GDPR: General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the EU's extensive regulatory framework that came into effect in May 2018 and has since revolutionized personal data protection and digital privacy throughout the globe.

In fact, the GDPR is considered to be the most stringent and protective privacy regulation in the world right now. It enhances the individual rights of EU citizens and clarifies what companies must do to safeguard these rights.

In this article, we'll go over the key aspects of the GDPR, including who it applies to, what it requires, and penalties for non-compliance with the regulation.

What is the General Data Protection Regulation?

The GDPR is a comprehensive data privacy regulation enacted by the European Union (EU) to govern how companies obtain and process personal information in the EU.

As a new and improved version of the 1995 Data Protection Directive, the GDPR strives to keep up with the growing demands for internet privacy in the world today. To do this, the law extends its reach to include organizations outside the region, so long as they offer products/services to, or collect personal information from EU citizens.

Basically, the GDPR:

• Harmonizes data protection laws across all 28 EU member states into one centralized source,
• Reinforces individual privacy rights regarding the protection of personal data, and
• Imposes fines and other punishments on violators

The GDPR's Definitions

To comprehend and appropriately comply with the GDPR, you need to understand how the law defines its terms. Let's briefly go over the essentials.

1. Personal Data

   Personal data is any information that can directly or indirectly distinguish a person. Although the law doesn't provide an exhaustive list of what should be considered personal data, here are the more obvious ones:

   • Names
   • Identification numbers
   • IP/email addresses
   • Web cookies
   • Images or videos
   • Bank details

   Anonymized data may also fall under this definition if a person can be easily identified from it.

2. Sensitive Personal Data

   Under the GDPR, sensitive personal data is a unique class of personal information that comes with stricter regulations due to its intrusive nature. It includes but is not restricted to the following:

   • Biometric data
   • Genetic data
   • Sexual orientation
   • Political opinions
   • Philosophical/Religious beliefs
   • Racial/Ethnic data

3. Processing

   Processing is a delicate term under the GDPR. It refers to any activity or operation (whether electronic or manual) carried out on personal data. Cited examples include:

   • Collecting data
   • Recording data
   • Storing or organizing data
   • Modifying data
   • Using data
   • Disclosing data
   • Restricting data
   • Erasing data

   With that said, just assume everything you do with a person's data can be labeled as processing.

4. Data Controller

   A data controller specifies the purpose ('why') and the mode ('how') of obtaining personal information. Data controllers are responsible for safeguarding the rights and privacy of data subjects.

5. Data Processor

   A data processor is an individual or organization that "processes personal data on behalf of the controller". Common examples of data processors include third-party service providers like payroll companies, eCommerce platforms, and payment processors.

Data Processing Principles of the GDPR

Under the GDPR, if you process data in the EU, you must observe the seven data protection and accountability principles listed in Article 5 of the regulation. Briefly, the principles are as follows.

Lawfulness, Fairness, and Transparency

Personal data must be:

• Processed legally by identifying one of the lawful bases for doing so,
• Handled fairly and appropriately, and
• Managed in a transparent way

Purpose Limitation

You must process people's personal data for the exact lawful purpose specified or decided upon during its collection.

Here's how Twitter satisfies this requirement in its Data Processing Addendum:

Data Minimization

The data minimization principle states that you should only obtain and process data that you strictly need for the pre-established purposes and no more. For example, you don't need a person's date of birth to send them email newsletters.

Accuracy

Personal information in your possession must be kept accurate and regularly updated. You should also have measures in place to promptly rectify inaccuracies (once identified) or delete them permanently.

Storage Limitation

You must delete personal data when it's no longer necessary for the legitimate purpose specified during its collection. However, you may hold on to personal data for longer periods if you process data for:

• Archiving purposes in the interest of the public,
• Historical or scientific research, or
• Statistical purposes

Integrity and Confidentiality

You must employ technical and organizational safeguards to protect personal data from illegal processing and unforeseen loss or damages.

In most cases, this will involve using mechanisms like encryption software, two-factor authentication, and anonymization tools to safeguard data wherever possible.

Accountability

If you're a data controller under the GDPR, then the responsibility of observing the listed principles and demonstrating GDPR compliance falls on you.

The GDPR's Scope: Who Does it Apply to?

The GDPR, unlike its predecessor, is not only exclusive to individuals and companies operating in the EU. Organizations outside the region may now be subject to the regulation in certain instances.

To find out if you fall under the GDPR's scope, consider the following questions:

Do you collect personal information or monitor the behavior of EU citizens?

For example, if you have EU users sign up on your website or you track IP addresses or cookies of visitors from the EU, then the GDPR applies to you regardless of your location.

Moreover, the stringency of the law may depend on the type of information you collect. Recall that sensitive personal data is held to stricter regulations than personal data.

Do you offer goods or services to EU citizens?

If you target EU citizens with the hope of selling them your products or services (physical or online), the GDPR applies to you regardless of your location.

To put this in context, if your website features pricing in euros or ads in French, it targets EU citizens and will, therefore, be subject to the regulation.

Exceptions to the GDPR

Under the GDPR, there are two significant exceptions to note.

The first is for companies with less than 250 employees. Organizations in this category are not fully exempt, but they enjoy a more lenient coverage under the regulation.

However, such companies must fully comply with the GDPR when:

• Their processing activities may risk the rights and freedoms of data subjects
• They process sensitive personal data or process data frequently, or
• They process a special data category relating to "criminal convictions and offenses"

Secondly, the GDPR does not apply to individuals or companies involved in purely "personal or household activities". Its scope only covers "commercial or professional activities."

Lawful Basis for Processing Personal Data Under the GDPR

Before attempting to process an individual's personal data, you must identify one of the lawful bases under the GDPR to justify doing so. Briefly, they are as follows.

Consent

If you process under the lawful basis of consent, your processing activities are considered legal only after getting clear, affirmative consent from your data subjects. This lawful basis promotes the GDPR mission to give more control to data subjects.

Contract

You may need to process personal data to execute or enter into a contract with data subjects. For example, a customer may sign up for a trial before a contract, which may require you to collect their personal data (e.g., contact information).

Legal Obligation

Processing a person's data without consent is allowed when the law compels you to do so. For example, you may have to disclose a user's personal information to aid federal authorities in a criminal investigation.

Vital Interests

Processing a person's data is considered lawful if their life depends on it, and they can't provide consent. This legal basis may be more prominent in the medical industry due to its nature.

Public Task

Processing personal data may be crucial to perform a duty in the public's interest or the exercise of official authority.

Legitimate Interests

Companies with genuine, legitimate reasons may process data without consent as long as it does not interfere with the rights or freedoms of data subjects. Examples include:

• Information and network security
• Fraud prevention
• Indicating dangers to general safety

General Requirements of the GDPR

The GDPR has provided both controllers and processors with several new requirements they must observe and implement to be considered compliant with the regulation. Briefly, they include the following.

Also, check out our GDPR Preparation Planning Checklist for further guidance.

Have a GDPR-Compliant Privacy Policy

The GDPR requires a number of disclosures to be made, including a number of the following points. The best way to make the disclosures and keep your users informed of important facts relating to their personal data is to have a Privacy Policy that complies with GDPR requirements.

Strengthen Individual Rights Under the GDPR

As an organization subject to the regulation, you must observe and help exercise the individual user rights under the GDPR. They include:

• Right to be informed - Notify users about how you obtain and process their data in a brief, intelligible, and easily accessible form.
• Right of access - Allow users to obtain information about how you use, store, or disclose their data.
• Right of rectification - Let users correct inaccurate information about them displayed in your records.
• Right to erasure - Promptly delete users' data at their request.
• Right to restrict processing - Stop processing users' data at their request.
• Right to data portability - Allow users to transfer a copy of their data to another company.
• Right to object - In certain instances, users can object to the processing of their personal data.
• Rights related to automated decisions - Protect users from automated decisions by granting a review when requested.

These rights should be prominently displayed and easily accessible for users' convenience, typically within your Privacy Policy.

For example, here's how Zoom displays this information in its Privacy Statement:

Implement Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) helps evaluate how your processing activities may affect the protection of personal data.

You must observe this requirement if your processing operations are likely to expose the rights and freedoms of users to high risk. Such cases include when you:

• Process a considerable amount of data that could significantly affect a lot of users
• Process a high volume of sensitive personal data
• Utilize the latest technologies to process data, or
• Process data in order to profile people

Designate a Data Protection Officer

A data protection officer (DPO) supervises an organizations' data protection strategy. DPOs are appointed to educate and advise management about GDPR compliance as well as address the privacy concerns of users.

Designating a DPO is not optional in certain instances. According to the regulation, you must appoint a DPO if you:

• Are a public authority (e.g., a state university),
• Often process data or monitor data subjects on a large scale, or
• Process a substantial amount of sensitive personal data or data relating to criminal offenses and convictions

In addition, your DPO's name and contact information should be publicly displayed in your Privacy Policy.

Here's how Oracle satisfies this requirement in its Privacy Policy:

Obtain Consent When Needed

Consent is now more deeply regulated under the GDPR. According to the law, consent must be clear, specific, unambiguous, and characterized by an approving action.

If you collect sensitive personal data, you must also obtain explicit consent from data subjects. To get explicit consent, you can make users tick a box that states that by ticking the box, they agree with your policies.

Additionally, consent must be easy to withdraw and given only by users over the age of 13 or else approved by a parent.

Here's how PayPal obtains explicit consent from its users before creating accounts:

Consent is also required before using website cookies that track EU citizens. Engine Yard complies appropriately with this requirement by giving its users options regarding cookies, as shown below:

Implement Privacy by Design

Privacy by Design is a concept that requires companies to implement data privacy principles at the onset of a new product or process (i.e., by default).

With that said, seven fundamental principles must be observed under this requirement to reduce data collection and improve security. They include the following:

• Strive to prevent crises rather than seeking solutions
• Value privacy as the default setting
• Incorporate privacy into the design
• Privacy should be completely functional
• Protect data throughout its lifecycle
• Embrace transparency
• Prioritize the protection of users' information

Notify of Data Breaches

Under the GDPR, a personal data breach is defined as:

"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"

In the event a data breach occurs, you must inform the proper supervising authority within seventy-two hours of discovering it.

You must also inform the concerned data subjects if the breach may threaten their rights and freedoms. Your notice should contain the following information:

• The nature of the breach
• The name and contact details of the DPO or similar information
• The possible ramifications
• The recommended steps to take in order to manage the breach

Learn about how to write a GDPR-compliant data breach notification letter here.

Protect Data During Data Transfers

Under the GDPR, organizations must take additional steps to protect personal data during transfers to third countries (i.e., countries outside the EU that handle personal data).

The regulation lists several safeguards that must be adopted during such transfers.

Here's how IBM outlines its various safeguards to facilitate international transfers in its Privacy Statement:

So what happens if you don't meet these requirements?

GDPR Fines for Non-Compliance

The GDPR fines for non-compliance are one of the steepest in the world right now, running into tens of millions of dollars. To establish suitable penalties for violators, the GDPR has categorized the stringency of infringements into two tiers.

Tier 1 infringements are characterized by breaches of controller and processor duties, monitoring bodies, and certification bodies.

GDPR fines for tier 1 violations can run up to 2% of the company's annual global turnover from the previous financial year or €10 million (whichever is higher).

On the other hand, Tier 2 infringements are characterized by violations of data processing principles, consent, individual rights under the GDPR, etc.

Fines for such violations can run up to 4% of the company's annual global turnover from the previous financial year or €20 million (whichever is higher).

Summary

Since its introduction, the GDPR has completely transformed the privacy game for both data subjects and organizations alike.

Taking actions now to comply not only protects your organization from the stringent penalties of the regulation but also depicts top-notch industry standards to reassure users of their personal data security.

Here are the key takeaways to ensure GDPR compliance:

• Observe the GDPR's data processing principles
• Process data only after identifying one of the lawful bases
• Pay attention to the individual rights of users and help exercise them
• Get clear, affirmative consent to process personal data and explicit consent for sensitive data
• Provide and maintain a GDPR-compliant Privacy Policy
• Appoint a DPO if required by law and provide the contact information in your Privacy Policy
• Stay up-to-date on privacy trends to ensure full compliance