Last updated on 01 July 2022 by Stephen Titcombe (Legal writer at TermsFeed)
The General Data Protection Regulation (GDPR) is a comprehensive legal framework that regulates how companies collect and process personal data in the European Union (EU).
Revered as the most robust digital privacy regulation in the world today, the GDPR has been a landmark in the data protection realm, establishing a new threshold for global data protection practices.
If you're looking to understand what the law is all about and how it applies to your business, then read on as we explain the GDPR in simple, actionable steps.
The GDPR is the core of the EU's digital privacy legislation, primarily designed to "harmonize" data privacy laws across all its member countries. With its introduction, the GDPR provides new rights and better protection for the personal data of EU citizens.
After its approval in April 2016, the regulation came into full effect on May 25, 2018, and requires every business that falls within its scope, whatever its type or size, to comply. Being located outside the EU does not exempt you from compliance as long as you offer goods or services to, or monitor the behavior of, people in the EU.
The GDPR empowers EU citizens with several new rights and privileges, giving them more control over how their personal data is used. Briefly, individual rights include the following:
For a more in-depth look at these rights and how to facilitate them under the GDPR, check out our feature article: 8 User Rights Under the GDPR.
To fully understand the scope, activities, and obligations under the GDPR, it's crucial to get a grasp of how certain terms are defined under the law, within Article 4.
Simply put, personal data is any information that can be used to identify a real person. To quote the GDPR at Article 4:
"Personal data means any information relating to an identified or identifiable natural person (data subject)"
From this definition, personal data may include an individual's name, location, mobile number, identification number, home/email address, and other similar information.
A data subject is an individual whose personal data is processed by companies. They are your consumers or website users.
Sensitive Personal Information
Under the GDPR, sensitive personal information refers to a special category of personal data that is guarded by stricter rules. It includes:
The GDPR defines processing as "any operation or set of operations" implemented on personal data (basically anything). It proceeds to cite examples of actions that constitute processing. They include:
A controller is a person or a company that "decides the purposes and methods" of processing personal data. In simpler terms, a controller determines why data is collected and how it will be processed.
A processor is a person or a company that processes personal data on behalf of the controller. Consequently, processors operate under the direction and supervision of controllers (or their own industry standards in certain instances).
Understanding the obligations and differences between a data controller and a data processor is crucial to identify where you belong and to become fully GDPR-compliant.
For example, let's say you obtain customers' email addresses and their permission to market your products. If you use an online email service like AWeber to send them promotional emails, you're the data controller, and AWeber is the data processor.
In addition to the rights granted to data subjects, the GDPR also introduces several privacy principles that must be observed by companies to ensure better data protection in the EU. They are as follows:
The GDPR is considerably expansive in scope and consequently applies to almost every major organization in the world. Below are the conditions that determine if your company is subject to the regulation.
You automatically become subject to the GDPR once your company is located within the EU region. This stipulation applies to both data controllers and processors situated in the EU.
With that said, keep in mind that the GDPR only applies to individuals or organizations engaged in purely "professional or commercial activities" and does not cover "personal or household activities."
According to the GDPR, organizations in countries outside the EU (known as "third countries") that handle personal data may be subject to the regulation regardless of their own national data protection laws.
If your company is located in a third country, you must comply with the GDPR if:
For example, a video game company in California that features gamers from the EU and collects their information will be subject to the GDPR.
If your company falls under this category, you must comply with all responsibilities of the GDPR.
However, companies with fewer than 250 employees are not fully exempt from the regulation. The GDPR relieves such companies of most documentation responsibilities, except when:
Under the GDPR, processing personal data is illegal if you have not identified one of the six legal bases for doing so. Briefly, they are as follows:
After identifying the legal basis for your processing activities, you should document such and inform your data subjects.
Now we're going to look at the major requirements you must observe to be considered GDPR-compliant.
Data breach notifications play a significant role in the GDPR.
According to the law, both controllers and processors are legally obligated to inform the appropriate supervising authority of a personal data breach within seventy-two (72) hours after its detection.
In addition, you must notify the affected data subjects of any breach that may place their rights and freedoms at high risk, as well as provide information relating to:
Consent is considered one of the most crucial aspects of the GDPR that gives individuals control over how their data is processed. Here are the key points to note:
Explicit consent is needed for processing sensitive personal information.
Note that explicit consent is different from clear, affirmative consent. The best way to get explicit consent is to have your users click a checkbox that explicitly says that by checking the box, they accept your terms.
Here's an example of how Vudu gets explicit consent from users before they sign up on its platform:
You should also seek user consent before using website cookies in order to fully comply with the regulation.
Here's how EY explicitly obtains consent from its users to provide cookies in compliance with the GDPR:
Alternatively, you may adopt other clickwrap methods to confirm user consent, as long as they are GDPR-compliant.
A Data Protection Impact Assessment (DPIA) is a GDPR requirement that must be observed whenever your processing activities place individual rights and freedoms at high risk. These assessments are especially required if:
A Data Protection Officer (DPO) is an independent individual appointed by a company to oversee its data protection strategy and ensure GDPR compliance.
Once appointed, a DPO's duty is to inform, guide, and advise companies about GDPR compliance. They also serve as the primary contact point for both supervisory authorities and individuals on privacy matters.
Although not all companies are required to appoint one, having a DPO can be beneficial in the GDPR-compliance journey. Under the law, you must designate a DPO if:
It provides an avenue for disclosing all relevant information to your data subjects, supervisory authorities, and the general public. It is also the first place that will be checked for GDPR compliance.
Finally, you must provide the information above in a concise, understandable, and easily accessible form.
The GDPR's data transfer requirements apply only in certain circumstances. This means you don't have to take additional measures if you transfer personal data within the EU.
However, if you are transferring data to a third country, you must employ one of the safeguards set forth by the law.
In most cases, standard contractual clauses (SCCs) are used to ensure appropriate data protection during international transfers.
For example, TikTok adopts some GDPR-prescribed safeguards for data transfers as shown below:
The notion of privacy by design and by default requires companies to consider data privacy matters at the initial stage (or design) of any new product or process. To accomplish this, companies must observe seven key principles.
They are as follows:
The penalties for not complying with the GDPR have significantly increased when compared with its predecessor (the 1995 Data Protection Directive).
In setting appropriate fines for non-compliance, the GDPR has classified the severity of violations into two tiers.
For tier 1 infringements, fines for non-compliance can go as high as €10 million, or 2% of the company's global annual turnover for the preceding financial year (whichever amount is higher).
Tier 1 infringements are based on violations of:
For tier 2 infringements, fines for non-compliance can go as high as €20 million, or 4% of the company's global annual turnover for the preceding financial year (whichever amount is higher).
Tier 2 infringements are based on violations of:
As demonstrated by the penalties above, non-compliance with the GDPR is not an option. If you fall under its scope, you must take measures to comply with the regulation in its entirety. This may involve seeking legal or professional help.
Here's a refresher of the most important things to take note of:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.