The GDPR is a massive law that reformed the data protection landscape globally. Here, we take you through the basics so your organization can aim for compliance.
What is the GDPR?
The EU General Data Protection Regulation changed the world of privacy law. It obligated companies to make sweeping changes to their data protection and privacy practices to comply or face potentially massive fines.
It was technically "adopted" in 2016, but lawmakers gave organizations a two-year grace period to revamp whatever policies necessary to come into compliance. It finally went into effect in May 2018.
Europe has always been ahead of the game on data protection. Its laws date back 70 years. Before the GDPR, the European Convention on Human Rights of 1950 granted European's a right to privacy. The Convention served as the impetus for codifying the right to privacy into law.
Before the GDPR, the EU Data Protection Directive regulated data privacy. But it became effective in 1995, long before companies were collecting data at the scale they are now, and long before digital commerce created end-user data trails that advertisers could track across the web.
But by 2012, the European Parliament realized that the Directive wasn't enough. Websites were vacuuming up user data at an unprecedented rate, and the existing hodgepodge of privacy laws across the (then-28) member states was confusing and insufficient. They decided to draft a regulation, the strongest form of legal enforcement in the EU.
It comes down to this: If your organization collects, uses or stores EU citizens' personal data, regardless of where it's processed, you're covered by this law.
When did the GDPR go into effect?
The GDPR went into effect May 25, 2018. Regulators gave organizations a two-year grace period before enforcement began.
GDPR requirements, scope and definitions
Though the GDPR is an EU-based law, it doesn't apply to only EU companies. It has what's called extraterritorial reach. That means that even if a company doesn't operate within the EU -- say it's U.S.-based -- but has customers in the EU, it must comply with the GDPR. In addition, the GDPR required EU member states to pass national laws that closely mapped to the GDPR's provisions.
The GDPR aims to give individuals — which the legislation calls "data subjects" — privacy protections but also allow businesses relying on data to survive or thrive. To strike this balance, the GDPR introduced new concepts on protecting data. Those include:
- Expanded definitions for "personal data" and "sensitive data."
- Data protection by design principles for technology and operations.
- Accountability measures.
- Expanded data subject rights, including the right to be forgotten and to object to automated data processing.
- Provisions on data breach notification.
In addition, companies' partners are on the hook. If you process data on behalf of a company with EU citizens, you must comply with the GDPR.
GDPR terms and concepts you must understand
Understanding the GDPR requires working definitions of the vocabulary it uses. Here is a list of some of the most important terms.
- Personal Data: Any information that can directly or indirectly identify an individual. This includes names, email addresses, ethnicity, zip code or other location information, gender, banking details, IP addresses, biometric data, religious and political beliefs, web cookies and even social media posts.
- Data Processing: Any action performed on data, including manual and automatic methods.
- Data Controllers: The person who decides why, when and how personal data is processed.
- Data Subject: A person whose data is processed. Think customers, subscribers.
- Data Processor: Any third-party organization that engages in processing personal data, including email marketing tools, analytics tools, and cloud vendors.
- Accountability: Organizations must put technical and organizational measures in place to demonstrate what they did with data and why it was necessary.
- Transparency: Organizations must communicate to data subjects about data processing in a way that's "easily accessible and easy to understand" and uses "clear and plain language."
- Privacy by Design: Data protection through technology design.
What are data subject rights under the GDPR?
The GDPR grants specific rights to data subjects to increase transparency and give them control over their data and how it's used. It's essential to know these data rights so you can responsibly comply when they want to exercise their privacy rights.
The right to be informed that you've collected and used personal data. If you collected it from the subject yourself, you have to notify the data subject at the time of collection. Suppose you're a third-party vendor, for example, and obtained the data secondarily. In that case, the data subject must be informed within a "reasonable period of time," no later than 30 days, and in an easily accessible form.
The right to access personal data and how it's processed. A data subject can ask for a copy of all the data being processed about them. It's called a Data Subject Access Request (DSAR). It's essential to have a mechanism to intake DSARs because a data subject can request a copy of the data, an overview of the categories of data you're processing, why you're doing so and any parties with whom you're sharing the data.
The right to rectify inaccurate or incomplete personal data. If an individual requests rectification (verbally or in writing), you have one month to comply. If the request is "excessive or "manifestly unfounded," you can refuse.
The right to erase data. Under this rule, a data subject has the right to request that you erase their personal data within 30 days. Certain conditions must exist for the request to be legitimate, of course. Those include if the data is no longer relevant, the original purpose for collection has been satisfied or if a data subject withdraws consent. If any of those apply, you have to stop processing their data and further disseminating that data.
The right to restrict processing of personal data. If a data subject requests this, you have to stop processing their data, but you can still store it. Requests can be made verbally or in writing, and you have 30 days to respond.
The right to data portability. Data subjects must be allowed to take their data from one platform to another and do so easily, safely and securely. Data controllers must allow it without disrupting its useability. You must provide data subjects with the entirety of their data in a standard, machine-readable format.
The right to object. Data subjects can object to how their information is used for marketing, sales or non-service-related purposes. An organization must inform individuals of their right to object within the first communication. Organizations must examine each objection, but it can refuse to validate the objection if one of the following is true:
- Legal or official authority is being carried out.
- The organization has a "legitimate interest" to process data to provide a data subject with a service they signed up for.
- A task is being carried out for public benefit.
An organization can also refuse a request if the objection request is "excessive" or "manifestly unfounded."
Automated decision-making and profiling. Data subjects have the right to say no to solely automated decisions, including profiling, being made about their data that could have a legal or similarly significant effect on them. For instance, a website that automatically approves or denies people loans or makes hiring decisions would have a "significant effect" on their lives. Data subjects can opt out of these practices.
What is the consideration for data deletion under the GDPR?
As mentioned in the above section, data subjects have the right to request that organizations delete personal data about them "without undue delay." The requirements that must apply for a deletion request to be valid are:
- The data isn't needed anymore for the purpose it was collected or processed.
- The data subject is withdrawing consent for the processing, and there is no other legal ground for the processing.
- The data subject objects to the processing, and there are no other legitimate grounds for the processing
- The personal data was unlawfully processed in the first place.
- The personal data have to be erased for compliance with a legal obligation.
Data subjects can't request deletion if the data is a matter of freedom of expression or information, if the processing is a matter of public health, or if the data is archived for scientific or historical research purposes.
How do I comply with the seven principles of the GDPR?
The GDPR comprises seven principles with which organizations must comply. They are as follows:
- Lawfulness, fairness, and transparency: Processing data should abide by the law, treat data subjects fairly and be transparent.
- Purpose limitation: Companies should only process data for legitimate purposes that you specify for each data subject before you collect it.
- Data minimization: Data processors must collect and use only the data absolutely necessary to complete their business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject.
- Accuracy: Organizations should keep their data accurate at all times.
- Storage limitation: Organizations should only store personal data as long as necessary for the intended purpose. Organizations should delete the data when they're done with it.
- Integrity and confidentiality: Organizations should process data to protect its security, integrity and privacy. (For instance, transferring data with encryption).
- Accountability: Organizations are responsible for demonstrating GDPR compliance. Regulators expect detailed documentation about the data collected, how it's used and where it's stored. Organizations must train staff well to implement organizational security measures. And organizations must have data processing agreements in place with all third-party vendors who process data on their behalf.
What are the requirements for processing personal data under the GDPR?
The GDPR mandates that organizations only collect, store, process or sell data under one of the following lawful bases apply:
- The data subject gave specific consent to process the data.
- The processing is necessary to enter into a contract with the data subject.
- You need to comply with a legal obligation, like a court order.
- The processing is necessary to protect the vital interests of the data subject or someone else. Meaning, processing the data could save a life.
- The processing is necessary to carry out a task of public interest.
- Legitimate interest: You're using the data in a way the data subject would expect given the service or product you're offering.
What is the definition of "consent" under the GDPR?
To legally process data, the reason for doing so must fall under one of the GDPR's six legal bases, as listed above. Consent is one of them, and it's one of the most significant changes the GDPR ushered in, requiring organizations to acquire permission, explicitly, from any data subject before collecting their data. Not only must organizations gain consent, but they must use language that's easy to understand when asking the data subject for it.
The GDPR says a data subject consent means: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
So, if you're processing based on consent, you must:
- Demonstrate the data subject granted consent to processing their data.
- Ensure the request for consent was in clear and plain language and in an easily accessible form.
- Ensure the data subject has the right to revoke consent at any time
If the data subject doesn't grant consent, you must still allow them the same experience and access to your site as the data subjects who consented.
What are the rules on children's data under the GDPR?
If you seek to process children's data, you may never ask a person age 13 or under to give you consent. If you're asking for consent for children ages 13-15, you must also ask their parent or guardian. Children age 16 and up may give consent for themselves.
How does the GDPR affect marketing?
The GDPR grants specific rights to data subjects to increase transparency and give them control over their data and how it's used. In marketing, of course, the more you know about a customer, the better the sales. Determining insights about consumer interests and preferences is key to delivering relevant ads and offers. That can put the marketing tactics of younger days in conflict with the GDPR's rules. It's essential to check your practices against some of the data rights mentioned in our earlier section so you can be sure you're collecting data legally and to enable you to comply if a data subject wants to exercise their privacy rights.
The most important aspect of the GDPR to marketers are its data collection provisions, profiling data subjects and targeted ads. The GDPR requires organizations to be transparent with data subjects about how their data will be used.
You must notify customers at your first interaction that you're collecting their data. And remember, if you're a third-party vendor, you must inform the data subject within 30 days in an easy-to-read format.
It's essential to determine where your data lives in order to comply with data subject's rights under the GDPR. This is called data discovery or data mapping. That will allow you to correct inaccurate or incomplete personal data if a data subject requests you do so, and you will be able to respond to data subject access requests (DSARs) promptly. DSARs, as mentioned above, allow the data subject to request a copy of all the data you've collected on them. It can be complicated to find, categorize, and report back if you don't know where the information lives across the organization.
It's also essential to check your records to ensure you've asked the data subjects for explicit opt-in consent to process their data (no pre-ticked checkboxes!), and you've only used the data for the purpose it was collected.
If the data subject said you could collect their data to process a bill, it's not appropriate to automatically add that information onto a mailing list.
In addition, you must ensure you've given data subjects the ability to opt out of targeted advertising. And that brings us to the conversation about cookies.
What are cookies under the GDPR?
Marketers depend on cookies — small text files that store data— to follow users around the web to glean insights on users' preferences and locations, among other details. Under the GDPR, cookies can be considered personal data. If a cookie can identify a person based on their device, that's deemed personal data. Cookies considered personal data under the GDPR can include "a name, an identification number, location data or an online identifier." A special mention should be made for biometric data, such as fingerprints, which can also work as identifiers. These get a bit tricky. For help on this, the GDPR provides several examples of online identifiers in Recital 30. They include:
- Internet protocol (IP) addresses.
- Radio frequency identification (RFID) tags.
It's essential to look at the types of cookies your organization is deploying. If they're "strictly necessary" cookies, meaning they're required for the site to function, consent is not required. Otherwise, it is. Be sure to collect consent for marketing cookies, record that consent and allow it easy for data subjects to revoke consent as it was for them to say yes.
Who enforces the GDPR?
Individual data protection authorities (DPAs) from the 27 EU member states enforce the GDPR. DPAs are independent of the government. They investigate complaints, provide advice on data protection issues and determine when the GDPR has been breached. They also have fining powers.
DPAs are independent public authorities that supervise the application of the data protection law through investigative and corrective powers. They provide expert advice on data protection issues and handle complaints lodged against the General Data Protection Regulation violations and the relevant national laws.
All DPAs work together as a group on the European Data Protection Board. The European Data Protection Supervisor leads the board. The EDPB aims to harmonize GDPR enforcement across the EU. The board is responsible for guiding member states on complicated topics or the application of the law. It also issues opinions to the European Commission when it considers data protection and privacy legislation or issues.
The EDPB does not, however, enforce data protection law.
What are the punishments for violating the GDPR?
The cost of noncompliance with the GDPR can be high. Organizations that violate the law can be fined up to 4% of annual global revenue or 20 million euros, whichever is greater.
You've probably seen some of the media headlines reporting on DPAs taking action against various companies for GDPR violations. Some of the more hefty fines include:
- The Irish DPA's $267 million fine against WhatsApp in September 2021.
- The Luxembourg DPA's $887 fine against Amazon in July 2021.
- The French DPA's $593 million fine against Google in July 2021.
While it's often the big technology firms that have faced the most significant fines thus far, reading the enforcement actions will give you an indication of how the DPAs are thinking and in which areas they're most strict on enforcing.
While the GDPR is a massive piece of legislation and can be challenging to interpret, it serves as the basis for many international laws that have passed since its inception, so it's a vital regulation to understand. For example, the terms may change from the GDPR to Brazil's privacy law, but the concepts are the same. The trend is toward increased data subject rights, transparency and accountability.