Last updated on 23 May 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The General Data Protection Regulation (GDPR) came into force in May of 2018. This extensive privacy law is considered by some to be the world's toughest. The European Union (EU) describes the GDPR as:
"an essential step to strengthening citizens' fundamental rights in the digital age and facilitating business [...]"
Here's an overview and general look at some of the most important components of the GDPR and how they'll affect both businesses and individuals around the world.
The EU comprises 28 Member States, and the GDPR applies in all of them. The United Kingdom remains part of the EU for now, and has passed national law - the Data Protection Act 2018 - that gives the GDPR full effect. This law will remain in force after the UK leaves the EU, unless the UK Parliament repeals or amends it.
Your company may not be based in the EU. However, to quote the European Commision, the GDPR still applies if you're "offering good/services (paid or for free) or monitoring the behavior of individuals in the EU."
The GDPR regulates the "processing" of "personal data." This might not sound like it's something you do, but it's actually a very broad term:
In Article 4, the GDPR makes a distinction between "data controllers" and "data processors."
To put this in context - if your website sells shoes and uses an eCommerce platform like Shopify to take payments for those shoes, you're the data controller and Shopify is the data processor.
If your business employs five people and you pay them using payroll software such as ADP, you're the data controller, and ADP is the data processor.
Duties of both controllers and processors include:
Duties of controllers include:
Duties of processors include:
All data processing in the EU must abide by the six data processing principles set out in Article 5 of the GDPR:
Under Article 5(1)(a), personal data needs to be:
"processed lawfully, fairly and in a transparent manner in relation to the data subject."
Under Article 5(1)(b), personal data can only be:
"collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
You can only process people's personal data in ways they've agreed to or would reasonably expect - and only for the purposes you need to process it for.
Under Article 5(1)(c), personal data has to be:
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
Once you know why and how you'll be processing people's personal data, you can only process the data that you need to achieve this. You don't need someone's phone number to send them an email.
Under Article 5(1)(d), personal data needs to be:
"accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay."
Keep your records accurate, keep them up-to-date, and have a system in place to correct any inaccuracies.
Under Article 5(1)(e), personal data must be:
"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."
Only keep personal data for as long as you legitimately need it. You shouldn't still have the email address of someone who purchased something from your store ten years ago.
Article 5(1)(f) states that personal data must be:
"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures."
Keep personal data safe, anonymize and encrypt it where feasible, and co-operate with the data authorities of the EU. If something does happen to your users' personal data, you'll need to report it within 72 hours.
Under Article 6, you can only process personal data if you have identified one of the six lawful bases for doing so. It's illegal to process personal data in the EU without a lawful basis.
One way to ensure that you're processing your users' data legally is to ask their permission to do it. This is essential for certain circumstances of processing, e.g. direct marketing for new customers. However, it actually isn't always the best way.
Consent is a big part of the GDPR. One of the biggest changes it brings about is the very strict requirements it places on companies to earn the consent of their users. Some of the conditions for consent are set out at Article 7 and Recital 43 of the GDPR.
The key points are that in order for consent to be considered valid, it must be:
If you're in a contract with someone, you may have contractual obligations that you can't fulfill unless you process their personal data in a particular way. Or, you might need to process someone's personal data in order to decide whether to enter into a contract with them. For example, you might need to keep part of someone's medical records on file if you're about to offer them health insurance.
You might have a legal obligation to process someone's personal data in a particular way. For example, disclosing your employees' immigration status to border authorities, or complying with a court subpoena.
You need to be able to justify processing your users' personal data in this way. It's not just a matter of doing whatever the state tells you to do with their data.
If someone's life depends on you processing their data in a particular way, it's lawful to do so. Article 6(1)(d) of the GDPR permits the processing of personal data where it's necessary to "protect an interest which is essential for the life of the data subject or that of another natural person."
This sounds unlikely, but it can happen where, for example, a surgeon requires emergency access to an individual's medical records and the patient is unable to consent.
If you're part of a public body, or a private body with powers derived from law, you may be able to process personal data in order to carry out a task in the public interest. This might apply for activities related to voter registration, for example.
Legitimate interests is described by the Information Commissioner's Office (ICO) (the UK's data authority) as: "the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate."
You may be able to rely on this lawful basis if data processing is:
There are a lot of potential examples of where processing personal data might be in your legitimate interests. For example, a law firm might need to keep records of the legal advice they've given in case a client sues them for negligence. This is true whether the client has consented or not.
The GDPR gives a lot of control to individuals when it comes to their personal data. There are eight rights, and as a data controller, it's your job to help individuals exercise them.
Your users can exercise their rights under Article 15 of the GDPR to ask for information about any of their personal data that you're processing. This called a Subject Access Request. You might be called on to provide confirmation of whether you're actually processing someone's personal data. You might also be asked for a copy of your user's personal data.
Under Article 16 of the GDPR, your users have the opportunity to ask you to correct any inaccuracies your records show about them. They may be wrong, of course, and you can refuse to change their data if they are.
At Article 17 of the GDPR sits the "right to be forgotten." There's a bit of public misunderstanding about this right. It doesn't confer an entitlement for any individual to have any reference to themselves deleted from your website. You still have the right to freedom of expression. But you will have to consider erasing personal data under certain conditions.
Article 18 of the GDPR grants individuals the right to ask you to stop processing their data in a particular way. For example, an individual switches electricity suppliers and asks the old supplier to delete all of their personal data. But the old supplier is legally obliged to keep their data on file for eight years. So, instead they can restrict the processing to make sure that they aren't using the individual's data for improper activities.
Under Article 20 of the GDPR, individuals should be able to request a copy of their personal data from you and take it to another organization. This ties in with the general principle that individuals should truly own their personal data.
Under Article 21 of the GDPR, individuals have the right to object to your processing of their personal data. This applies most straightforwardly in the case of direct marketing - your users can object to receiving direct marketing from you. There are no exceptions.
Other grounds of objection are more complicated, and you may have the right to refuse to stop some types of data processing under certain conditions.
At Article 22 of the GDPR, individuals have the right to request human intervention if important decisions are being made about them based on algorithms or profiling.
For example, if a computer decides that an individual's power should be cut off because they failed to pay their bills, that individual can request that the decision is reviewed by a real person.
The GDPR has brought about significant change, particularly for non-EU businesses. But complying with these changes will ensure that your privacy practices are transparent, fair and reasonable.
Make sure that you:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
23 May 2022