percent of U.S. consumers agree the U.S. should do more to protect their data privacy. Compliance with the GDPR could do much to improve these negative perceptions.

To help you understand the rumors swirling about GDPR, we put together this list of important facts that you need to know.

1. The GDPR May Be An EU Mandate, But It Impacts Every Country

The EU Parliament approved the GDPR in 2016 to replace a data protection initiative from 1995, but the changes weren’t enforced until May 25, 2018. There’s a misconception across the pond that U.S. companies that don’t do business with European companies are exempt. Not so fast.

The GDPR changes apply as much to organizations in other countries as they do to those within the EU. If any organization, EU or otherwise, offers goods or services to or monitors the behavior of EU data subjects, they’re on the hook.

2. It Applies to Virtually All Kinds of Data

The GDPR governs almost every data point an organization would collect, across every conceivable online platform, especially if it’s used to uniquely identify a person. It also includes data routinely requested by websites, such as IP addresses, email addresses, and physical device information. Here’s a list of the types of data protected under the GDPR.

  • Basic identity information (including name, address, email address, etc.)
  • Web data such as location, IP address, cookie data, and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation
  • Any information that relates to an identified or identifiable living individual

As you can imagine, “basic identity information” is a broad category. It includes user-generated data, such as social media posts, personal images uploaded to websites, medical records, and other uniquely personal information commonly transmitted online. Yes, that means organizations must protect your tweets and Facebook statuses.

3. Under the GDPR, Users Have 8 Basic Rights

The GDPR establishes eight rights that apply to all users. Your organization is obligated to respect these rights or face the severe penalties discussed below.

  1. The right to access. Individuals may request access to their personal data. They may also ask about how their data is used, processed, stored, or transferred to other organizations. You must provide an electronic copy of the personal data, free of charge if requested.
  2. The right to be informed. Individuals must be informed and give free consent (not implied) before you gather and process their data.
  3. The right to data portability. Individuals may transfer their data from one service provider to another at any time. The transfer must happen in a commonly used and machine-readable format.
  4. The right to be forgotten. If users are no longer customers, or if they withdraw their consent to use their personal data, then they have the right to have their data deleted.
  5. The right to object. If a user objects to your use or processing of their data, they can request that you stop. There are no exceptions to this rule. All processing must stop as soon as the user makes their request.
  6. The right to restrict processing. Individuals can ask you to stop processing their data or stop a certain kind of processing. Their data can remain in place if they choose.
  7. The right to be notified. Individuals have the right to be notified in the event of a data breach that compromises their personal data. This must happen within 72 hours of your first learning of the breach.
  8. The right to rectification. Users can request that you update, complete, or correct their personal data.

As you can see, these rights give individuals considerable power over their data. They now have a number of tools to limit and prohibit you from using their personal information.

4. You’ll Have to Designate a Representative in the EU

Most companies outside of the EU must designate a representative in the EU if they process personal data of EU residents but don’t have a European presence. This means if your U.S. company sells products online to customers in the EU, or even if you just have visitors to your website from the EU, you have to comply. The designated representative serves as a contact for EU supervisory authorities and data subjects and maintains processing records.

If you don’t already have an EU-based subsidiary, corporate affiliate, or external data protection officer, you can name an unaffiliated person or entity. Consider a “GDPR Representative as a Service,” where you pay a U.S. company a flat fee to name one of their EU representatives to act as yours, listing them as your EU contact to satisfy GDPR. It’s a fast and easy way to ensure you are covered.

5. There Are Hefty Penalties for Non-Compliance

The GDPR is a complete shift in thinking, and it’s safe to say many U.S.-based organizations are still scratching their heads. While there will be some grace period as companies learn their responsibilities and come up to speed, patience won’t last long. Companies must at least prove to officials that they are actively working towards accountability and compliance. Penalties for non-compliance are tiered and can be as high as 4 percent of global turnover, or $24.4 million, whichever is greater.

6. You Have to Switch from “Opt-Out” to “Opt-In”

Compliance with the GDPR means adopting the principle of affirmative consent. This requires you to switch from an “opt-out” approach of data collection and processing to an “opt-in” approach. Instead of assuming user consent (by opting them in automatically and providing an opt-out method), you now must obtain explicit permission before you collect, store, and process their data. This new approach applies to everything, even if you’re just adding a customer’s email address to your newsletter list.

Furthermore, users don’t just have the right to decide whether you collect and use their data. They can also decide how you use it. They have the legal right to question and appeal how their personal information is presented to themselves and others. For instance, a user might object to Google’s use of their data to refine its algorithm and show content to other users. Or a user might choose to opt out entirely at any point under their right to be forgotten, in which case it’s your responsibility to scrub their data from your systems.

7. You Can’t Hide Behind Legalese

Does anyone read the fine print or the pages of data privacy practices? Likely not. Pew Research reported that half of online Americans don’t even know what a privacy policy is. The GDPR changes prohibit companies from hiding behind illegible terms and conditions that are difficult to understand. Instead, companies must clearly define their data privacy policies and make them easily accessible. There’s another caveat: you also have to know and monitor the privacy policies of your vendors, and their vendors, to be sure they’re in compliance when they use your EU users’ data, because you could be held accountable for their compliance with the GDPR.

8. Breach Notifications Have Time Limits

When a breach happens and threatens consumers’ right to privacy, companies are on the clock to report it within 72 hours of becoming aware of the breach. Data processors must notify their customers right away. This may be one of the biggest changes in practice for U.S. companies, where more than half have no incident response procedures in place and nearly 60 percent do not share their data on breaches. Equifax took six weeks to report a breach that impacted up to 143 million Americans.

Consumer patience is running thin. With the GDPR changes, companies who must comply will have to pay penalty fees for such behavior.

9. You’ll Have to Answer to Data Subjects

The GDPR requirements give consumers (a.k.a. data subjects) the right to ask companies for the information they hold on them. Companies must be able to give them what they want within a month. These “subject access requests” will force organizations to know where their collected data is at all times, what data is being collected, how it’s being used and by whom, and when it’s being accessed. If the consumer finds an error, the organization must correct it. If the customer opts to invoke their “right to be forgotten,” the company must erase their data. If the consumer doesn’t like how their personal data is being collected and used, they can object.

Most U.S.-based organizations are behind when it comes to having this data at their fingertips. Big data is big and it isn’t always in the same place. Customer data can be in core operational systems, cloud applications, online file-sharing services, removable media, physical storage cabinets, third-party providers, temporary files, sandbox systems, backup systems, and employee devices, just to name a few.

Ultimately, gaining control over this data benefits both the organization and the consumer. Forbes believes GDPR compliance has five benefits: enhanced cybersecurity, improved data management, increased marketing ROI, boosted audience loyalty and trust, and the opportunity to be the first to establish a new business culture. If that’s not enough, consider the alternative: penalty fines for non-compliance. GDPR compliance won’t happen overnight, and it may be a painful process. But even as you up your transparency game, you’ll gain visibility into your vendors’ data compliance practices at the same time, forcing all companies to do better or get left behind.

10. You May Need to Hire a Data Protection Officer

Under the GDPR, you may have a legal obligation to hire a Data Protection Officer (DPO). This is an enterprise security leadership role responsible for overseeing a company’s data protection strategy, educating and training employees on regulatory compliance, implementing policies to ensure compliance with the GDPR, responding to data subject access requests, and serving as the point of contact between the organization and GDPR Supervisory Authorities. You must hire one if…

  • Your organization is a public authority (i.e. controls and/or maintains public infrastructure or has the authority to regulate public property).
  • Your organization is engaged in large-scale systematic monitoring of user data.
  • Your organization processes large volumes of personal user data.

The size of your organization is irrelevant here. What matters is the size of your data processing. But as you’re probably thinking, “large-scale” and “large volumes” are nebulous terms. The regulation doesn’t offer clear definitions. We have to make our best guess for now until the regulation is amended or clarified in the courts.

11. Cloud-Based Storage is Not Exempt from the GDPR

Like many organizations, you may use a cloud-based storage provider to house your data, such as Microsoft Azure, Google Cloud, or Amazon Web Services. This practice does not offload your responsibilities to the cloud storage provider. You must ensure that your cloud service provider and the systems you use to integrate with that provider are GDPR compliant. This is another reason it's helpful to hire a data protection officer.

12. The GDPR Prioritizes Human Rights Over the User Experience

It’s important to keep in mind that the purpose of the GDPR is to protect consumers. It’s an ambitious, far-reaching piece of legislation designed to safeguard our privacy and give us agency over our data. There’s no doubt that GDPR compliance creates challenges for all types of organizations, especially those whose models rely heavily on robust data processing. Compliance requires one-time and recurring costs, new policies and procedures, education and training, and even new employees.

The framers of the GDPR are aware of those challenges, but while they understand your frustration, they feel - and we at Osano agree - that users’ rights are paramount, even at the expense of the user experience. At a time when nearly every conceivable data point of our lives is stored online, we are remarkably vulnerable to theft and exploitation, and so require concrete safeguards to protect ourselves.

You Don’t Have to Manage it on Your Own

EU authorities will penalize your business for violating the GDPR, no matter your size. Yes, even small businesses are on their radar. It’s critical that you comply, but the regulation is massive and complex.

With Osano, you become GDPR compliant instantly. We serve as your GDPR representative, monitor your vendors, help you respond to subject access requests, and alert you about new or changing privacy laws with advice on how to prepare. Let Osano make it simple.

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy, Noah enjoys rock climbing and yoga.