GDPR for Beginners

The General Data Protection Regulation (GDPR) is a comprehensive legal framework that regulates how companies collect and process personal data in the European Union (EU).

Revered as the most robust digital privacy regulation in the world today, the GDPR has been a landmark in the data protection realm, establishing a new threshold for global data protection practices.

If you're looking to understand what the law is all about and how it applies to your business, then read on as we explain the GDPR in simple, actionable steps.

What is the EU's General Data Protection Regulation?

The GDPR is the core of the EU's digital privacy legislation, primarily designed to "harmonize" data privacy laws across all its member countries. With its introduction, the GDPR provides new rights and better protection for the personal data of EU citizens.

After its approval in April 2016, the regulation came into full effect on May 25, 2018, and requires businesses of all kinds to comply accordingly, should they fall under its scope. Being outside the EU region does not mean you're excluded from compliance as long as you offer goods/services or monitor people's behavior in the EU.

Individual User Rights Under the GDPR

The GDPR empowers EU citizens with several new rights and privileges, giving them more control over how their personal data is used. Briefly, individual rights include the following:

• The right to be informed: Data subjects must be informed about the collection and processing of their personal data in a concise, understandable, and easily accessible form.
• The right of access: Data subjects must be allowed to access their personal data and obtain relevant information regarding its use, storage, and disclosure to third parties (if any).
• The right to rectification: You must grant data subjects the ability to rectify inaccurate personal information about themselves on your platform.
• The right to data portability: You must provide data subjects with a copy of their personal data upon request for transfer to another controller without interference.
• The right to restrict processing: Data subjects have the right to restrict you from processing their personal data for a specific purpose.
• The right to erasure: Data subjects have the right to request a prompt deletion of their personal data in certain instances.
• The right to object: Data subjects can object to the processing of their personal data, especially in the case of direct marketing and other types of similar profiling.
• The right to not be subject to automated decisions: Data subjects have the right to request a review if critical decisions about them are made through an automated process (e.g. profiling).

Here's how Clubhouse adapts its Privacy Policy to satisfy the GDPR's individual rights requirements:

For a more in-depth look at these rights and how to facilitate them under the GDPR, check out our feature article: 8 User Rights Under the GDPR.

The GDPR's Definitions

To fully understand the scope, activities, and obligations under the GDPR, it's crucial to get a grasp of how certain terms are defined under the law, within Article 4.

1. Personal Data

   Simply put, personal data is any information that can be used to identify a real person. To quote the GDPR at Article 4:

   "Personal data means any information relating to an identified or identifiable natural person (data subject)"

   From this definition, personal data may include an individual's name, location, mobile number, identification number, home/email address, and other similar information.

2. Data Subject

   A data subject is an individual whose personal data is processed by companies. They are your consumers or website users.

3. Sensitive Personal Information

   Under the GDPR, sensitive personal information refers to a special category of personal data guarded by stricter regulations. They include:

   • Sexual orientation
   • Health data
   • Biometric information
   • Racial/Ethnic information
   • Political views
   • Genetic information
   • Religious/Philosophical beliefs

4. Processing

   The GDPR defines processing as "any operation or set of operations" implemented on personal data (basically anything). It proceeds to cite examples of actions that constitute processing. They include:

   • Collecting data
   • Documenting data
   • Storing or classifying data
   • Adjusting data
   • Utilizing data
   • Disclosing data
   • Restricting data
   • Deleting data

5. Controller

   A controller is a person or a company that "decides the purposes and methods" of processing personal data. In simpler terms, a controller determines why data is collected and how it will be processed.

6. Processor

   A processor is a person or a company that processes personal data on behalf of the controller. Consequently, processors operate under the direction and supervision of controllers (or their own industry standards in certain instances).

   Understanding the obligations and differences between a data controller and a data processor is crucial to identify where you belong and to become fully GDPR-compliant.

   For example, let's say you obtain customers' email addresses and their permission to market your products. If you use an online email service like Aweber to send them promotional emails, you're the data controller, and Aweber is the data processor.

Data Processing Principles

In addition to the rights granted to data subjects, the GDPR also introduces several privacy principles that must be observed by companies to ensure better data protection in the EU. They are as follows:

• Lawfulness, fairness, and transparency: You must ensure that personal data under your care is processed in a lawful, fair, and transparent way.
• Accuracy: You must keep personal data accurate and constantly updated.
• Purpose limitation: Personal data must be processed for the appropriate purposes specified to data subjects during collection.
• Storage limitation: You should only keep personal data for as long as absolutely necessary.
• Data minimization: You should obtain and process only as much data as absolutely needed for the reasons specified.
• Integrity and confidentiality: You must provide technical and organizational systems to protect personal data from unlawful processing or accidental circumstances.
• Accountability: You (as a data controller) are responsible for demonstrating GDPR compliance with the listed principles above.

Who Does the GDPR Apply to?

The GDPR is considerably expansive in scope and consequently applies to almost every major organization in the world. Below are the conditions that determine if your company is subject to the regulation.

A business presence within the EU

You automatically become subject to the GDPR once your company is located within the EU region. This stipulation applies to both data controllers and processors situated in the EU.

With that said, keep in mind that the GDPR only applies to individuals or organizations engaged in purely "professional or commercial activities" and makes no provision for "personal or household activities."

Collects or processes personal data of EU citizens

According to the GDPR, countries outside the EU region that manage personal data (aka 'Third Countries') may be subject to the regulation regardless of their own data protection laws.

If your company is located in a third country, you must comply with the GDPR if:

• You offer goods/services to EU citizens
• You process personal or sensitive data of EU citizens, or
• You monitor the behavior of EU citizens

For example, a video game company in California that features gamers from the EU and collects their information will be subject to the GDPR.

Employs more than 250 individuals

If your company falls under this category, you must comply with all responsibilities of the GDPR.

However, companies with less than 250 employees are not fully exempt from the regulation. The GDPR relieves such companies of most documentation responsibilities, except when:

• Their processing activities is likely to jeopardize the rights and freedoms of data subjects
• They process personal data frequently or process sensitive personal information
• They process data "relating to criminal convictions and offenses"

Legal Basis for Processing Personal Data

Under the GDPR, processing personal data is illegal if you have not identified one of the six legal bases for doing so. Briefly, they are as follows:

• Consent: If you operate under the legal basis of consent, you must not process data unless you have obtained the approval or permission of data subjects.
• Legal Obligation: You may have to process a person's data at the behest of the law. For example, the court compels you to disclose a data subject's information.
• Contract: Processing may be required to implement or enter into a contract with the data subject. For example, carrying out a background check before hiring a potential candidate.
• Vital Interests: It is legally allowed to process a person's data if their life depends on it.
• Public task: Processing may be required to carry out an official duty or perform a task in the interest of the public.
• Legitimate Interests: This has been termed "the most flexible lawful basis". Legitimate interests allow companies to (reasonably) process data without consent as long as the processing does not hinder individuals' rights or freedoms.

After identifying the legal basis for your processing activities, you should document such and inform your data subjects.

Requirements of the General Data Protection Regulation

Now we're going to look at the major requirements you must observe to be considered GDPR-compliant.

Data Breach Notifications

Data breach notifications play a significant role in the GDPR.

According to the law, both controllers and processors are legally obligated to inform the appropriate supervising authority of a personal data breach within seventy-two (72) hours after its detection.

In addition, you must notify the affected data subjects of any breach that may place their rights and freedoms at high risk, as well as provide information relating to:

• The nature of the personal data breach
• The name and contact information of the Data Protection Officer, or another contact point to get information
• The possible consequences, and
• The measures taken or suggested to alleviate the possible consequences

Consent

Consent is considered one of the most crucial aspects of the GDPR that gives individuals control over how their data is processed. Here are the key points to note:

• Consent requires a freely given, distinct, informed, unambiguous, and clear-cut affirmative action from data subjects.
• Data subjects have the right to withdraw consent at any time, and you must bring this to their attention.
• Consent must be given by data subjects over the age of 13, otherwise approved by a parent/guardian.

• Explicit consent is needed for processing sensitive personal information.

  Note that explicit consent is different from clear, affirmative consent. The best way to get explicit consent is to have your users click a checkbox that explicitly says that by checking the box, they accept your terms.

• Finally, consent should be documented as it can help avoid legal disputes.

Here's an example of how Vudu gets explicit consent from users before they sign up on its platform:

You should also seek user consent before using website cookies in order to fully comply with the regulation.

Here's how EY explicitly obtains consent from its users to provide cookies in compliance with the GDPR:

Alternatively, you may adopt other clickwrap methods to confirm user consent, as long as they are GDPR-compliant.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a GDPR requirement that must be observed whenever your processing activities place individual rights and freedoms at high risk. These assessments are especially required if:

• You process a large amount of sensitive personal information
• You process a substantial volume of data that could significantly affect many individuals
• You use modern technologies to process data, or
• You process data for profiling purposes or similar activities

Data Protection Officer (DPO)

A Data Protection Officer (DPO) is an independent individual appointed by a company to regulate its data protection strategy and ensure GDPR compliance.

Once appointed, a DPO's duty is to inform, guide, and advise companies about GDPR compliance. They also serve as the primary contact point for both supervisory authorities and individuals on privacy matters.

Although not all companies are required to appoint one, having a DPO can be beneficial in the GDPR-compliance journey. Under the law, you must designate a DPO if:

• Your company is a public authority (excluding courts),
• Your processing activities involve regular and systematic large-scale data monitoring, or
• Your processing activities involve handling a high volume of sensitive personal information or data relating to criminal offenses and convictions

Here's how Spotify complies with this requirement in its Privacy Policy:

Privacy Policy

A Privacy Policy is another essential requirement of not only the GDPR but various other privacy laws.

It provides an avenue for disclosing all relevant information to your data subjects, supervisory authorities, and the general public. It is also the first place that will be checked for GDPR compliance.

Briefly, a standard GDPR-compliant Privacy Policy should contain at least the following information:

• The type of data you collect
• Reasons for collection
• The legal basis for processing such data
• Data retention period
• Individual rights under the GDPR
• Third-party disclosures (if any), and
• Contact details for your company and your DPO (if available)

Finally, you must provide the information above in a concise, understandable, and easily accessible form.

Data Transfers

Data transfer is a conditional requirement under the GDPR. This means you don't have to take additional measures if you transfer personal data within the EU area.

However, if you are transferring data to a third country, you must employ one of the safeguards set forth by the law.

In most cases, a standard contractual clause (SCC) is used to ensure appropriate data protection during international transfers.

For example, TikTok adopts some GDPR-prescribed safeguards for data transfers as shown below:

Privacy by Design and by Default

The notion of privacy by design and by default requires companies to consider data privacy matters at the initial stage (or design) of any new product or process. To accomplish this, companies must observe seven key principles.

They are as follows:

• Be preventive rather than remedial
• Prioritize privacy
• Integrate privacy into the design
• Value privacy over profit-making
• Enforce lifecycle data protection
• Exhibit transparency with users
• Prioritize users in matters concerning their data

GDPR Penalties for Non-compliance

The penalties for not complying with the GDPR have significantly increased when compared with its predecessor (the 1995 Data Protection Directive).

In setting appropriate fines for non-compliance, the GDPR has classified the severity of violations into two tiers.

For tier 1 infringements, fines for non-compliance can go as high as €10 million, or 2% of the company's yearly global turnover from the previous year (whichever amount is higher).

Tier 1 infringements are based on violations of:

• Obligations of controllers and processors
• Certification bodies, and
• Monitoring bodies

For tier 2 infringements, fines for non-compliance can go as high as €20 million, or 4% of the company's yearly global turnover from the previous year (whichever amount is higher).

Tier 2 infringements are based on violations of:

• Data transfers to third countries
• Principles for data processing
• Processing sensitive personal information
• Conditions for consent
• Individual rights under the GDPR

GDPR Compliance Checklist

As demonstrated by the penalties above, non-compliance with the GDPR is not an option. If you fall under its scope, you must take measures to comply with the regulation in its entirety. This may involve seeking legal or professional help.

Here's a refresher of the most important things to take note of:

• Ensure you adhere to the GDPR's data processing principles
• Take note of your user rights and help exercise them upon request
• Provide an easy-to-read GDPR-compliant Privacy Policy or update your existing one
• Provide your DPO's contact details or similar information to address privacy concerns
• Process data only after identifying a legal basis for doing so
• Obtain clear and explicit consent to process data (where applicable)
• Keep all other GDPR requirements in mind and comply accordingly