19 February 2020
The GDPR is currently one of the strictest privacy laws in the world, with a global reach.
Here's everything you need to understand the effects of the regulation and get your GDPR compliance plan started.
The General Data Protection Regulation (GDPR) is the EU's new legal framework for protecting personal data and digital privacy. It's an upgraded version of the 1995 Data Protection Directive.
It strives to do two main things:
This new regulation enhances the Data Protection Directive by updating it to deal with the modern challenges of social media, cloud computing and other areas of concern over internet privacy. A lot has changed in the world of online personal data exchange since the 1990s, and the GDPR works to address these changes.
In fact, the GDPR is considered to be the most expansive, inclusive and comprehensive digital privacy law in the world to date.
The GDPR was passed in April 2016 and had an enforcement deadline of May 25, 2018.
The GDPR has expanded and broadened the reach of existing privacy laws. This means that if the Data Protection Directive didn't apply to your website/app, the new GDPR might.
For example, the previous legislation only applied to companies operating in the EU or operating from servers located within the EU. Now, however, the GDPR applies to any company that meets certain criteria regardless of its location.
Here's how to determine if it applies to you.
Ask yourself the following questions:
If you do offer products and services to citizens of the EU, you must comply with the GDPR.
Whether you sell tangible goods or provide internet-based services, if you do this with EU citizens as customers, the GDPR applies to you, regardless of where you're located.
If you don't offer products or services at all, or don't offer them to citizens of the EU, keep reading. The GDPR may still apply to you.
Next, ask yourself:
If you do collect information from citizens of the EU, you will fall under the GDPR.
However, depending on how sensitive the information you collect is, you may fall under stricter standards.
The GDPR covers two categories of protected information: "personal" and "sensitive personal."
Similarly to the old legislation, personal data under the GDPR law refers to anything that can be used to identify a person, including but not limited to the following:
If you collect this type of information, you must:
Here's an example of a sign up page that collects personal data from users and would trigger GDPR compliance. Even if just one of the pieces of data on this form was requested, compliance would still be required.
Sensitive personal data under GDPR law is considered more sensitive and thus comes with greater protections and more stringent regulations.
Sensitive personal data includes but isn't limited to the following:
If you collect this type of information, you must:
The old Data Protection Directive only applied to data controllers - the people who determine how and why personal data is collected for a website/app.
However, the GDPR broadens its scope to data processors as well. Data processors are the people who do the collection, storage and maintenance of user information.
Some examples of data processors include the following:
If you're a data processor and process data from EU citizens, you'll need to comply with special GDPR regulations including the following:
If you don't comply with the GDPR, it can come with big penalties.
Organizations can be hit with fines of up to 4% of their annual global turnover or €20 million, whichever is higher. A tiered penalty approach means that you can be fined up to 4% depending on the level of non-compliance.
For example, you may be fined 2% for not having records in order or not conducting an appropriate impact assessment.
The GDPR contains 11 chapters and 91 articles.
According to a PwC survey and study, 92% of U.S. companies consider GDPR to be a top data protection priority, with 68% of them planning to spend between $1 million and $10 million to comply with the regulation.
There are three main roles involved in ensuring compliance with GDPR for your company:
The "data controller" is the individual or department at your business that decides what personal data your business will collect and why. The data controller may dictate to the data processor how to process the data, including how long to retain it, what rights users have to access their data, etc., or may allow the data processor to use its best judgment and industry standard practices.
The "data processor" is a party other than an employee of the data controller. It may be an outsourced firm or third party, typically one that specializes in data processing, storage and security.
Consider the following four examples:
A website collects email addresses to provide a company newsletter.
The website uses MailChimp as its email newsletter service. Since the website chooses to collect the email addresses, the website is the data controller. MailChimp is the data processor because it takes the data collected by the website, stores it and processes it to send newsletters on behalf of the website.
A mobile app shows ads to its users via a third party such as AdSense or Mixpanel.
Here, the app collects user data and then uses a third party to process that data for the purpose the third party provides - showing ads. In this example, the mobile app is the data controller because it collects user data. AdSense or Mixpanel is the data processor because it processes the data through its own service in order to show ads in the app.
A website simply provides users with information and content. It has no signup capabilities, no login form and doesn't send out newsletters. It's a presentational website such as Wix.
However, this website does use Google Analytics. In this example, Google Analytics would be both the data controller and the data processor. This is because the website itself doesn't collect any information, but rather gives Google Analytics the OK to collect what it needs to function. Google Analytics then collects and processes the information on its own.
Remember: Data controllers are the companies that collect the data, while data processors are the companies that store, process and protect the data.
Read more about the distinction and specific requirements at the GDPR's website.
Keep in mind that while old legislation dealt only with data controllers, the GDPR now deals with data processors as well.
You only need to appoint a DPO if you:
Learn more about DPO requirements here.
Data controllers are responsible for deciding which personal data is collected and for what purpose. This places a lot of discretion and responsibility on the data controller, which is why controllers have been under legal requirements since the early legislation of the 1990s.
The GDPR adds additional requirements for data controllers including:
Data Privacy Impact Assessments (DPIAs) help to evaluate the effect of the data processing on the protection of the personal data. They do this by assessing the data processing operations in place and considering risks.
Data controllers will now have to get clear, unambiguous affirmative consent before collecting personal data, and explicit consent before collecting sensitive personal data.
These may sound like the same thing, but they're not. Clear and unambiguous affirmative consent doesn't have to be explicit.
For example, you can ask users for an email address in order to send them a newsletter. If a user enters an email address and submits it to you, that's clear and unambiguous consent through an affirmative act.
Here's an example of a way to get clear, unambiguous affirmative consent to collect personal data in the form of an email address:
To get explicit consent, you can make a user click a checkbox that explicitly states that by checking the box, the user is agreeing to something.
An affirmative action is different from an explicit action under the GDPR.
If you collect personal data such as email addresses, first names, birthdates, mailing addresses:
Any conduct that clearly indicates, at the time, that a user is accepting to have their data processed will work to show consent.
In the earlier example, the conduct that indicates consent is when a user enters her email address and clicks submit. These two actions provide clear, unambiguous affirmative consent that the company may collect that email address.
In the following example, a user will enter both a name and email address, as well as click Download before submitting personal information. These steps work to show that a user is consenting to share that personal data.
If you collect sensitive personal data such as sexual orientation, health information, religious views, etc.:
Here's an example that's similar to the earlier example. While the form isn't collecting sensitive personal data, it's still getting explicit consent by using the checkbox as well as a Confirm button.
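The distinction above (a plain submission is enough for personal data, an explicit checkbox is needed for sensitive personal data) as a server-side check. This is an added example, not code from the article; the field categories, the submission shape and the sample submissions are assumptions constructed for illustration.

```javascript
// Added example (not from the article): decide whether a form submission
// carries the right kind of consent before any personal data is stored.
// Categories follow the article: sensitive personal data needs explicit
// consent (a checkbox the user ticked); ordinary personal data needs only a
// clear affirmative act (the user typed the value and pressed submit).
const SENSITIVE_FIELDS = new Set(["health", "religion", "sexualOrientation"]);
const PERSONAL_FIELDS = new Set(["email", "firstName", "birthdate", "address"]);

// submission (assumed shape): { fields: {...}, purpose: string,
//   explicitConsent: boolean, consentDefaultChecked: boolean, noticeVersion: string }
// Returns { ok: true, record } or { ok: false, reason }.
function validateConsent(submission, now = new Date()) {
  const fieldNames = Object.keys(submission.fields).filter(
    (k) => submission.fields[k] !== undefined && submission.fields[k] !== "");
  if (fieldNames.length === 0) return { ok: false, reason: "nothing submitted" };
  const unknown = fieldNames.filter((k) => !SENSITIVE_FIELDS.has(k) && !PERSONAL_FIELDS.has(k));
  if (unknown.length > 0) return { ok: false, reason: "uncategorised field: " + unknown[0] };
  if (!submission.purpose) return { ok: false, reason: "purpose missing" };
  const sensitive = fieldNames.filter((k) => SENSITIVE_FIELDS.has(k));
  let basis = "affirmative act (user entered data and submitted)";
  if (sensitive.length > 0) {
    // A pre-ticked box is not an affirmative act (GDPR Recital 32), so the
    // checkbox only counts as explicit consent when it started unchecked.
    if (submission.consentDefaultChecked) return { ok: false, reason: "consent box was pre-ticked" };
    if (!submission.explicitConsent) {
      return { ok: false, reason: "explicit consent required for: " + sensitive.join(", ") };
    }
    basis = "explicit consent (checkbox)";
  }
  // Consent record stored alongside the data so the controller can show
  // what was agreed to, for which purpose, and under which privacy notice.
  const record = {
    fields: fieldNames, sensitiveFields: sensitive, purpose: submission.purpose,
    basis, noticeVersion: submission.noticeVersion || "unversioned",
    consentedAt: now.toISOString(),
  };
  return { ok: true, record };
}

// Constructed sample submissions (not real users).
const newsletter = { fields: { email: "a@example.com" }, purpose: "newsletter",
  explicitConsent: false, consentDefaultChecked: false, noticeVersion: "v1" };
const healthSurvey = { fields: { email: "b@example.com", health: "asthma" },
  purpose: "survey", explicitConsent: false, consentDefaultChecked: false, noticeVersion: "v1" };
```

Running `validateConsent(newsletter)` accepts the submission on the affirmative-act basis, while `healthSurvey` is rejected until `explicitConsent` is true and the box was not pre-ticked.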
The GDPR's eight user rights must be respected whenever personal information is collected:
Data processors are responsible for maintaining, securing and processing data collected. This may be a department or person in your company, or may be a third party you've outsourced to.
For example, a third party might be MailChimp that helps you store and process email addresses you collect.
Under the GDPR, there are a number of new obligations for data processors, including the following:
Data processors will now have to maintain written records for personal data processing activities carried out for the controller.
You must have appropriate technical and organizational measures in place to ensure a suitable level of security and data integrity for any data you process.
You must notify the controller without undue delay if a data breach ever occurs.
If you're required to have a DPO, you can hire an expert consultant or independent contractor if you don't have an in-house high-level legal compliance executive.
Your DPO will have the following duties under the GDPR:
Since the 1990s, Privacy by Design has been a general, recommended method of developing a business with privacy in mind from the beginning.
However, now Privacy by Design is a requirement under GDPR.
Privacy by Design has 7 key principles that work to keep personal data collection to a minimum, with maximum protection.
If your business falls under the GDPR, you'll need to make efforts to implement and satisfy these 7 principles:
Read more about Privacy by Design at the article linked above.
The GDPR applies to you if your business does any one of the following:
Data controllers must:
Data processors must:
Your DPO must:
Remember, you only need to appoint a DPO if your company processes data that reveals any sensitive personal information, is a public authority or regularly monitors data on a large scale from EU citizens.
In order for your collection of personal data to be GDPR-compliant, you must follow these six privacy principles, which can be found in Article 5 of the GDPR.
Here are the six processing conditions that you must satisfy at least one of if you collect personal data:
Learn more about the meaning of each condition here.
Here are the ten processing conditions that you must satisfy at least one of if you collect sensitive personal data:
Learn more about the meaning of each condition here.