Is your website or app compliant with the EU’s General Data Protection Act (GDPR)? The May 25th deadline is here! So if you’re not compliant, grab a cup of coffee, find a seat somewhere comfortable, and dive into our compliance guide to learn what you need to do to meet the GDPR’s requirements.
Based on a survey done by PwC, 68% of US-based companies plan to spend between $1 million and $10 million to comply with the GDPR.
If you don’t know where to start or are still unsure if the regulation applies to you, there’s no need to worry, we’ve got you covered. Below, our guide explores the ins and outs of the law in a way that you can easily understand — even without a law degree.
Table of Contents:
- What is the General Data Protection Regulation?
- Does the GDPR Apply to my Website/App?
- Key Features and Requirements of the GDPR
- Summary of the Major GDPR Articles
- Enforcement and Penalties
1. What is the General Data Protection Regulation?
Passed in April 2016, the General Data Protection Regulation is the EU’s new legal framework for the protection of personal data and digital privacy. As an upgraded version of the 1995 Data Protection Directive, the overarching goal behind the GDPR is to unify the data privacy laws among EU countries and strengthen the rights of European citizens to protect their information.
Since the Data Protection Directive and Data Protection Act (DPA) came into effect in the 1990s, the laws have been ill-equipped to handle the increasing data challenges that have accompanied the rise of social media and cloud computing. Moreover, the inconsistency of enforcement among European nations has left business owners to navigate through a foggy legal environment — often implementing only piecemeal compliance plans.
By updating privacy standards and unifying laws across the EU, the GDPR is the most comprehensive and expansive digital privacy law yet, and will likely become the gold standard of consumer rights data protection.
2. Does the GDPR Apply to my Website/App?
If you’re unsure of whether you fall within the new extended scope of the GDPR, then ask yourself the following questions:
Do I Offer Products/Services to or Collect Information From European Citizens?
One of the major features of the GDPR is the expansion of its application to companies beyond the EU’s physical borders. Previous legislation only applied to companies that operated in the EU or used servers located in the EU.
Now however, the GDPR has broadened the EU’s privacy laws to apply to any company — regardless of its location — that provides services and products to those in the EU, or gathers personal information from them.
Put simply, even if your company is located in New York, if you market your app to European citizens, you must also comply with the GDPR or face legal penalties.
A study done by Ovum found that two-thirds of US companies expect to change their European business strategies.
Am I a Data Controller or a Data Processor?
Not only has the physical scope of EU privacy laws expanded, but it has also extended to all those that come in contact with personal information.
The GDPR makes a point to distinguish the different roles and responsibilities of data controllers and data processors. Data controllers are those that determine how and why personal data is collected. On the other hand, data processors are those that gather, store, and maintain user information for a data controller. Some common examples of data processors are:
- cloud service providers
- accounting services
- payroll companies
- data disposal services
- IT service providers
- payment processors
Unlike the EU’s Data Privacy Directive which only applied compliance measures to data controllers, data processors are now also obliged to comply with special GDPR regulations, such as:
- Keeping detailed records of all processing activities performed for the controller
- Implementing stricter technical and organizational security measures
- Conducting data protection impact assessments
- Appointing a data protection officer
- Notifying controllers of data breaches without undue delay
So before crafting a compliance plan, make sure you understand which category your business falls under and the specific regulations that you’ll need to satisfy.
What Kind of Data do I Collect? Personal vs. Sensitive Data
The major motivation behind the GDPR is to strengthen the security of consumer data, so it’s crucial that you have a clear understanding of the GDPR’s definition of data. The kind of information you collect will determine if the law applies to you and whether you must comply with stricter regulations.
The GDPR separates data into two categories: “personal” and “sensitive personal.” Personal Data is described as anything that can identify a “natural person,” such as:
- Photos, videos, or audio files
- Bank details
- Identification number
- Online identifiers (account numbers, PINs, IP address)
- Location data
- Pseudonymous data (key-coded data)
If you collect any of the data listed above from EU citizens then you MUST comply GDPR regulations. On the other hand, “Sensitive Personal Data” is considered information that reveals the following:
- Racial/Ethnic Origin
- Political opinions
- Religious/Philosophical beliefs
- Sex life and sexual orientation
- genetic/biometric data
If you collect information that falls into either category from EU citizens, then you MUST comply with GDPR regulations. However, if you collect information considered “sensitive,” you’ll be subject to more stringent regulations.
Again, sit down with your team to clarify exactly what type of information you collect. As we will discuss in the next section, whether you collect personal or sensitive personal data will determine the level of consent that you need to obtain from users.
3. Key Features and Requirements of the GDPR
Below are the big changes that the GDPR will bring to the internet privacy fold. Depending on the type of data you collect and whether you are are processor or controller, you may have to comply with some or all of these changes.
Feature #1: Data Breach Notifications
Article 33 of the GDPR states that:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.”
This means that data processors and controllers must notify their customers of a security breach within 72 hours of discovering a hack. The notification must at least include:
- a description of the breach in terms of the number of people that were affected and the kind of data that was accessed
- provide the contact details of the company’s data protection officer
- outline the possible consequences of the hack
- explain the actions that are being taken by the company to mitigate the consequences
Feature #2: Data Privacy Impact Assessments (DPIAs)
Article 35 requires controllers to conduct DPIAs in the event that one of their data processing activities has a high potential to risk the privacy rights of individuals. A DPIA is an evaluation of the effect of a data processing activity on the protection of personal data.
According to the text, the assessment should address the necessity of the data processing activity, outline the risks, and offer measures that will be used to avoid said risks. Unfortunately, the text isn’t exhaustive on all of the specific instances that require a DPIA – it only provides a few examples of high-risk data processing activities:
- “automated processing for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects”
- “processing on a large scale of special categories of data or of data relating to criminal convictions and offences”
- “a systematic monitoring of a publicly accessible area on a large scale”
Feature #3: Privacy by Design
Developed in the 1990s, Privacy by Design is a concept that argues for privacy and security to be fully integrated into the design processes, procedures, protocols, and policies of a business. There are seven major principles that guide this concept:
- Privacy should be the default setting
- Privacy should be proactive, not reactive
- Privacy and design should go hand in hand
- Privacy shouldn’t be sacrificed for functionality
- PbD should be implemented for the full life cycle of the data
- Data collection operations should be fully visible and transparent
- User protection must be prioritized
Now that Privacy by Design is a legal requirement, we can finally expect business to take it seriously and explore the implementation of this concept further.
Feature #4: Stricter Consent Conditions
Although the GDPR expands many privacy features, when it comes to consent the definition actually gets narrower. As outlined in Article 7, controllers will no longer be able to use opt-out or implied methods of consent — such as pre-ticked boxes, silence, or inactivity.
Instead, the text lays out that consent:
“should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
Furthermore, as stated in Article 9, only when the controller collects sensitive personal data, does the consent need to be explicit consent (opt-in).
This is where the idea of consent can get bit confusing. You’ll notice from the statement above, that processing personal information requires unambiguous — but not necessarily explicit — consent. But what does that actually mean? If pre-ticked boxes and inactivity no longer count, then what constitutes unambiguous consent with a clear affirmative action and how does it differ from explicit consent?
Below is an example of each type of consent:
Consent Example #1: Unambiguous Consent w/an affirmative act
A website offers a free downloadable ebook in return for some basic information such as the user’s name, industry, and job title. There is an optional email field with subtext underneath stating, “Enter your email address to receive our weekly newsletter and product updates.”
Consent Example #2: Explicit Consent
The differences between the examples above might seem minute, but there is quite a drastic distinction. In the unambiguous consent example, the user is taking an “affirmative action” by inputting their email address, but they aren’t explicitly signing or clicking something that says they agree to the processing of information for a specific purpose.
Read our GDPR consent guide for a more in-depth explanation of the definition of consent and what your business must do to legally obtain it.
Feature #5: Stronger User Rights
Building on the DPA, the GDPR strengthens the rights of individuals and lays out 8 user rights that data controllers must respect:
- The right to be informed: individuals should be provided with transparent information on how their data is processed
- The right of access: individuals have the right to access any data that has been processed from them
- The right of rectification: individuals have the right to rectify inaccurate or incomplete data that has been collected from them
- The right to erasure: individuals have the right to request the deletion of their data
- The right to restrict processing: individuals have the right to block the processing of their data
- The right to data portability: individuals have the right to reuse their data for other services
- The right to object: individuals have the right to object to the processing of their data
- Rights in relation to automation: protects individuals from automated decision making processes
For more details on the 8 rights above, check out the UK Information Commissioner’s Office Website.
Feature #6: Appointing a Data Protection Officer (DPO)
The last major piece of the GDPR is the requirement of a data protection officer. A DPO plays several roles. They are responsible for:
- educating controllers and processors on how they must comply with the regulation
- monitoring compliance efforts
- offering advice on data protection assessments
- acting as the point of contact for the supervisory authority
However, not every business will need to assign a data protection officer. Controllers and processors are required to designate a DPO if:
- the processor is a public authority
- the controller/processor regularly monitors individuals’ data on a large scale
- the controller/processor processes a variety of sensitive personal information
Determining whether your business needs to designate a data protection officer or not will become a major element of complying with the GDPR. If assigning one is necessary for your company, the act of doing so will play a critical role in keeping your business compliant in the eyes of European regulators.
4. Summary of the Major GDPR Articles
Chapter 2 – Core Principles
|#6||lawfulness of processing||Data collection and processing must fall under at least 1 of 6 legal bases:
1. User Consent
2. Legitimate Interest
3. Contractual Necessity
4. Vital Interest of the User
5. Legal Obligation
6. Public Interest
|#7||conditions for consent||If using consent as a legal basis, businesses must:
1. Request consent using clear and plain language
2. Provide the specific reasons for requesting consent
3. Require users to take an affirmative action to demonstrate their consent (eg. ticking a box)
4. NOT bundle consent (do not make consent a precondition to use a service, unless absolutely necessary to carry out the contract or service)
5. Maintain records of user consent
6. Allow users to withdraw consent at anytime
|#9||special categories of personal data||If a business collects data relating to race or ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, or sexual orientation, they must first collect EXPLICIT consent OR meet 1 of 9 other conditions listed in the article|
Chapter 3 – User Rights
|#13||Information to provide when collecting user data||When personal data is obtained, the data controller must provide users with all of the following information:
1. The identity and the contact details of the data controller and DPO
2. Purposes of processing
3. Possible recipients of the data
4. Other details, depending if they apply
*Note, this is only necessary if the user DOES NOT already have this information
|#15||Right of access by the data subject||Users have the right to access details on the data collected from them, at any time. Data controllers must reply to these requests within 30 days.|
|#16||Right to rectification||Users have the right to have data controllers fix any inaccurate data about them. Data controllers must reply to these requests within 30 days.|
|#17||Right to be forgotten||Users may request to have their data deleted. Data controllers must reply to these requests within 30 days.|
|#18||Right to restriction of processing||Users may request to limit how their data is processed. Data controllers must reply to these requests within 30 days.|
|#20||Right to data portability||Users can request to receive their data and give it to another data controller|
|#21||Right to object||Users may request to stop processing any data that was collected on the basis of public or legitimate interest.|
Chapter 4 – Controllers and Processors
|#25||Data protection by design and by default||Data controllers should implement technical & organizational data safeguards (eg. pseudonymisation of data) throughout their data collection, processing, and maintenance activities.|
|#27||EU Representatives||When the controller or processor is not located in the EU, they must appoint a representative in the EU.|
|#28||Processors||Data controllers can only work with processors that meet the requirements of the GDPR|
|#30||Records of processing activities||Controllers/Representatives must keep a record of all processing activities|
|#33||Data Breach Notification to Supervisory Authority||In the event of a breach, processors and controllers have 72 hours to notify the supervisory authority of the breach.|
|#34||Data Breach Notification to Data Subjects||In the event of a data breach, controllers shall notify users without undue delay.|
|#35||Data Protection Impact Assessment (DPIA)||Before new high-risk processing procedures are implemented, the controller must assess the impact of these procedures on their ability to protect user data.|
|#36||Supervisory Authority's Review of DPIA||When a DPIA finds that a processing activity presents a high risk to user data, the supervisory authority must be consulted.|
|#37||Designating a DPO||A processor or controller must appoint a DPO if:
1. If the processing is done by a public authority
2. The data being processed related to criminal convictions
3. Special categories of personal data are being processed on a a large scale"
|#39||Responsibilities of the DPO||The DPO must:
1. Advise controllers/processors and train staff on proper compliance measures
2. Provide advice on DPIAs
3. Cooperate with the advisory authority
|#42||Compliance Certifications||EU Member States, the supervisory authority, the Board and the Commission, should encourage the establishment of data protection certifications, seals, and marks for controllers and processors to demonstrate their compliance.|
|#43||Certification Organizations||EU member states and the supervisory authority can approve and accredit organizations to issue certifications, seals, or marks.|
Chapter 5 – Data Transfers
|#45||Transfers based on the "adequacy decision"||Data transfers to an outside country or international organization can be made if the Commission has deemed the outside country/organization to have adequate data protections.|
|#46||Safeguarding Data Transfers||Transfers to outside countries/organizations that have not been approved by the Commission can only done if the controller has taken appropriate measures to safeguard the data (eg. binding corporate rules or an approved code of conduct)|
5. Enforcement and Penalties
As mentioned earlier, the final date to comply with the GDPR is May 24, 2018. After that, businesses that do not comply are subject to considerably steeper penalties than any privacy legislation before it.
Before the GDPR, EU member states were responsible for individually setting fines for violations. This, of course, meant that penalties across the EU were inconsistent. Now with the GDPR, penalties have been unified, with the maximum penalty as high as €20 million, or 4 percent of global annual turnover.
Based on an Ovum report commissioned by Intralinks, 52% of U.S. companies think that they are likely to be fined for noncompliance. Moreover, the global management company, Oliver Wyman, predicts that the EU is likely to collect $6 billion in fines and penalties in the first year of enforcement.
It’s hard to estimate how much a fine will be because infringements are judged on a case-by-case basis. The severity of the fines is based on a variety of factors such as the length of the infringement, whether it was intentional or negligent, if actions were taken to rectify the issue, the type of data involved, and if the company has a history of previous infringements.
My business is located in the U.S., there’s no way they can penalize me, right?
WRONG! Just because a business is not located in the EU, does not mean it can get away with violating the GDPR. The EU judges violations based on a company’s legal presence, not just its location. Legal presence is determined by a variety of factors, but the most important question whether the company is directing their efforts towards EU users.
If you’re seeking out EU users, you probably have a legal presence in the EU, thereby making it possible for you to be sued by European citizen in a European court. Not convinced that a U.S. court will hold up a ruling from the EU?
There are a number of ways for European citizens to get judgements from EU courts recognized and enforced in the U.S. In fact, it has been noted that foreign judgements are enforced in the U.S. more often than in any other country. However, if you do have a physical presence in the EU (e.g. office location, European bank accounts), then getting U.S. courts involved won’t even be necessary. European courts can simply go after the assets that you own in Europe.
As we’ve outlined above, there are a plethora of considerations that businesses will need to address in order to comply with this new regulation. But here at Termly, our main concern is how this law will affect your business’s policies.
Based on our research, we’ve found that companies will need to make seven significant changes to their privacy policies in order to fulfill GDPR requirements:
1. Include an EU representative’s contact details: If you are a data controller and your business is not located in the EU, you must appoint a local representative and provide their contact details in your policy.
3. Provide the legal basis for each piece of data collected: Businesses must now outline the legal justifications for each action in which they use personal information — whether it is based on user consent, done in the customer’s legitimate interests, necessary to fulfil a contract with users, or to comply with legal obligations.
4. Describe transfers of personal information: If you conduct cross-border personal data transfers, you’ll need to provide the details of the recipient, including the destination country, if the recipient is covered by the EU Commission, the risks of the transfer, and the safeguards you have in place.
Read this article for more details on the GDPR’s stance towards data transfers.
5. Cover how long you keep personal information: The GDPR requires that you specify how long you will retain a user’s information.
Although the enforcement date may seem far away, procrastinating with GDPR compliance should not be an option for your business. The GDPR is just the first domino to fall and will almost certainly influence data privacy laws around the world in the next decade. So sit down with your team and put together an action plan that will guarantee your compliance by May 25th. Now is the best time to get your business on board and make privacy a priority.