The EU’s General Data Protection Regulation (Regulation 2016/679) is the world’s strictest data privacy law, setting new rules on how personal data should be collected, processed, and shared. In this guide, we cover the major provisions in detail and discuss what your business must do to comply.
1. Introduction to the GDPR
The General Data Protection Regulation (GDPR), is a new set of rules that unifies the data privacy laws across EU countries, and strengthens the rights of European citizens to protect their information. The regulation came into effect on May 25, 2018.
Businesses must now become more transparent with how they use data, implement stronger data security measures, and obtain permission before collecting certain kinds of data – or be subject to much larger fines than ever before.
Since the Data Protection Directive and Data Protection Act (DPA) came into effect in the 1990s, EU privacy laws have been ill-equipped to handle the increasing challenges that have accompanied the rise of social media and cloud computing. Moreover, the inconsistency of enforcement among European nations left business owners to navigate through a foggy legal environment — often implementing only piecemeal compliance plans.
By updating privacy standards and unifying laws across the EU, the GDPR has become the most comprehensive and expansive digital privacy law yet, and will likely become the gold standard of consumer data protection rights.
2. Key Terms & Definitions
Before we get into the finer aspects of the law, it’s important to understand some common terms and phrases mentioned throughout the text. Let’s review:
Consent – Consent is one of the core principles of the GDPR. Under GDPR consent rules, there are several scenarios that require controllers and processors to get permission from data subjects before collecting and processing their personal data.
Data Controller – A data controller is anyone that determines how and why personal data is collected.
Data Processor – A data processor is anyone that gathers, stores, or maintains personal data. Processors are often third-party service providers that handle data for controllers.
Data Protection Authority (DPA) – A data protection authority is the supervisory body in each EU member state that is responsible for providing advice on data protection issues, investigating complaints against controllers and processors, and levying fines on organizations they find to be in violation of the GDPR.
Data Protection Impact Assessment (DPIA) – A DPIA is a systematic process used to evaluate the risks that a specific data processing activity might present to the rights and freedoms of a natural person.
Data Protection Officer (DPO) – A data protection officer is an individual who an organization appoints to ensure their data collection, processing, and management practices are compliant with the GDPR.
Data Subject – A data subject is any individual whose personal information is collected or processed.
Personal Data – Also known as personally identifiable information (PII), personal data is described as anything that can identify a natural person, such as:
- Photos, videos, or audio files
- Bank details
- Identification number
- Online identifiers (account numbers, PINs, IP address)
- Location data
- Pseudonymous data (key-coded data)
If you collect any of the data listed above from EU data subjects, then you MUST comply with GDPR regulations.
Sensitive Personal Data – Personal data is considered sensitive if it reveals any of the following:
- Racial/ethnic Origin
- Political opinions
- Religious/philosophical beliefs
- Sex life and sexual orientation
- Genetic/biometric data
If you collect information from EU data subjects that falls into either category, you MUST comply with the GDPR. However, if you collect information considered “sensitive,” you’ll be subject to more stringent guidelines.
3. Who Does the GDPR Apply to?
The GDPR applies to any company or organization — regardless of where it’s located — that provides services and products to, or monitors the behavior of, EU data subjects.
One of the major features of the GDPR is the extraterritorial expansion of its application to companies beyond the EU’s physical borders. Previous legislation only applied to companies that operated in the EU or used servers located in the EU.
However, now even companies headquartered in the US may need to comply with the GDPR — or face legal penalties.
Examples of when the regulation applies:
1. A full-service marketing agency in the US takes on an American app developer. The marketing agency is helping the developer with their new photo editing app that’s been launched in the US, Canada, and UK.
- The app developer must comply, as they clearly market their product to users in the UK. The agency may also need to comply if they are given the authority to perform marketing activities through which they process user data from UK customers (e.g., email marketing, retargeting ads).
2. A small fitness blog, run by an Australian, sells workout programs, ebooks, and access to a forum of fitness enthusiasts. This site is translated in German and French, and the owner runs Google ads for their workout programs in both Germany and France.
- While the site may be small, the owner would still need to comply as the website clearly targets and advertises to users in the EU.
Examples of when the regulation doesn’t apply:
1. A Japanese business sells clothing on its website, which is only in Japanese.
- Although in theory, an EU citizen could stumble on their website and input personal info to purchase a sweatshirt, this business would likely not need to comply as it is not targeting EU consumers.
2. A Canadian software company hires a German citizen living in Canada.
- The GDPR would not apply in this scenario because the EU citizen is living and being paid in Canadian dollars. Under Article 3, for the GDPR to apply to an entity outside of the EU, they must either be processing data for the purpose of offering good/services to data subjects in the EU, or monitoring behavior that takes place in the EU.
3. A stay at home mom starts a small personal blog to share DIY tips for children’s projects with local moms.
- Regardless of where this mom is located, the GDPR would not apply because she’s not actually collecting or processing any data, nor is she selling a product or service.
4. GDPR Compliance Requirements
Below are the big changes that the GDPR will bring to the internet privacy fold. Depending on the type of data you collect and whether you are a processor or controller, you may have to comply with some or all of these changes.
Feature #1: Data Breach Notifications
Article 33 of the GDPR states that:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.
This means that data processors and controllers must notify their supervisory authorities of a security breach within 72 hours of discovering the breach. The notification must at least include:
- A description of the breach in terms of the number of people that were affected and the kind of data that was accessed
- The contact details of the company’s data protection officer
- Any possible consequences of the data breach
- What actions are being taken by the company to mitigate the consequences
Feature #2: Data Protection Impact Assessments (DPIAs)
A DPIA is an evaluation of the effect of a data processing activity on the security of personal data. Article 35 requires controllers to conduct DPIAs in the event that one of their data processing activities is “likely to result in a high risk to the rights and freedoms of natural persons.”
According to the text, the assessment should address the necessity of the data processing activity, outline the risks, and offer measures that will be used to avoid said risks. Ultimately, the DPIA should result in a judgement on whether or not the potential risks of a processing activity are justified.
However, Article 35 isn’t clear on what exactly a high risk processing activity is, and only provides a few examples:
- “automated processing for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects”
- “processing on a large scale of special categories of data or of data relating to criminal convictions and offenses”
- “a systematic monitoring of a publicly accessible area on a large scale”
Fortunately, the UK’s Information Commissioner’s Office (ICO) provides a clearer list of actions that likely require a DPIA. ICO recommends that a DPIA should be conducted whenever you plan to:
- use new technologies
- use profiling or sensitive data
- profile data subjects on a large scale
- process genetic or biometric data
- match data or combine datasets from different sources
- track individuals’ location or behavior
- profile children or target marketing or online services at them
As a starting point, ICO also provides a template that you can use to guide you through the process.
Feature #3: Privacy by Design (PbD)
Developed in the 1990s, Privacy by Design is a concept that argues for privacy and security to be fully integrated into the design processes, procedures, protocols, and policies of a business. There are seven major principles that guide this concept:
- Privacy should be the default setting
- Privacy should be proactive, not reactive
- Privacy and design should go hand in hand
- Privacy shouldn’t be sacrificed for functionality
- PbD should be implemented for the full life cycle of the data
- Data collection operations should be fully visible and transparent
- User protection must be prioritized
Now that Privacy by Design is a legal requirement, businesses should make a point to implement this concept into all new and existing endeavors.
Feature #4: Stricter Consent Conditions
Although the GDPR expands many privacy features, when it comes to consent, the definition actually gets narrower. As outlined in Article 7, controllers will no longer be able to use opt-out or implied methods of consent — such as pre-ticked boxes, silence, or inactivity.
Instead, the text lays out that consent:
should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
If pre-ticked boxes and inactivity no longer count, then what constitutes unambiguous consent and how does it differ from explicit consent?
Below is an example of each type of consent:
Consent Example #1: Unambiguous Consent with an Affirmative Act
A website offers a free downloadable ebook in return for some basic information, such as the user’s name, industry, and job title. There is an optional email field with subtext underneath stating, “Enter your email address to receive our weekly newsletter and product updates.”
Consent Example #2: Explicit Consent
A website offers a paid, personalized nutrition plan. There is an online health form that needs to be filled in before making this purchase. Underneath the health form, there is a checkbox that needs to be checked before the form is submitted that reads:
I consent to you using this information to recommend an appropriate nutrition plan.
The differences between the examples above might seem minute, but there’s a drastic distinction. In the unambiguous consent example, the user is taking an “affirmative action” by inputting their email address, but they aren’t explicitly signing or clicking something that says they agree to the processing of information for a specific purpose.
Feature #5: Data Subject Access Requests (DSAR)
Under the GDPR, EU citizens have 8 rights over data collected from them:
- The right to be informed: data subjects should be able to easily learn how their data is collected and processed
- The right of access: data subjects have the right to request to access any data that has been collected from them
- The right of rectification: data subjects have the right to request to change inaccurate or incomplete data that has been collected from them
- The right to erasure: individuals have the right to request the deletion of their data, also referred to as the ‘right to be forgotten’
- The right to restrict processing: individuals have the right to request to block specific data processing activities
- The right to data portability: individuals have the right to request to retain and reuse their data for other services
- The right to object: data subjects have the right to object to the use of their data for certain processing activities
- Rights in relation to automation: data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her
To exercise these rights, data subjects can make direct requests to controllers, whether it be through a phone call, email, or web form. These requests must be addressed quickly as the GDPR only gives controllers 30 days to respond. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
Feature #6: Appointing a Data Protection Officer (DPO)
The last major piece of the GDPR is the requirement to appoint a data protection officer (DPO). A DPO plays several key roles in your GDPR compliance plan. They are responsible for:
- Educating controllers and processors on how they must comply with the regulation
- Monitoring compliance efforts
- Offering advice on data protection assessments
- Acting as the point of contact for the supervisory authority
Determining whether your business needs to designate a data protection officer or not will become a major element of complying with the GDPR. If assigning one is necessary for your company, the act of doing so will play a critical role in keeping your business compliant in the eyes of European regulators.
Controllers and processors are required to designate a DPO if:
- The processing is carried by a government entity
- The controller/processor regularly collects and processes a large amount of data
- The controller/processor processes a variety of sensitive personal information
5. Summary of the Major GDPR Articles
Chapter 2 – Core Principles
|#6||lawfulness of processing||Data collection and processing must fall under at least 1 of 6 legal bases:
1. User consent
2. Legitimate interest
3. Contractual necessity
4. Vital interest of the user
5. Legal obligation
6. Public interest
|#7||conditions for consent||If using consent as a legal basis, businesses must:
1. Request consent using clear and plain language
2. Provide the specific reasons for requesting consent
3. Require users to take an affirmative action to demonstrate their consent (e.g., ticking a box)
4. NOT bundle consent (do not make consent a precondition to use a service, unless absolutely necessary to carry out the contract or service)
5. Maintain records of user consent
6. Allow users to withdraw consent at anytime
|#9||special categories of personal data||If a business collects data relating to race or ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, or sexual orientation, they must first collect EXPLICIT consent OR meet 1 of 9 other conditions listed in the article|
Chapter 3 – User Rights
|#13||Information to provide when collecting user data||When personal data is obtained, the data controller must provide users with all of the following information:
1. The identity and the contact details of the data controller and DPO
2. Purposes of processing
3. Possible recipients of the data
4. Other details, depending if they apply
*Note, this is only necessary if the user DOES NOT already have this information
|#15||Right of access by the data subject||Users have the right to access details on the data collected from them, at any time. Data controllers must reply to these requests within 30 days (within 90 days for complex cases).|
|#16||Right to rectification||Users have the right to have data controllers fix any inaccurate data about them. Data controllers must reply to these requests within 30 days (within 90 days for complex cases).|
|#17||Right to be forgotten||Users may request to have their data deleted. Data controllers must reply to these requests within 30 days (within 90 days for complex cases).|
|#18||Right to restriction of processing||Users may request to limit how their data is processed. Data controllers must reply to these requests within 30 days (within 90 days for complex cases).|
|#20||Right to data portability||Users can request to receive their data and give it to another data controller|
|#21||Right to object||Users may request that the data controller stops processing any data that was collected on the basis of public or legitimate interest if the legitimate grounds of the user override those of the controller.|
Chapter 4 – Controllers and Processors
|#25||Data protection by design and by default||Data controllers should implement technical & organizational data safeguards (e.g., pseudonymisation of data) throughout their data collection, processing, and maintenance activities.|
|#27||EU Representatives||When the controller or processor is not located in the EU, they must appoint a representative in the EU.|
|#28||Processors||Data controllers can only work with processors that meet the requirements of the GDPR|
|#30||Records of processing activities||Controllers/processors and, where applicable, their representative must keep a record of all processing activities if they employ more than 250 persons, if the processing is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if the processing includes special categories of data or personal data relating to criminal convictions and offenses.|
|#33||Data Breach Notification to Supervisory Authority||In the event of a breach, processors and controllers have 72 hours to notify the supervisory authority of the breach. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.|
|#34||Data Breach Notification to Data Subjects||In the event of a data breach that is likely to result in a high risk to the rights and freedoms of natural persons, controllers shall notify users without undue delay.|
|#35||Data Protection Impact Assessment (DPIA)||Before new high-risk processing procedures are implemented, the controller must assess the impact of these procedures on their ability to protect user data.|
|#36||Supervisory Authority's Review of DPIA||When a DPIA finds that a processing activity presents a high risk to user data, the supervisory authority must be consulted.|
|#37||Designating a DPO||A processor or controller must appoint a DPO if:
1. The processing is done by a public authority
2. The data being processed is related to criminal convictions
3. Special categories of personal data are being processed on a large scale
|#39||Responsibilities of the DPO||The DPO must:
1. Advise controllers/processors and train staff on proper compliance measures
2. Provide advice on DPIAs
3. Cooperate with the supervisory authority
|#42||Compliance Certifications||EU member states, the supervisory authority, the Board and the Commission should encourage the establishment of data protection certifications, seals, and marks for controllers and processors to demonstrate their compliance.|
|#43||Certification Organizations||EU member states and the supervisory authority can approve and accredit organizations to issue certifications, seals, or marks.|
Chapter 5 – Data Transfers
|#45||Transfers based on the "adequacy decision"||Data transfers to an outside country or international organization can be made if the Commission has deemed the outside country/organization to have adequate data protections.|
|#46||Safeguarding Data Transfers||Transfers to outside countries/organizations that have not been approved by the Commission can only done if the controller has taken appropriate measures to safeguard the data (e.g., binding corporate rules or an approved code of conduct)|
6. GDPR Violations
As mentioned earlier, the final date to comply with the GDPR was May 25, 2018. Now that that date has passed, businesses that are not compliant are subject to steep GDPR fines (take lessons from the €50 million Euro Google GDPR fine).
Before the GDPR, EU member states were responsible for individually setting fines for violations. This, of course, meant that penalties across the EU were inconsistent. Now, penalties have been unified, with the maximum penalty as high as €20 million, or 4 percent of global annual turnover – whichever is higher.
Based on an Ovum report commissioned by Intralinks, 52% of US companies think that they are likely to be fined for noncompliance. Moreover, the global management company, Oliver Wyman, predicts that the EU is likely to collect $6 billion in fines and penalties in the first year of enforcement.
My business is located in the US, there’s no way they can penalize me, right?
Just because a business is not located in the EU, does not mean it can get away with violating the GDPR. The EU judges violations based on a company’s legal presence, not just its location. Legal presence is determined by a variety of factors, but the most important question is whether the company is directing business efforts toward EU consumers.
If you’re seeking out residents or citizens of the EU, you probably have a legal presence in the EU – thereby making it possible for you to be sued by that European citizen in a European court. Not convinced that a US court will hold up a ruling from the EU?
There are a number of ways for European citizens to get judgements from EU courts recognized and enforced in the US. However, if you do have a physical presence in the EU (e.g., office location, European bank accounts), then getting US courts involved won’t even be necessary. European courts can simply go after the assets that you own in Europe.
The effects and influence of the GDPR in the US may be as strong as they are within the EU.
As we’ve outlined above, there are a plethora of considerations that businesses will need to address in order to comply with this regulation. But here at Termly, our main concern is how this law will affect your business’s policies.
Based on our research, we’ve found that companies will need to make seven significant changes to their privacy policies in order to fulfill GDPR requirements:
1. Include an EU representative’s contact details: If you are a data controller and your business is not located in the EU, you must appoint a local representative and provide their contact details in your policy.
3. Provide the legal basis for each piece of data collected: Businesses must now outline the legal justifications for each action in which they use personal information — whether it is based on user consent, done in the customer’s legitimate interests, necessary to fulfill a contract with users, or to comply with legal obligations.
4. Describe transfers of personal information: If you conduct cross-border personal data transfers, you’ll need to provide the details of the recipient, including the destination country, whether the recipient is covered by the EU Commission, the risks of the transfer, and the safeguards you have in place.
5. Cover how long you keep personal information: The GDPR requires that you specify how long you will retain a user’s information.
The GDPR is just the first domino to fall, influencing new internet laws around the world. So sit down with your team and put together a compliance plan that will save you from the backlash of the GDPR, and prepare you for the many data privacy laws yet to come. Now is the time to make privacy your priority.