The General Data Protection Regulation (GDPR) is a regulation set forth by the EU that governs the protection and dissemination of personal data and enhances digital privacy for people located in the EU.

The GDPR's primary goal is to serve as a unifying, comprehensive data and privacy framework for any organization that controls or processes data from anyone in the EU.

Ultimately, the GDPR is:

  • Strengthening individual privacy rights
  • Simplifying the handling of personal data in the course of international business
  • Imposing punishments and other penalties on businesses that violate its requirements

There's a lot more to it than that, so let's get into the details of the GDPR.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

Why is the GDPR Necessary?

The Data Protection Directive and Data Protection Act laid the initial structure for European privacy laws and compliance.

However, with new and increasing data creation, handling, and storage challenges, a result of the meteoric rise of social media and cloud computing, the Data Protection Directive lagged behind.

The fragmented nature of individual nations' privacy laws led to inconsistent enforcement throughout the EU, leaving domestic and foreign business owners to navigate data compliance procedures blindly, often coming up short.

Now, instead of 28 countries relying on their own interpretations of what constitutes data protection and compliance, they are provided with structured and uniform guidance.

With the implementation of the GDPR in early 2018, the EU now boasts the most comprehensive and protective digital privacy regulatory framework in the world, striking an effective balance between privacy and data protection rights and fundamental human rights and other public and private interests.

GDPR Legislative Fact: The GDPR was drafted as an upgrade to the 1995 Data Protection Directive, ultimately harmonizing and synthesizing a collective of privacy regulations into one manageable and unified source.

The GDPR's Scope: Who Does it Apply to?


When determining whether a business or website falls under the scope of the GDPR or whether it is exempt, it's important to ask the following questions:

1. Does the business or website engage in the collection of information and data from users located in the EU?

One of the most important changes building upon the Data Protection Directive's incomplete framework was the GDPR's expansion to include anyone, regardless of location, who collects or processes personal data of individuals in the EU.

Article 3 of the GDPR covers:

  • Controllers or processors of personal data that are located in the EU,
  • Controllers or processors of personal data not located in the EU when they offer goods or services to data subjects in the EU or monitor their behavior, and
  • Controllers or processors of personal data not located in the EU but established in a place where Member State law applies by virtue of public international law

In sum, even if your company is located in Florida, as long as you offer goods or services to data subjects located within the EU, the GDPR will apply.

2. Does the business have more than 250 employees?

The GDPR concedes that smaller companies pose a less serious risk of destroying or wrongfully disseminating personal data than larger ones, and should therefore be held to less stringent regulation.

Companies with fewer than 250 employees enjoy a narrower scope under the GDPR, and are only required to maintain records of data processing activities when:

  • The processing carries a potential risk of harming data subject rights,
  • There is a frequent and regular processing of data, or
  • The personal data falls under a special category, or relates to criminal offenses and convictions

Keep in mind that organizations and companies with more than 250 employees are required to comply to the fullest extent of GDPR regulations.

3. Is the business a data controller, or processor?

On top of geographic expansion and considerations, the GDPR expanded upon the material scope of the EU Data Privacy Directive.

Data privacy compliance now requires not only data controllers but also data processors to adhere to such regulations, and imposes increased responsibilities and obligations on processors.

Controller

  Article 4 definition: "...the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

  Must:
    • Implement data protection policies
    • Adhere to the GDPR code of conduct
    • Adhere to the GDPR certification process

Processor

  Article 4 definition: "...a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

  Must:
    • Keep detailed records of processing activities,
    • Implement comprehensive compliance and security technology,
    • Appoint a Data Protection Officer,
    • Conduct impact assessments, and
    • Have breach notification procedures in place.

Understanding the key requirements and differences between data controllers and data processors is important before formulating your compliance game plan, as each one has its own regulation and compliance measures to follow.

Can a company be both? Yes. It's possible for a single company to be both a data processor and a data controller.

An example is when a payroll company also processes the data of its own staff. It's a data controller of its own staff's data, and a processor of client data.

4. Does the business collect personal or sensitive data?

The GDPR classifies consumer data into two distinct categories: "personally identifying" and "sensitive personal" data.

After all, without knowing what constitutes the GDPR's definition of data, a company won't know whether they deal in the type of information covered under the GDPR's scope.

Personally Identifiable Information (PII): Includes any information that distinguishes an individual's identity, such as full name, identification number, bank details, home and email address, passport number, location data, pseudonymous data, and photo, audio, or video files.

Sensitive Personal Information (SPI): Includes any information which reveals a person's biometric, genetic, health, sexual, religious, philosophical, political, racial, or ethnic data.

GDPR Requirements and Characteristics


The deadline for complying with the GDPR was set as May 25th, 2018.

What are the consequences for failing to comply? The stakes have been increased, and the GDPR imposes significantly heftier fines and penalties on companies who fail to comply.

For tier 1 companies, non-compliance fines run up to €10 million or 2% of the company's annual global turnover; for tier 2 companies, up to €20 million or 4%.

Below is a list of six crucial changes the GDPR requires companies to adopt and implement in order to be considered GDPR-compliant.

Consent is considered an important aspect of individuals understanding and retaining control over how their data is handled and processed.

Under the GDPR, consent needs to be freely given, informed, and unambiguous, which greatly increases the standard of what's considered valid consent.

No longer can you legally claim that someone is agreeing to your Terms and Policies simply by being active on your website. Now, to get adequate consent, you need to implement clickwrap methods that utilize un-ticked checkboxes and clearly-labeled buttons.

Here's an example of how to implement this, from Vudu:

Vudu Create Account form with Agree to Terms and Privacy checkbox highlighted

Consent is also required before using most cookies. If you have EU users and use cookies that require consent, you'll need to implement a cookie consent solution on your website before placing these cookies on your users' devices.

Your cookie consent notice, like other forms of GDPR consent, should use either (or better yet, both) a checkbox or an "I Agree" type of button that makes it very clear that users are agreeing and consenting to have cookies used.

Here's an example of such a notice from Standard Chartered:

Standard Chartered cookie consent notice

Make sure to link your Privacy Policy and/or Cookies Policy to your cookie consent notice.
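The consent rules above (an un-ticked checkbox the user must affirmatively tick, and no non-essential cookies until the user has agreed) can be expressed as a small piece of server- or client-side logic. The following is an added example written for this article; it is not code from TermsFeed, Vudu or Standard Chartered. The function names, the cookie categories ("essential", "analytics", "marketing") and the policy version label are assumptions made for the illustration.

```javascript
// Added example: explicit-consent gating for a sign-up form and for cookies.
// Not code from the article's author or any site it cites; all names below
// (initialConsentForm, validateSignup, buildConsentRecord, canSetCookie,
// withdrawConsent) and the cookie categories are assumptions.

const COOKIE_CATEGORIES = Object.freeze(["essential", "analytics", "marketing"]);

// Starting state of the form: nothing is pre-ticked, so inactivity or
// "using the site" can never be read as agreement.
function initialConsentForm() {
  return { agreeTerms: false, cookies: { analytics: false, marketing: false } };
}

// Accept a submission only if the user affirmatively ticked the terms box.
// Anything other than the boolean true (undefined, "on", 1) is rejected,
// which also rejects a malformed or tampered request body.
function validateSignup(form) {
  const errors = [];
  if (!form || form.agreeTerms !== true) {
    errors.push("You must tick the box to agree to the Terms and Privacy Policy.");
  }
  return { ok: errors.length === 0, errors };
}

// Build an auditable consent record: which policy version was agreed to,
// when, and the per-category cookie choices, each read as an explicit opt-in.
function buildConsentRecord(form, policyVersion, now = new Date()) {
  const result = validateSignup(form);
  if (!result.ok) throw new Error(result.errors.join(" "));
  const cookies = (form && form.cookies) || {};
  return {
    policyVersion,
    agreedAt: now.toISOString(),
    cookieConsent: {
      analytics: cookies.analytics === true,
      marketing: cookies.marketing === true,
    },
  };
}

// Decide whether a cookie of the given category may be placed on the device.
// Essential cookies need no consent; every other category needs a recorded,
// affirmative choice, so before any record exists the answer is always "no".
function canSetCookie(category, record) {
  if (!COOKIE_CATEGORIES.includes(category)) return false; // unknown category: refuse
  if (category === "essential") return true;
  if (!record) return false;
  return record.cookieConsent[category] === true;
}

// Consent can be withdrawn later. Return a new record instead of mutating the
// old one so the history of what was agreed, and when, stays intact.
function withdrawConsent(record, category, now = new Date()) {
  if (category === "essential") throw new Error("Essential cookies are not consent-based.");
  return {
    ...record,
    cookieConsent: { ...record.cookieConsent, [category]: false },
    updatedAt: now.toISOString(),
  };
}

// Walk through a constructed sign-up so the block runs stand-alone.
function demo() {
  const form = initialConsentForm();
  const beforeTick = validateSignup(form).ok;          // false: box not ticked yet
  form.agreeTerms = true;                              // user ticks the box
  form.cookies.analytics = true;                       // and opts in to analytics only
  const record = buildConsentRecord(form, "privacy-policy-v3"); // constructed version label
  const later = withdrawConsent(record, "analytics");
  return {
    beforeTick,
    analyticsAllowed: canSetCookie("analytics", record),   // true
    marketingAllowed: canSetCookie("marketing", record),   // false
    analyticsAfterWithdrawal: canSetCookie("analytics", later), // false
  };
}

console.log(demo());
```

The record produced by buildConsentRecord is what you would store alongside the account: it lets you show, for any user, which policy version they agreed to and when, and it is the only thing canSetCookie consults, so a cookie for a category the user never opted into is withheld rather than set and apologised for later.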

Data Breach Notifications

It's very important that you handle all data breaches appropriately.

Under the GDPR, data controllers and processors are legally required to notify the supervisory authority, along with the individuals affected, within seventy-two (72) hours of discovering the breach. The data breach notification should include the following elements:

  • The nature of the data breach
  • The name and contact details of the Data Protection Officer, or another point of contact to obtain information
  • The likely consequences of the breach
  • The measures proposed, or taken, in order to remedy and address the breach

Conduct Data Protection Impact Assessments

Data Protection Impact Assessments (DPIAs) are required when a data processing activity poses a high risk to the fundamental rights and freedoms of a natural person. Such assessments should be conducted in several instances, including when a company:

  • Processes special categories of personal data, or data relating to criminal offenses and convictions, on a large scale,
  • Uses new technologies to process data,
  • Processes a considerable amount of data that could greatly affect a high volume of individuals, and
  • Processes data "for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects."

Elect a Data Protection Officer (DPO)

Not all companies are required to appoint a Data Protection Officer (DPO) under the GDPR. You'll only need to appoint one when:

  • The company is a public authority,
  • The controller or processor's primary duties include large scale data monitoring, or
  • The controller or processor handles a wide range of sensitive personal data (SPI)

Even if you aren't required to appoint one, doing so anyway can be a great step towards ensuring GDPR compliance.

DPOs should be appointed in order to:

  • Inform and train processors and controllers on their requirements and obligations under the GDPR, and other data protection laws,
  • Be the first point of contact for supervisory authorities and individuals whose data is processed, and
  • Monitor company compliance with the GDPR, and give advice on DPIAs

Enhance Individual User Rights

The GDPR has created and emphasized 8 user rights. While not every right applies to every company and every situation, you must be aware of them and how they affect your business.

The rights are as follows:

  • The right of access: Data subjects must be given the ability to know what personal data a company has about them, and you must handle privacy access requests appropriately
  • The right to erasure (be forgotten): Data subjects have the right to request companies delete their data and stop processing it
  • The right to restrict processing: Data subjects have the right to restrict personal data processing under certain circumstances
  • The right to object: Data subjects have the right to object to processing of their data
  • The right to rectification: Data subjects have the right to have any inaccurate or incomplete personal data rectified
  • The right to data portability: Data subjects have the right to copy, transfer, or move personal data to a different company
  • The right to be informed: Data subjects deserve to be provided with information regarding data processing activities

These rights can be found in Chapter 3 of the GDPR. It's important to review each right to make sure it applies to your business. As noted above, some of the rights come with exceptions and circumstances where they either must or may not be honored.

Privacy By Design and Default

Data protection and Privacy by Design and Default requires companies to integrate data protection measures into their business processes and protocols.

Simply put, companies need to account for data privacy protections and measures during the design stage of a project or product by applying the following seven principles:

  • Privacy as a default setting
  • Privacy should be preventative and not remedial
  • Privacy should be embedded into design
  • Privacy should be fully functional
  • Privacy should prioritize user protection
  • Privacy should be transparent
  • Privacy should cover the entire life cycle of the data

GDPR Compliance Refresher: The GDPR harmonizes various data breach notification laws in the EU. Most notably, it requires businesses to inform a data breach authority of a data breach within seventy-two (72) hours of discovering it.

Having such a requirement in place puts added pressure on organizations to have effective mechanisms for recognizing and responding to breaches in real time.

Making Your Privacy Policy GDPR-Compliant


A fundamental and sometimes tedious step in bringing a company in line with the GDPR is overhauling its Privacy Policy.

When aligning and conforming Privacy Policies with GDPR requirements, companies will need to make several key changes, such as:

Identifying a point of contact: This includes providing the contact details of your Data Protection Officer or whoever else is responsible for handling privacy questions at your business. If you are a company located outside of the EU, provide your EU Representative's contact details.

Here's an example from Viafoura:

Viafoura GDPR Compliance Statement: EU Representative contact section

Explaining data collection practices in adequate detail: Companies are required to outline their methods for collecting data and how the data is used, as well as what the general data retention period is.

Not only are they required to inform data subjects of the above matters, they are also required to provide justifying reasons for doing so (referred to as the legal bases for collecting and processing information).

Here's how Ian Williams does this:

Ian Williams Privacy Notice: Legal bases clause

Conduct a privacy law self-audit so you know exactly what your data collection practices are.

A clear explanation of a data subject's rights: A GDPR-compliant Privacy Policy needs to address the 8 user rights addressed earlier, such as a data subject's right to access, object, erasure, and so forth.

Here's how The Drum sets out user rights in its Privacy Policy:

The Drum Privacy Policy: Excerpt of clause about GDPR user rights

Cross-border transfer information: Companies must provide sufficient details of data transfers they may engage in where user data is sent to third countries, and any safeguards put in place.

Here's how Digital Kickstart sets out this information in its Privacy Policy.

(Note that the Privacy Shield Framework used to be an acceptable method for transfers of data. However, it was invalidated and has been replaced by the EU-U.S. Data Privacy Framework.)

Digital Kickstart Privacy Policy: Data Transfers and Privacy Shield Frameworks clause

Simplifying the language: To promote transparency, your Privacy Policy should be easy to read and free of all unnecessary and confusing language and legalese. If an average user can't understand their rights under your Privacy Policy, it's not a GDPR-compliant Privacy Policy.

GDPR Preparation Resources

Throughout this article we've linked some resources that can help you get prepared and underway with GDPR compliance. In addition, here's our official GDPR Preparation Planning checklist as well as our GDPR Readiness checklist.
