The European Union has become a leader in consumer protection with its data privacy law: the General Data Protection Regulation (also called the GDPR). This groundbreaking policy establishes hundreds of pages of responsibilities and requirements for organizations all over the world.
To learn more and to get answers to some of the most frequently asked questions about this law, check out our Ultimate Guide to the GDPR.
If the GDPR sounds complicated, don't worry. In this overview, we're going to help you understand everything you need to know about the regulation, how to stay compliant, and how to protect your users, customers, and subscribers in the new age of data privacy.
What is the General Data Protection Regulation?
The General Data Protection Regulation is, undoubtedly, the most substantial data privacy law in the world. It codifies privacy laws for all individual citizens and businesses of the European Union (EU) and the European Economic Area (EEA). It provides flexibility for certain aspects of the regulation to be adjusted by individual member countries.
What's interesting about the GDPR is that even though it was drafted and passed by the European Union, it addresses the transfer of personal data outside the EU countries. The law extends its jurisdiction to any company doing business with or processing the personal data of an EU citizen, regardless of the company's location. This jurisdiction imposes obligations on organizations outside of the EU if they collect or process data on EU residents. Organizations anywhere can be penalized if they fail to meet security standards or violate an EU citizen's privacy. Fines are harsh, sometimes reaching tens of millions of euros.
When more people are entrusting their personal information to cloud services than ever before and data breaches have never been more prevalent, the European Union draws a hard line in the sand with the GDPR. But even though the regulation is far-reaching, it's light on specifics. Unclear guidance makes GDPR compliance a challenge for organizations like yours.
How we got to the GDPR
Europe's history of data protection laws dates back 70 years. The GDPR was inspired by the 1950 European Convention on Human Rights, which establishes a right to privacy for Europeans. It says, “Everyone has the right to respect for his private and family life, his home and his correspondence.” It was on this basis that the European Union sought to enshrine privacy rights through law.
As technology advanced and people began to live and work on the Internet, the EU recognized the need for digital protections. In 1995, the EU passed the Data Protection Directive 95/46/EC. This directive established minimum data privacy and security standards, but it was up to EU member states to pass privacy laws that comply with the Directive.
But by 2012, the European Parliament realized that the Data Protection Directive wasn't enough. Organizations of all types had begun to collect and process data at unfathomable rates. The existing hodgepodge of privacy laws across the then-28 member states was confusing and insufficient. They started the process of drafting a regulation - the strongest form of legal enforcement in the EU.
After years of debate, the GDPR was adopted on April 14, 2016. It became enforceable on May 25, 2018, replacing its weaker predecessor, the Data Protection Directive.
GDPR requirements, scope and definitions
Before we get into the meat of the GDPR, it helps to understand its essential legal terms. You'll see these terms throughout this article and other documents relating to the regulation and GDPR requirements.
- Personal Data: This refers to any information that can directly or indirectly identify an individual. Personal data includes names, email addresses, ethnicity, zip code or other location information, gender, banking details, IP addresses, biometric data, religious and political beliefs, web cookies, and even social media posts. Pseudonymous data may also fall under this definition, depending on how easily it can be used to identify a person.
- Data Processing: This refers to any action performed on data. Data processing includes manual and automatic methods. As you can imagine, this is a big category. The GDPR offers a few examples of processing activities: collecting, gathering, recording, structuring, organizing, storing, using, and erasing.
- Data Controllers: This is the person who decides why, when, and how personal data is processed. It refers to a specific person in your organization, such as the owner or an employee designed with data control responsibilities.
- Data Subject: This refers to a person whose data is processed, such as your customers, subscribers, fans, users, etc.
- Data Processor: This refers to any third-party organization that engages in the processing of personal data. Data processors might include service providers like email marketing tools, analytics tools, cloud vendors, and CRM systems. Any service that integrates with payments or your website is probably a data processor according to the GDPR.
How do you comply with the GDPR?
The GDPR mandates organizations to abide by Privacy by Design principles. You must implement the appropriate technical and organizational measures to protect the rights of data subjects. Technical measures might include using encryption services where personal data is stored or working with your vendors to ensure they're using end-to-end encryption. Organizational measures might consist of limiting access to personal data to only the employees who need it, staff training on data privacy and GDPR requirements, or hiring a Data Protection Officer.
Organizations are expected to comply with these principles through all of their data processing endeavors. These aren't hard rules, but they should guide your data collection and processing policies.
- Lawfulness, fairness, and transparency: Processing data should abide by the law, treat data subjects fairly, and be transparent with your processing.
- Purpose limitation: You should only process data for legitimate purposes that you specify for each data subject before you collect it.
- Data minimization: This provision limits a data processor to collect and use only the data absolutely necessary to complete its business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject.
- Accuracy: You should keep your data accurate at all times.
- Storage limitation: You should only store personal data as long as necessary for the intended purpose. You should delete the data when you're done with it.
- Integrity and confidentiality: You should process data in a way to protect its security, integrity, and privacy. (For instance, transferring data with encryption.)
- Accountability: You are responsible for demonstrating GDPR compliance. Regulators expect detailed documentation about the data you collect, how it's used, and where it is stored. You are also expected to train your staff well to implement organizational security measures and have data processing agreements in place with all of the third-party vendors who process data for you.
Another critical security measure outlined in the GDPR is pseudonymization, a process required when data is stored to transform it so that the resulting data cannot be attributed to a specific data subject without the use of additional information. Common examples of these tools are encryption and tokenization.
What are data subjects rights under the GDPR?
The GDPR awards a list of privacy rights to data subjects. These rights aim to give people more awareness and control over their data and how its used. As an organization, it's essential to understand the nature and scope of these rights so you can stay compliant with the GDPR.
- The right to be informed: Data subjects have the right to be informed about the collection and use of their personal data. This creates a variety of obligations for organizations. If data is obtained directly from the subject, the person must be informed right away - at the moment information is obtained. If the data is not obtained from the subject (maybe it came through a vendor), the person must be notified within a reasonable period of time, but no later than a month. Subjects must be informed in an easily accessible form.
- The right to access your data: Article 15 gives citizens the right to access their personal data and information about how personal data is processed. A data subject can request a copy of the actual data being processed via a data subject request. Furthermore, a data controller must share the means of data collection, provide an overview of the categories of data being processed, the purposes of the data processing, any parties with whom the data is shared.
- Rectification: The GDPR affords individuals the right to have inaccurate or incomplete personal data rectified and completed. If an individual requests rectification (verbally or in writing), you have one month to comply. You can only refuse rectification if the request is "excessive" or "manifestly unfounded."
- Erasure: A complete right to be forgotten was refined down to a more limited right of erasure in the GDPR. Under this rule, a data subject has the right to request the erasure of personal data related to them on specific grounds within 30 days. At that point, the company will stop processing and cease any further dissemination of the data. Valid grounds for erasure include situations where the data is no longer relevant, or the original purpose has been satisfied, or merely a data subject's subsequent withdrawal of consent.
- The right to restrict processing: Data subjects have the right to request the restriction or suppression of their personal data. If a subject requests a restriction, you must stop processing their data, but you can store it. They can make this request verbally or in writing. You have one month to respond and comply.
- Data portability: Data portability is a data subject's ability to transfer personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. They should be able to easily transfer their data from one IT environment to another safely and securely, without disrupting its usability. As an organization, you are obligated to provide your data subjects with the entirety of their data in a standard machine-readable format.
- The right to object: The GDPR provides data subjects with the right to object how their information is used for marketing, sales, or non-service-related purposes. An organization must inform individuals of their right to object from the first communication. However, each objection is to be looked at individually, and an organization does not have to apply these objection rules if the data processing meets one of the following criteria:
- Legal or official authority is being carried out.
- Legitimate interest where the organization needs to process data in order to provide you with a service you signed up for.
- A task carried out for public benefit.
- Automated decision-making and profiling
Individuals have the right not to be subject to solely automated decisions, including profiling, which have a legal or similarly significant effect on them. For instance, a website that automatically approves or denies people for loans or makes hiring decisions would have a "significant effect" on their lives. Data subjects can opt-out of these practices.
GDPR requirements for processing personal data
Article 6 of the GDPR explains when it's legal to process personal data. Don’t collect, store, process, or sell data unless you can justify it with one of the following lawful bases:
- The data subject gave specific consent to process the data. (Example: The subject gave you their email address to opt-in to your email marketing list.)
- Processing is necessary to execute or to prepare to enter into a contract with the data subject is a party. (Example: You need to check their credit before approving a loan.)
- You need to comply with a legal obligation. (Example: A must process their data to comply with a court order.)
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person. (Example: Processing data could save someone's life.)
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- You have a legitimate interest to process someone’s personal data, except where such interests are overridden by the fundamental rights and freedoms of the data subject. This is the most flexible lawful basis.
Once you've determined the justification for processing data, you must document the basis lawful basis and notify the data subject. If you change the lawful basis at a later point, you must inform the subject of this change.
Prior to processing and notifying data subjects, businesses should go through a Data Protection Impact Assessment. This process helps identify and minimize data protection risks of a project.
Clear notice and consent
Under the GDPR, before processing any personal data, a business must ask for explicit permission from the data subject using precise language. Examples of consent requests are cookie banners you've surely seen on every website over the last couple of years.
When it comes to asking for consent, the GDPR establishes several strict rules:
- Consent must be “freely given, specific, informed, and unambiguous.” You can't coerce them into giving consent, lie about the purpose of the consent, or hide the intent of data processing in hard-to-understand language.
- When you ask for consent, your communication must be “clearly distinguishable from the other matters” and presented in “clear and plain language.” You can't bury the language in another document.
- Data subjects can withdraw their consent whenever they want. It must be as easy to withdraw consent as it is to give it. You are obligated to honor their decision. If you process their data for another purpose, you must get their consent again.
- An organization cannot obtain continuous blanket consent. A new request for consent is required each time data is used for a new purpose.
- Children under 13 can only give consent if they have permission from their parents.
- You must keep documentation of their consent or refusal.
The GDPR requires companies to notify all data subjects of a security breach within 72 hours of discovering the breach. This notification method will include as many forms as deemed necessary to disseminate the information in a timely manner, including email, telephone message, and public announcement.
However, an important distinction is that the notice to data subjects is not required if the data controller has implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption (Article 34).
Data protection officers (DPO)
The GDPR requires some organizations to designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse, unauthorized access, and other security breaches. You must appoint a DPO if:
- You are a public authority (other than a court) acting in a judicial capacity.
- Your core activities require you to monitor people on a large scale. (e.g., Facebook's entire model revolves around tracking its users.)
- Your core activities include the processing of special categories of data listed under Article 9 or Article 10.
That said, it's smart to appoint a DPO even if you aren't required to. It's good to have someone on staff who understands the GDPR and how it applies to your organization, can advise people in your organization about their responsibilities, monitor GDPR compliance, and work with supervisory authorities in the event of a data breach or other issue.
If you're an organization based outside the EU, you must also appoint an EU-based person as a representative and point of contact for their GDPR obligations (Article 27).
The penalties laid out for violations of GDPR are significant. Under the law, organizations found to be in violation can be fined up to 4% of annual global revenue, or 20 Million Euros, whichever is greater.
The most notable recent enforcement actions include Google’s January 2019 fine of 50 million euros assessed by the French Data Regulator (CNIL). The CNIL found that Google was in violation of Article 21 of GDPR because it had not sufficiently informed users about how they were collecting personal data to use this in line with personalized advertising.
Other significant enforcement actions include the UK’s ICO levying fines of €110,390,200 on Marriott International, Inc. and €204,600,000 on British Airways in July of 2019. Both companies were found to violate GDPR Article 32, for having insufficient technical and organizational measures to ensure information security after a breach.
The initial years of GDPR implementation have brought progress and difficulty. Companies are still struggling to achieve compliance, but the new mandate has increased efforts to improve data security and avoid human error. It has also brought greater public awareness, with European Internet users exercising their rights under the GDPR and demanding more data security and transparency from companies.
As an organization, you'll want to consider data protection principles to design any new product, activity, or offer. Whenever you collect or process the information on a data subject, ask yourself if you have or will violate their privacy rights.
If you're ready to take your GDPR compliance seriously, sign up with Osano. Osano is an easy-to-use data privacy platform that instantly helps your website become compliant with the GDPR and other privacy laws, such as the CCPA and New York's Shield Act. Osano, is "compliance in a box," instantly helping your website comply with data privacy laws.