The General Data Protection Regulation (GDPR) became applicable in Europe in 2018 and almost immediately changed how businesses collect and process personal information worldwide — it most likely even impacts yours.
Its goal is to protect the privacy rights of individuals in the European Union (EU) and European Economic Area (EEA) by giving them control over how their personal data gets used online.
It outlines several rules and principles businesses must follow or they risk receiving hefty fines.
To help businesses understand the regulation, I created this GDPR summary where I explain its legal scope, who it protects, what you need to do to comply, and the potential costs of violating the world’s strictest data privacy law.
- What Is the GDPR?
- Who Must Comply With the GDPR?
- Key Definitions In the GDPR
- Penalties for Noncompliance
- The GDPR's Take On…
- GDPR Requirements for Businesses
- How Do GDPR Rules Affect Users & Consumers?
- The Worldwide Effect of the GDPR
- How Are U.S. Companies Affected by the EU GDPR?
- What Does GDPR Mean for the Future?
- GDPR FAQs
- Summary
What Is the GDPR?
I like to describe the GDPR in two ways.
It’s a data privacy regulation from Europe that grants rights and control to individuals in the EU/EEA over their personal information. But it also sets specific rules and principles businesses worldwide must follow to process that precious data legally.
The GDPR created a consolidated data protection legal framework across all EU member states, plus Iceland, Liechtenstein, and Norway, which are part of the EEA single market.
It prioritizes the individual rights of data subjects above all else and holds businesses accountable for data leaks and breaches.
The Interesting History of the GDPR
The GDPR has an interesting, perhaps even tumultuous, history that I’ll briefly touch upon before discussing its specific legal requirements.
Implementing the GDPR signaled a turning point for privacy protection in our current, somewhat new digital era of big data.
While European leaders initially approved the GDPR in 2016, it became applicable on May 25, 2018, allowing EU member states and businesses worldwide two years to prepare for it.
Two years sounds like lots of time to prepare. However, many organizations remained unclear about the GDPR requirements and whether and when they needed to follow them.
This uncertainty — and lack of preparation — put them at risk of significant fines for noncompliance (I’ll talk about the financial risks of violating the GDPR later in this guide).
The regulation replaced the EU’s Data Protection Directive (DPD) from 1995.
Of course, the data environment looked significantly different in the mid-90s than in 2016. The World Wide Web was still young, and smartphones didn’t live in the pockets of consumers.
The DPD was implemented separately by EU and EEA member states and varied significantly between jurisdictions. In contrast, the text of the GDPR was directly applicable, affecting all EU member states, and its language better reflects modern data processing.
In fact, the GDPR has even been used in an attempt to regulate artificial intelligence (AI) technology in countries like Italy — in 2022, the Italian supervisory authority fined Clearview AI €20 million for storing biometric and geolocation data without having a proper legal basis for doing so under the GDPR (IAPP).
The regulation continues to inspire other regions worldwide to adopt laws with similar data privacy principles, proving that it will undoubtedly have a lasting impression on all of our lives.
Who Must Comply With the GDPR?
I find that most business owners are surprised to learn how broad the scope of the GDPR is.
The GDPR applies to entities and businesses around the world that process personal data and target EU/EEA data subjects — directly or indirectly — in either of the following ways:
- Offering goods or services to people in the EU/EEA, even if no monetary transaction takes place
- Monitoring the online behavior of people in the EU/EEA
This application means businesses operating outside of Europe may fall under its legal threshold as either data controllers or data processors, a distinction I’ll discuss shortly.
I also find the inclusiveness of who it covers interesting. The GDPR protects individuals in the EU or EEA, regardless of nationality or citizenship status, and refers to them as data subjects, as explained in Chapter 1, Article 3 of the regulation.
Key Definitions In the GDPR
Now that you know the GDPR basics, I suggest you familiarize yourself with the legal definitions of several key phrases used in the regulation to help simplify your compliance process.
In the table below, I show you the definition of those essential words as it appears in the GDPR and provide a simplified version of the meanings.
| Term | Precise Legal Definition | Simplified Definition |
| --- | --- | --- |
| Personal data | “… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” | Information about a person that can directly or indirectly identify them, like: |
| Processing | “… any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” | Doing any of the following actions to a piece or set of personal data: |
| Consent | “…any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;” | When a data subject freely agrees to data processing by taking an affirmative, clear action (like selecting a checkbox, clicking a button labeled ‘I Agree’, writing it on a piece of paper, or signing a document with this purpose) and has access to and has read a compliant privacy policy that informs them about the entity’s data processing activities. *This is an important definition to pay attention to if your business relies on consent as a legal basis for processing personal data.* |
| Data controller | “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;” | Any natural person or entity that determines the reason for and means of processing personal data pertaining to data subjects (e.g., customers, users, website visitors, etc.). |
| Data processor | “…a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;” (Chapter 1, Article 4, Part 8) | Any third party tasked by a data controller to process personal data on the controller’s behalf and according to its instructions. |
I’ll keep using these terms throughout this GDPR guide, so feel free to refer back to the definitions whenever necessary.
Penalties for Noncompliance
Violating the GDPR leads to hefty fines and public scrutiny. And trust me, you don’t want to end up on our list of the biggest GDPR fines of all time.
- Companies that significantly breach the regulation as listed in Article 83(5) of the GDPR face a maximum penalty of €20 million ($22.5 million) or 4% of their annual global turnover, whichever is higher.
- Less severe infractions, as listed in Article 83(4) of the GDPR, top out at €10 million ($12 million) or up to 2% of their annual global turnover.
Additionally, authorities can issue a public reprimand or restrict the undertaking of data collection activity, like banning a company from processing the information of GDPR subjects. Such restrictions can be imposed on a temporary or permanent basis.
The first significant GDPR penalty (approx. €50 million) was issued in January 2019, and it didn’t stop there — the regulation has currently amassed a total of €4 billion ($4.5 billion) in fines overall. Yikes.
The GDPR’s Take On…
In the following sections, I’ll cover the GDPR’s take on several vital topics that impact businesses and your consumers.
Seven Core GDPR Principles
The text of the GDPR (Chapter 2, Article 5) outlines seven core principles that entities must follow to process personal data legally.
Those principles are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (aka, security)
- Accountability
But I find that most businesses don’t fully understand the purpose of the GDPR, what these core principles mean, or how they relate to privacy compliance. So I’ll take the time to explain each one to you.
Lawfulness, Fairness, and Transparency
According to the GDPR, all data processing performed by any entity must be legal. You must process the information fairly and in the best interest of the data subjects.
Businesses cannot mislead users about their data processing purposes or activities.
You must transparently inform your users about what information you collect from them, your legal basis for doing so, and how it gets used — including if you share it with any third parties and what their rights are.
Purpose Limitation
Under the GDPR, businesses must collect and process personal data only for the purposes they explicitly specified to the data subjects concerned.
That means that you cannot process the personal data beyond such purposes unless further processing is considered compatible with the purposes for which the personal data was originally collected. This is known as a purpose limitation.
You must make the purpose of processing clear from the start, record it in some way, and it can only change if you re-obtain consent from your users.
However, archiving data for the public interest, scientific or historical research purposes, or statistical purposes is not reliant on purpose limitations as long as you follow all provisions outlined in Chapter 9, Article 89 of the GDPR.
Data Minimization
Businesses that fall under the jurisdiction of the GDPR can only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes outlined to the data subjects for the data processing.
In other words, you should only collect the data required for the stated processing purpose — you can’t just make up any reason you want for collecting as much data as possible.
The practical implementation of this principle requires applying two concepts: necessity (i.e., is the data processing necessary?) and proportionality (i.e., is it proportional?) to the personal data processing.
Accuracy
According to the GDPR, you must take reasonable steps to ensure the personal data you collect is accurate and up to date, wherever necessary. This action is required because there are obvious risks to data subjects if inaccurate information is processed.
Therefore, businesses must also take every step possible to correct or rectify inaccurate data without undue delay (within reason, of course).
Storage Limitation
The GDPR clearly states that businesses shouldn’t keep personal data for longer than necessary concerning the purpose for which the data was initially processed.
The only exception is for archival purposes concerning the public interest, scientific or historical research, or statistical purposes, in which case you may store the data for longer periods as outlined in Chapter 9, Article 89 of the GDPR.
Integrity and Confidentiality (aka, Security)
Under the GDPR, your business must take appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing, accidental loss, destruction, and damage. To put it simply, you must avoid the risk of encountering data leaks or breaches.
Being irresponsible with the personal data of data subjects may get you into trouble!
The GDPR may hold businesses financially accountable if they fall victim to such a cybercrime due to inadequate security measures.
What’s more, you must notify the applicable data protection authority about any leaks or breaches without undue delay, and no later than 72 hours from the moment you became aware of the breach.
If the data breach is likely to result in a high risk to the rights and freedoms of the data subjects, you also have to inform them.
Because of this core principle, your business must take appropriate security steps to ensure that the data that you process is anonymized, encrypted, or at least pseudonymized to decrease the likelihood of a serious data breach.
Accountability
Accountability is one of the most important principles under the GDPR.
According to the GDPR, organizations must be able to demonstrate that they comply with the six principles I just covered; this requirement is known as the principle of accountability. The idea is that organizations must be responsible for the information they collect and process about people.
They need to take ownership and care of it throughout the data lifecycle. By doing so, the organization can be held accountable for its actions and inactions.
If you assume you’re GDPR-compliant but can’t prove it, you’re technically not.
Some ways you can prove that your business is compliant with the GDPR include:
- Publishing an up-to-date, accurate privacy policy available to all EU/EEA data subjects.
- Using Data Subject Access Request (DSAR) forms on your platform so your EU/EEA data subjects can easily follow through on their privacy rights.
- Ensuring you use adequate Data Processing Agreements (DPAs) with any third parties with access to your user data following the contractual obligations outlined in Chapter 4, Article 28 of the regulation.
- Appointing a Data Protection Officer (DPO) when necessary.
- Training your staff regarding data privacy and cybersecurity best practices.
- Documenting in detail the security measures used to adequately protect your users’ data.
- Being aware of the rights of data subjects and being ready to assist them promptly.
Privacy by Design and by Default (PbD)
The GDPR describes something called Privacy by Design and by Default or PbD, which really just means you should focus on building data protection into the very core of your business from the design stage throughout the entire lifecycle of the processing activity.
By making data protection an essential component of your business, you can better anticipate risks and data breaches before they may occur. Thus, you can offer individuals a more secure environment and trust in your business.
I often tell companies that this is like a guarantee to your customers that you keep the safety and security of their personal information in mind when planning out your data collection and processing protocols.
PbD is not a new concept in the data protection sphere. However, the GDPR makes it an official legal requirement regarding data subjects within the EU/EEA.
You must make data integrity a part of each product design stage and proactively keep it in mind throughout all facets of development.
Conditions for Legally Processing Personal Data
To lawfully process personal data under the GDPR, you must state your legal basis for each category of information you use.
The GDPR outlines the following legal bases as compliant reasons for data processing:
Consent
You can rely on consent only if you offer data subjects control and genuine choice for accepting or declining the terms offered without detriment to your processing activities.
You must also follow specific conditions outlined by the GDPR to have a valid lawful basis for collecting personal information. Because this is a common legal basis for businesses, I cover it in greater detail in the next section.
Contractual performance
If the processing is necessary for the performance of a contract that includes the data subject, then this is a legitimate reason for processing user information.
Legitimate interest
If processing the data is necessary for your legitimate interests, then this legal basis applies unless these legitimate interests override the rights and freedoms of the data subjects.
Vital interest
This applies in life or death situations and refers to processing necessary data to protect the vital interests of a data subject.
Legal requirement
This legal basis applies when processing is necessary to fulfill a legal obligation.
Public interest
This applies when processing data is necessary to perform a task in the general public’s interest and typically applies to public or private entities that perform tasks in the public interest.
Ensure you clearly explain and prove your legal basis for each type of personal information you collect in a GDPR-compliant privacy policy.
It’s important to highlight that there is no hierarchy between the legal bases except for “Legitimate interest,” which shall only be used as a last resort when no other legal basis can be relied upon.
Moreover, you must determine the lawful basis before processing personal data. It’s important to get this right the first time. Switching the legal basis is likely to be inherently unfair to the data subjects and may lead to breaches of accountability and transparency requirements.
Consent Under the GDPR
Consent is one of the legal bases for processing personal data under the GDPR, but your business must be able to demonstrate several specific conditions outlined by the regulation.
The GDPR defines valid consent in Chapter 1, Article 4, and to help you understand this definition a little better, I’ve broken it into its essential parts:
- Freely given: Your users must have a genuine choice and control to agree to your data collection practices and cannot be forced or coerced.
- Specific: If a user consents to your processing activities, you cannot bundle that affirmative choice with other things or convolute it in ways that may confuse the data subject.
- Informed: Your users must know what they agree to, which means providing an easy-to-read explanation regarding what data you’re collecting, why you need it, how you will use it, and with whom you will share it. This is closely related to the principles of fairness and lawfulness explained above.
- Unambiguous indication: Users must signal that they agree to your data processing practices through an active motion or declaration, such as selecting a checkbox or an appropriately labeled ‘Agree’ button. This consent cannot be convoluted with agreeing to other things, like marketing emails or newsletters. Therefore, it must be clear that the data subject consents to a particular processing activity.
- Affirmative action: Users must take obvious action to express that they agree to your data processing activities. Have them select a clearly labeled ‘Agree’ button, actively fill out a form, or tick a checkbox that is not pre-checked to express approval.
The GDPR outlines the following conditions for consent in Chapter 4, Article 7, which you must meet to use consent as a valid legal basis for processing data:
- You must be able to demonstrate that you got consent from your users to process their data.
- If they give consent via a written declaration that also concerns other matters, you must present the request for consent in a way that is clearly distinguishable from the other matters, intelligible, and easily accessible.
- Your users have the right to withdraw their consent at any time, and withdrawing must be as easy as giving consent was.
- Consent is presumed not to be freely given if it does not allow separate consent for different personal data processing operations despite that being appropriate in the individual case, or if the performance of a contract (including the provision of a service) is made dependent on consent that is not necessary for that performance.
The information must be accessible and written using language the average person can understand. Users should know what they’re agreeing to, and the use of their data must not go beyond what was specified.
To describe consent under the GDPR in a nutshell: endless pages of legalese and pre-checked boxes don’t cut it anymore.
Data Storage and Security Guidelines
According to the GDPR, businesses are responsible for keeping personal data safe from cybersecurity breaches or leaks, which would lead, in particular, to unauthorized access, unavailability of personal data, or loss of integrity.
It also states that entities should only store the information as long as necessary to complete the initial purposes presented to the data subjects.
It’s up to you to consider the risk level of the data you’re collecting and apply the appropriate safeguards while considering the implementation costs and the nature, scope, context, and purposes of the processing.
However, Chapter 4, Article 32 of the GDPR recommends taking the following measures:
- Pseudonymizing and encrypting personal data.
- Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems.
- Being able to restore the availability of and access to personal data in the event of an incident.
- Having a process for regularly testing, assessing, and evaluating the effectiveness of these technical and organizational measures.
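To make the first of those Article 32 measures concrete, here is an added example (my own illustration, not code from the regulation or from any vendor) of pseudonymizing a constructed customer dataset. The point it shows is the one the GDPR definition hinges on: the records themselves no longer name anyone, the same person still maps to the same token so counts and joins keep working, and the key plus the lookup table needed to get back to a person are held separately from the data. The record fields, the `secrets`/`hmac` choice, and the 16-byte token length are assumptions of this example.

```python
"""Pseudonymization of a constructed customer dataset (added example).

The data set that leaves the controller carries only keyed tokens; the
'additional information' needed to re-identify someone (the key and the
lookup table) is kept separately, which is what makes this
pseudonymization rather than a plain hash of the email address."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records; these are not real people.
CUSTOMERS = [
    {"email": "anna@example.org", "country": "DE", "orders": 3},
    {"email": "bo@example.org", "country": "SE", "orders": 1},
    {"email": "anna@example.org", "country": "DE", "orders": 2},
]


def new_pseudonym_key() -> bytes:
    """A fresh 256-bit secret. In practice this lives in a KMS or vault,
    never in the same store as the pseudonymized records."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    Unlike a plain SHA-256 of the email, a party without the key cannot
    confirm a guess such as 'is this token anna@example.org?' by hashing
    candidate addresses. Normalizing case and whitespace keeps one person
    on one token."""
    normalized = identifier.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).digest()
    return digest[:16].hex()


def pseudonymize(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return (pseudonymized records, re-identification table).

    The first list is what analytics, support tooling, or a processor
    receives; the second is the separately held mapping a controller needs
    to answer an access or erasure request for a given token."""
    out, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = rec["email"]
        out.append({"subject": token, "country": rec["country"], "orders": rec["orders"]})
    return out, lookup


def orders_per_subject(pseudonymized: List[dict]) -> Dict[str, int]:
    """Linkability survives pseudonymization: the same person always maps
    to the same token, so aggregation still works without the identity."""
    totals: Dict[str, int] = {}
    for rec in pseudonymized:
        totals[rec["subject"]] = totals.get(rec["subject"], 0) + rec["orders"]
    return totals


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Only whoever holds the separately stored lookup table can go back
    from a token to the person."""
    return lookup.get(token)


if __name__ == "__main__":
    key = new_pseudonym_key()
    data, lookup = pseudonymize(CUSTOMERS, key)
    print("records handed to analytics:", data)
    print("orders per token:", orders_per_subject(data))
    print("re-identified token 2:", reidentify(data[1]["subject"], lookup))
```

Rotating the key produces an entirely different token set, which is useful when a processor relationship ends; and because the tokens are not derived from the email alone, a leaked pseudonymized extract does not let the recipient test candidate addresses against it.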
Data Protection Officers (DPOs)
According to Chapter 4, Article 37, you need to appoint a DPO if:
- A public authority carries out the data processing.
- The core activities of the data controller or processor require regular and systematic monitoring of data subjects on a large scale (e.g., profiling).
- You process sensitive categories of data on a large scale (like criminal convictions, health data, political opinions, details about gender, etc.).
Some questions may arise out of the conditions listed above.
- What is a public authority? This must be determined under the national law of each member state.
- What are core activities? This should be interpreted as the key operations necessary to achieve your goals, irrespective of whether you act as a controller or processor.
- What is a large scale? When analyzing whether the processing is performed on a large scale, the following elements should be considered:
  - The number of data subjects concerned, either as a specific number or as a proportion of the relevant population.
  - The volume of data and/or the range of different data items being processed.
  - The duration or permanence of the data processing activity.
  - The geographical extent of the processing activity.
Appointing a person to oversee all data-protection-related procedures is key to achieving GDPR compliance.
DPOs are not personally responsible in case of non-compliance, and they must be independent when carrying out their work. DPOs must also have a direct line of communication to the higher management, e.g., to the company’s CEO.
Data Protection Impact Assessments (DPIAs)
You may have to assess certain risks in advance if your data processing — because you use new technology or because of the nature, scope, and context of the processing activity — results in a high risk to the rights and freedoms of data subjects.
You should therefore pay close attention to this aspect of the GDPR.
Your business must perform a Data Protection Impact Assessment (DPIA) as outlined in Chapter 4, Article 35 of the regulation, and seek advice from an appointed Data Protection Officer (DPO) to process highly sensitive data.
If the DPIA determines that processing the data is too high risk for the rights and freedoms of the data subjects, you must consult a supervisory authority as outlined in Chapter 4, Article 36.
GDPR Requirements for Businesses
Businesses must follow several requirements to comply with the GDPR adequately. I’ve broken them into steps to help simplify the process for you.
Step 1: Perform a Privacy Audit and Determine Your Legal Basis
When starting, I suggest you take the time to run a privacy audit on your website or company, in general, so you know all the personal data it’s collecting from users.
You should further determine the categories and types of data you collect and the legal reasons for doing so.
Get ready to write this all down; it must go in a privacy policy that you present to your data subjects wherever data processing occurs on your site. Equally important, this information will allow you to map all your data, which you may need later to create your records of processing activities per Article 30 of the GDPR.
Step 2: Obtain Proper Consent from Data Subjects
This step applies if consent is the legal basis you use for processing personal data.
To legally ensure you’re following all GDPR consent requirements, you must:
- Present your users with a compliant consent banner that allows them to opt in or out of your data processing activities.
- Ensure accurate privacy and cookie policies are linked from your consent banner, since EU/EEA data subjects have the right to access this information (I’ll cover the GDPR privacy policy guidelines next).
- Give them a way to easily change their minds or withdraw consent anytime, like through a consent preference center.
- Keep a log of their consent choices to prove you obtained their consent.
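What the last bullet looks like in practice, as an added example of my own rather than anything from the regulation or a particular consent tool: a small consent ledger that stores each choice per purpose, together with the policy version the person saw, how the choice was made, and when. That layout is what lets you demonstrate consent and honor withdrawal as easily as the original opt-in, the Article 7 conditions described in the consent section above. The purpose names, accepted methods, and record fields are assumptions of this example.

```python
"""A constructed consent ledger for Step 2 (added example).

Each event records one subject's choice for one purpose. Keeping purposes
separate is what lets a person accept analytics but refuse marketing, and
keeping the policy version and timestamp is what lets you show later
exactly what they agreed to."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Purposes this business asks consent for (assumed names).
PURPOSES = {"analytics", "marketing_email", "personalization"}
# Only affirmative actions count as consent; a pre-ticked box is not on this list.
AFFIRMATIVE_METHODS = {"banner_click", "form_submit", "preference_center", "signed_document"}


def T(year: int, month: int, day: int) -> datetime:
    """Helper for constructed UTC timestamps in the demo and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous user id; the ledger never holds an email
    purpose: str
    given: bool            # True = consent given, False = consent withdrawn
    policy_version: str    # privacy/cookie policy shown at the time ("" on withdrawal)
    method: str            # how the choice was expressed
    at: datetime


@dataclass
class ConsentLedger:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, subject_id: str, purpose: str, given: bool,
               policy_version: str, method: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Append an immutable event; the history is the evidence, so nothing is overwritten."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not an affirmative action")
        ev = ConsentEvent(subject_id, purpose, given, policy_version, method,
                          at or datetime.now(timezone.utc))
        self.events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str,
                 method: str = "preference_center", at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is a single call with the same shape as giving consent."""
        return self.record(subject_id, purpose, False, "", method, at)

    def status(self, subject_id: str, purpose: str,
               at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """The latest event for this subject and purpose as of `at`: the proof you would show."""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self.events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        return max(relevant, key=lambda e: e.at) if relevant else None

    def may_process(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """No record means no consent; a withdrawal after the last grant also means no."""
        ev = self.status(subject_id, purpose, at)
        return ev is not None and ev.given


def demo() -> ConsentLedger:
    """Constructed history for one user: opts into analytics, later withdraws."""
    ledger = ConsentLedger()
    ledger.record("user-7f3a", "analytics", True, "policy-v3", "banner_click", at=T(2024, 1, 1))
    ledger.withdraw("user-7f3a", "analytics", at=T(2024, 2, 1))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    for purpose in sorted(PURPOSES):
        print(purpose, "allowed today:", ledger.may_process("user-7f3a", purpose))
```

Because `status` takes a point in time, the same ledger answers both the operational question (may I send this email now?) and the accountability question (was this processing covered by consent on the date it happened?).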
Step 3: Make and Share a Compliant Privacy Policy
You must present a privacy policy to your data subjects when you obtain personal data from them that includes the following details, as outlined in Chapter 3, Article 13:
- Your business identity, contact information, and representative, if it’s applicable
- The contact information for your Data Protection Officer, if applicable
- The intended purpose for processing the data and your legal basis for doing so
- An explanation of any legitimate interests that you or any third parties you work with may have for processing the data, if you rely on this legal basis (i.e., Article 6(1)(f) of the GDPR)
- The recipients of the personal data, or categories of recipients, if they exist
- Whether you intend to transfer personal data to a third country or international organization, and the safeguards in place to protect the data
- The period for which you will store the data or the criteria used to determine that period
- The rights of the data subjects, including the right to lodge a complaint
- The existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR
Step 4: Use Data Processing Agreements to Meet the GDPR Contractual Obligations
If you rely on any third parties to process data on your behalf, they become data processors while your business remains the data controller, and you’ll both need to sign a GDPR-compliant contract.
You must also ensure that the data processor you are about to engage provides sufficient guarantees that it will implement appropriate technical and organizational measures to safeguard the personal data entrusted to it.
Businesses commonly use a Data Processing Agreement or DPA to meet these guidelines, outlined in Chapter 4, Article 28. You must require the third-party data processor to:
- Only process personal data as instructed by the data controller.
- Commit to confidentiality regarding personal data.
- Take all security measures required by the GDPR.
- Not engage another processor without the written authorization of the data controller.
- Assist the data controller, through appropriate technical and organizational measures, in fulfilling requests from data subjects who wish to exercise their privacy rights.
- Assist the data controller in complying with the security, breach notification, impact assessment, and prior consultation requirements of the GDPR.
- Delete all personal data or return it to the data controller after the contract term ends.
- Make all information necessary to demonstrate GDPR compliance available, and immediately inform the data controller if it believes an instruction infringes the regulation or other Union or Member State law.
Step 5: Follow All GDPR Safety and Security Requirements
All businesses under the GDPR must securely store and protect personal data, but companies that collect data on a large scale or process high-risk categories of data must also employ a DPO and complete the DPIAs I covered in this guide.
Nonetheless, I want to remind you that the appointment of a DPO and the performance of DPIAs is seen as good practice for your accountability under the GDPR, even if you don’t process large-scale or high-risk categories of personal data.
GDPR compliance is different for every company because everybody uses unique data processing practices.
How Do GDPR Rules Affect Users & Consumers?
The GDPR affects users by giving them more rights and control over how their data is used, and it guarantees that businesses will inform them promptly if their information is compromised.
Summary of New GDPR Consumer Rights
The GDPR gives data subjects the following rights in Chapter 3, Articles 12 – 23:
- The Right to Be Informed (Articles 13 and 14): The GDPR emphasizes transparency in data collection practices, meaning individuals have the right to be fully informed about the collection and use of their data.
- The Right to Access (Article 15): Individuals can request to view any personal data collected from them. You must explain to them why you collected the information and who you’ve shared it with. You must provide these details as soon as possible but no later than one month and free of charge.
- The Right to Rectification (Article 16): If data collected about an individual is inaccurate, the individual can request a correction (rectification). The organization processing the data must respond as soon as possible, and within one month, they must correct the information accordingly. A data subject can also request the completion of incomplete information. You may also have to inform other third parties with whom you have shared personal data about this request.
- The Right to Erasure (Article 17): Individuals can request that you permanently delete their information if the data is no longer relevant or because the user withdraws their consent. You may also have to inform other third parties with whom you have shared personal data about this request.
- The Right to Restrict Data Processing (Article 18): An individual can request to limit how their data is processed when certain conditions apply, such as if the processing is unlawful or if the individual has objected to it. You may also have to inform other third parties with whom you have shared personal data about this request.
- The Right to Data Portability (Article 20): When users request to view their data, they must receive it in a clear format. The controller who provides this information cannot prevent or impede the data subject’s ability to give the data to another controller. In essence, personal data must easily transfer to another organization.
- The Right to Objection (Article 21): Individuals can object to the processing of their data in certain situations, such as direct marketing.
- Automated Individual Decision-Making (Article 22): Individuals have the right not to be subject to an automatic decision-making process that has significant legal effects.
This regulation is also one of the primary reasons you see consent banners popping up with links to detailed cookie policies and privacy notices.
Fun fact: after its effective date, the use of pop-up consent banners increased across Europe by 16%.
People like to complain about the abundance of these pop-up banners, but personally, I don’t mind them.
I like having the choice over how my personal information gets used, and clicking a button repeatedly on the internet doesn’t feel like that big of a nuisance, if you ask me.
Summary of GDPR Data Breach Notifications
The GDPR requires businesses to notify the appropriate supervisory authority and, under certain scenarios, the data subjects concerned if their personal data gets compromised by technical errors or other data breaches.
In my opinion, this is one of the most critical impacts introduced by the GDPR as it holds companies accountable for their security practices — or lack thereof — while giving users greater peace of mind.
According to Article 33 of the GDPR, businesses have 72 hours after becoming aware of a breach to inform the appropriate supervisory authority.
The notification to the supervisory authority must include details about the nature of the breach, the probable consequences, and the measures the controller plans to take to mitigate the harmful effects.
The data subjects themselves must then be notified “without undue delay” if the data breach is likely to result in a high risk to their rights and freedoms. This is further described under Article 34 of the GDPR.
The Worldwide Effect of the GDPR
The GDPR provided a template for how data privacy legislation considers territorial boundaries in a digital world, essentially changing the privacy landscape across the globe.
The GDPR has an extraterritorial scope, meaning its rules apply beyond traditional territorial borders. This is why businesses in other countries must follow the GDPR requirements despite being outside the EU or EEA if they offer goods or services to data subjects in the EU/EEA (even free of charge) or monitor their behavior, e.g., through profiling.
In just five years, over 100 countries have implemented new data protection laws to regulate the flow of personal data, many of which directly parallel this European regulation, with more legislation to come.
How Are U.S. Companies Affected by the EU GDPR?
Many U.S. companies are impacted by the GDPR because, despite being located in America, they fall within the territorial scope of the regulation and must comply with all of its requirements.
In the early days of the GDPR, I remember some U.S. companies taking a tentative approach to targeting advertisements at European users. In contrast, others chose to cut off their EU/EEA customer base entirely.
But years later, it turns out those who tried to comply remained stronger, especially when the California Consumer Privacy Act (CCPA) entered into force in 2020 — a state law with privacy measures inspired by the GDPR, followed by Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia.
The U.S. now has several privacy laws passed in different states, with more bills on the horizon.
Now is the ideal time for businesses to become more familiar with how the GDPR affects the U.S. and implement a global data security strategy.
What Does GDPR Mean for the Future?
With the GDPR leading the charge to regulate data flow, I believe the future of privacy will be shaped by those who prioritize data protection today.
Data has immense value to businesses, but consumers and government entities alike increasingly call upon companies to safeguard that data’s source and ensure privacy is taken seriously — or face the consequences.
Just take a look at some of the alarming data privacy statistics emphasizing that consumers expect more transparent privacy practices from businesses moving forward:
- 76% of users believe companies must do more to protect their data online. (Global Consumer State of Mind Report 2021)
- 92% of Americans are concerned about their privacy when using the Internet. (TrustArc)
- Only 25% of users believe companies are responsible with their data. (Pew Research Center)
After years of limited transparency regarding data privacy, it’s evident that customers are demanding more thorough protection of their personal information, even those in territories like the U.S., which falls outside the GDPR’s scope.
GDPR FAQs
Below, I answer some of the most frequently asked questions Termly gets about the regulation.
What are the seven principles of the GDPR?
The seven principles of the GDPR are:
- Lawfulness, fairness, and transparency
- Purpose limitations
- Data minimization
- Accuracy
- Storage limitations
- Integrity and confidentiality (also known as security)
- Accountability
What is the U.S. equivalent of the GDPR?
The U.S. doesn’t have a federal law equivalent to the GDPR. But political leaders are currently debating the American Data Privacy and Protection Act (ADPPA), which would be the first.
Some state laws share similarities with the GDPR, including the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA).
What is the main focus of the GDPR?
The main focus of the GDPR is to protect the data privacy of individuals within the EU/EEA uniformly, so each member state doesn’t need to create its own data protection measures, producing consistent laws across the Union.
What are the key points of the GDPR?
The key points of the GDPR include granting data subjects in the EU/EEA the rights to access, rectify, object to the processing of, or delete their personal information, and obliging businesses to process personal data only as necessary for specific lawful purposes, with privacy by design and by default (PbD) built into every part of the process.
What is personal data under the GDPR?
The GDPR defines personal data in Chapter 1, Article 4 as any information relating to an identified or identifiable natural person, whether directly or indirectly, and it includes details like:
- Name
- E-mail address
- ID numbers
- Location data
- Online identifiers
- Genetic data
- Mental data
- Economic data
- Cultural or social identity
What counts as processing personal data under the GDPR?
According to the legal definition as it appears in Chapter 1, Article 4 of the GDPR, all of the following actions count as processing personal data:
- Collecting
- Recording
- Organizing
- Structuring
- Storing
- Adapting
- Altering
- Retrieving
- Consulting
- Using
- Disclosing by transmission
- Disseminating
- Otherwise making available
- Aligning or combining
- Restricting
- Erasing or destroying
Summary
The GDPR is a strict privacy law, but it’s possible for businesses to achieve compliance without undue difficulty.
You’ll need an updated privacy and cookie policy, a properly configured consent management platform, and a DSAR form to help users submit privacy requests.
Termly can help! Get started with our GDPR-compliant privacy policy generator and consent management platform for free.
Reviewed by Masha Komnenic, CIPP/E, CIPM, CIPT, FIP, Director of Global Privacy