The General Data Protection Regulation (GDPR) came into force in May of 2018. This extensive privacy law is considered by some to be the world's toughest. The European Union (EU) describes the GDPR as:
"an essential step to strengthening citizens' fundamental rights in the digital age and facilitating business [...]"
Here's an overview and general look at some of the most important components of the GDPR and how they'll affect both businesses and individuals around the world.
(If you're looking for an easy-to-read summary of every Article and Recital of the GDPR, we've got you covered there, too.)
The GDPR and the EU
The EU comprises 28 Member States, and the GDPR applies in all of them. The United Kingdom remains part of the EU for now, and has passed national law - the Data Protection Act 2018 - that gives the GDPR full effect. This law will remain in force after the UK leaves the EU, unless the UK Parliament repeals or amends it.
Your company may not be based in the EU. However, to quote the European Commission, the GDPR still applies if you're "offering goods/services (paid or for free) or monitoring the behavior of individuals in the EU."
Processing Personal Data
The GDPR regulates the "processing" of "personal data." This might not sound like it's something you do, but it's actually a very broad term:
- Personal data means anything that can be used to identify an individual person. There's no definitive list, but we know from the huge body of EU legislation, guidance and case law that the following things might be considered personal data under certain conditions:
  - Phone number
  - Email address
  - Information about looks or behavior
  - Browser data, e.g. certain cookies
- Processing is an even broader term. The GDPR says that "any operation" performed with personal data could be considered processing. It's hard to imagine something you could do with someone's personal data that wouldn't constitute "processing." Some examples include:
  - Storing a list of names and email addresses
  - Sending a direct marketing email
  - Receiving someone's name and phone number from a third party
  - Using certain targeted cookies on your website
Data Controller and Data Processor
In Article 4, the GDPR makes a distinction between "data controllers" and "data processors."
- A data controller is someone or some organization which "determines the means and purposes" of processing personal data.
- A data processor is someone or some organization which "processes personal data on behalf of the controller."
To put this in context - if your website sells shoes and uses an eCommerce platform like Shopify to take payments for those shoes, you're the data controller and Shopify is the data processor.
If your business employs five people and you pay them using payroll software such as ADP, you're the data controller, and ADP is the data processor.
Duties of both controllers and processors include:
- Complying with the GDPR
- Appointing a Data Protection Officer (DPO) if required
- Co-operating with data authorities
Duties of controllers include:
- Identifying a lawful basis for data processing
- Facilitating data rights
- Choosing and contracting only with data processors who comply with the GDPR
Duties of processors include:
- Working strictly according to the contract they have with their data controllers
- Subcontracting to other processors only with their controller's permission
- Helping their controllers facilitate data rights
Principles of Data Processing
All data processing in the EU must abide by the six data processing principles set out in Article 5 of the GDPR:
Lawfulness, Fairness and Transparency
Under Article 5(1)(a), personal data needs to be:
"processed lawfully, fairly and in a transparent manner in relation to the data subject."
Purpose Limitation
Under Article 5(1)(b), personal data can only be:
"collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
You can only process people's personal data in ways they've agreed to or would reasonably expect - and only for the purposes you need to process it for.
Data Minimization
Under Article 5(1)(c), personal data has to be:
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
Once you know why and how you'll be processing people's personal data, you can only process the data that you need to achieve this. You don't need someone's phone number to send them an email.
Accuracy
Under Article 5(1)(d), personal data needs to be:
"accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay."
Keep your records accurate, keep them up-to-date, and have a system in place to correct any inaccuracies.
Storage Limitation
Under Article 5(1)(e), personal data must be:
"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."
Only keep personal data for as long as you legitimately need it. You shouldn't still have the email address of someone who purchased something from your store ten years ago.
Integrity and Confidentiality
Article 5(1)(f) states that personal data must be:
"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures."
Keep personal data safe, anonymize and encrypt it where feasible, and co-operate with the data authorities of the EU. If something does happen to your users' personal data, you'll need to report it within 72 hours.
Lawful Basis for Processing Under the GDPR
Under Article 6, you can only process personal data if you have identified one of the six lawful bases for doing so. It's illegal to process personal data in the EU without a lawful basis.
Consent
One way to ensure that you're processing your users' data legally is to ask their permission to do it. This is essential in certain circumstances, e.g. direct marketing to new customers. However, it isn't always the best way.
Consent is a big part of the GDPR. One of the biggest changes it brings about is the very strict requirements it places on companies to earn the consent of their users. Some of the conditions for consent are set out at Article 7 and Recital 43 of the GDPR.
The key points are that in order for consent to be considered valid, it must be:
- Freely given - you can't pressure someone into consenting, or confer some arbitrary disadvantage on them if they choose not to.
- Made via a clear, affirmative action - this means that:
  - So-called "browsewrap" agreements, where users were told they had given consent by the mere act of visiting a website, are generally no longer allowed. "Clickwrap" - where users expressly agree to terms by clicking "I agree" - is now essential in most cases.
  - Opt-out is no longer considered consent. There can be no more pre-ticked boxes.
- Granular - if you're asking users to consent to multiple types of data processing - for example, make a payment, set up an account, and receive your newsletter - you need to ask them to consent to each individual type of processing.
- Revocable - it should be easy for your users to withdraw their consent - in fact, Article 7 of the GDPR says that it should be "as easy to withdraw as to give consent."
Contract
If you're in a contract with someone, you may have contractual obligations that you can't fulfill unless you process their personal data in a particular way. Or, you might need to process someone's personal data in order to decide whether to enter into a contract with them. For example, you might need to keep part of someone's medical records on file if you're about to offer them health insurance.
Legal Obligation
You might have a legal obligation to process someone's personal data in a particular way. For example, disclosing your employees' immigration status to border authorities, or complying with a court subpoena.
You need to be able to justify processing your users' personal data in this way. It's not just a matter of doing whatever the state tells you to do with their data.
Vital Interests
If someone's life depends on you processing their data in a particular way, it's lawful to do so. Article 6(1)(d) of the GDPR permits the processing of personal data where it's necessary to "protect an interest which is essential for the life of the data subject or that of another natural person."
This sounds unlikely, but it can happen where, for example, a surgeon requires emergency access to an individual's medical records and the patient is unable to consent.
Public Task
If you're part of a public body, or a private body with powers derived from law, you may be able to process personal data in order to carry out a task in the public interest. This might apply to activities related to voter registration, for example.
Legitimate Interests
Legitimate interests is described by the Information Commissioner's Office (ICO), the UK's data authority, as "the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate."
You may be able to rely on this lawful basis if data processing is:
- Pursuant to the legitimate interests of your organization
- Necessary for this purpose
- Not overridden by your users' rights
There are a lot of potential examples of where processing personal data might be in your legitimate interests. For example, a law firm might need to keep records of the legal advice they've given in case a client sues them for negligence. This is true whether the client has consented or not.
Individual Rights Under the GDPR
The GDPR gives a lot of control to individuals when it comes to their personal data. There are eight rights, and as a data controller, it's your job to help individuals exercise them.
Right to Be Informed
Right of Access
Your users can exercise their rights under Article 15 of the GDPR to ask for information about any of their personal data that you're processing. This is called a Subject Access Request. You might be called on to confirm whether you're actually processing someone's personal data. You might also be asked for a copy of your user's personal data.
Right to Rectification
Under Article 16 of the GDPR, your users have the opportunity to ask you to correct any inaccuracies your records show about them. They may be wrong, of course, and you can refuse to change their data if they are.
Right to Erasure
At Article 17 of the GDPR sits the "right to be forgotten." There's a bit of public misunderstanding about this right. It doesn't confer an entitlement for any individual to have any reference to themselves deleted from your website. You still have the right to freedom of expression. But you will have to consider erasing personal data under certain conditions.
Right to Restrict Processing
Article 18 of the GDPR grants individuals the right to ask you to stop processing their data in a particular way. For example, an individual switches electricity suppliers and asks the old supplier to delete all of their personal data. But the old supplier is legally obliged to keep their data on file for eight years. So instead, the individual can ask the old supplier to restrict processing, which ensures the supplier isn't using the individual's data for anything beyond that legal obligation.
Right to Data Portability
Under Article 20 of the GDPR, individuals should be able to request a copy of their personal data from you and take it to another organization. This ties in with the general principle that individuals should truly own their personal data.
Right to Object
Under Article 21 of the GDPR, individuals have the right to object to your processing of their personal data. This applies most straightforwardly in the case of direct marketing - your users can object to receiving direct marketing from you. There are no exceptions.
Other grounds of objection are more complicated, and you may have the right to refuse to stop some types of data processing under certain conditions.
Rights Related to Automated Decision-Making and Profiling
At Article 22 of the GDPR, individuals have the right to request human intervention if important decisions are being made about them based on algorithms or profiling.
For example, if a computer decides that an individual's power should be cut off because they failed to pay their bills, that individual can request that the decision is reviewed by a real person.
To satisfy the right to be informed, you need to tell your users (usually in your privacy policy) about:
- Contact details for your company and Data Protection Officer (if you have one)
- The categories of personal data you process (including cookies)
- Which lawful basis you're relying on
- The reasons you need to process personal data
- The various ways in which you process personal data
- What categories of third parties you need to share data with
- Information about data rights of individuals
- If you'll need to transfer your users' personal data to any non-EU countries
Adapting to the GDPR
The GDPR has brought about significant change, particularly for non-EU businesses. But complying with these changes will ensure that your privacy practices are transparent, fair and reasonable.
Make sure that you:
- Obey the GDPR's privacy principles
- Only process personal data lawfully
- Gain clear and proactive consent for direct marketing
- Help your users exercise data rights on request