GDPR

The General Data Protection Regulation (GDPR) is a data privacy law that regulates the gathering, processing, and safekeeping of personal data for people within the European Union (EU) and the European Economic Area (EEA).

In this article, we will provide an overview of the GDPR, its applicability, an in-depth guide to achieving compliance, penalties for non-compliance, and more.

What is the GDPR?

The GDPR is a privacy law implemented by the EU to ensure the security of personal data belonging to EU citizens and residents.

It took effect on May 25, 2018, and replaced the 1995 Data Protection Directive.

The GDPR reinforces individual control of personal data and simplifies regulations for all organizations serving the EU.

The GDPR mandates that businesses handling EU residents' personal data implement strict data protection measures and obtain explicit consent.

Who Does the GDPR Apply to?

The GDPR applies to organizations within and outside the EU. Here's an overview of who's required to comply.

EU-based Organizations

Under the GDPR, companies that process personal data of EU residents must comply with strict regulations regardless of their size or industry. This applies to the following:

  • All companies, non-profits, and public bodies established in the EU
  • Sole traders and individual professionals handling personal data of EU residents
  • EU subsidiaries of non-EU companies

Non-EU Organizations

The reach of the GDPR goes beyond European borders, extending to businesses worldwide that interact with EU residents. If your business collects EU data, you may be subject to GDPR compliance. Non-EU organizations must comply with GDPR if they engage in two primary activities:

  1. Provide goods or services to EU residents. For example:

    • A US-based e-commerce site with prices in Euros
    • A Canadian hotel accepting bookings from EU tourists
  2. Monitor behavior of individuals in the EU. Here are two examples:

    • An Australian company using web analytics on EU visitors
    • A Chinese app tracking EU users' location data

Intention is critical in determining GDPR applicability for non-EU organizations. The GDPR doesn't apply if you don't actively target EU residents. You are considered to be intentionally targeting EU individuals if you:

  • Customize your website or services for EU markets
  • Use EU languages (such as Italian, French, Swedish, etc.)
  • Use EU currencies (such as Euro, Bulgarian Lev, etc.)
  • Mention EU customers or users in your marketing

What Does the GDPR Require?

The GDPR requires your business to:

  1. Focus on data protection: Establish measures to safeguard personal information.
  2. Ensure transparency: Clearly communicate the methods and purposes for acquiring and using personal data.
  3. Respect individual rights: Honor rights granted to data subjects, including access and erasure.
  4. Maintain accountability: Demonstrate compliance through documentation and responsible practices.
  5. Report data breaches immediately: Alert authorities and affected users of breaches within 72 hours.
  6. Limit data usage: Collect and process only necessary data for specified purposes.
  7. Secure international transfers: Ensure adequate protection when transferring data outside the EU.

How to Comply With the GDPR

Below is a step-by-step guide for compliance.

1. Understand Your Data Processing Activities

Conduct a comprehensive data audit, known as a Data Protection Impact Assessment (DPIA), to document the personal data you collect, the reasons for collection, and the methods of processing. You will need to:

  • Include digital and physical documentation
  • Record how data is obtained (e.g., web forms, surveys, third-party sources)
  • Identify types of personal data collected (e.g., names, emails, addresses)
  • List reasons for collecting each type of data
  • Monitor the flow of data inside your company
  • Note how long each type of data is kept
  • Identify any vulnerabilities or areas for improvement

For example, Google's Privacy Policy states the reason for processing data:

Google Privacy Policy: Information Google Collects clause

2. Establish a Lawful Basis for Processing

Document the rationale for each processing activity. Article 6 of the GDPR explains six lawful bases, including:

  • Consent: Data subject provides clear, informed consent for processing, which can be withdrawn at any time.
  • Contract: Processing is required to execute a contract with the data subject.
  • Legal Obligation: Data processing is necessary to meet legal requirements set by EU or member state legislation.
  • Vital Interests: Processing is required to safeguard the fundamental interests of the user or other individual in life-threatening circumstances.
  • Public Task: Data processing is required to carry out tasks serving the public interest or to exercise official powers granted to the controller.
  • Legitimate Interests: Data processing is essential to address the legitimate requirements of the data controller or another organization, while upholding the data subject's rights.

Amazon uses consent as a lawful basis for sending marketing emails, advertising, transactions, etc., which it clearly states in its Privacy Notice:

Amazon CA Privacy Notice intro section - Updated for 2024

3. Implement Data Protection Measures

As noted in Recital 78 of the GDPR, your company must integrate data protection int o its business practices from the very beginning, including the following:

  • Design Stage: Consider privacy and data protection issues at the design phase of any new product, service, or process.
  • Default Settings: Ensure the highest privacy settings are applied by default.

Two appropriate technical measures to ensure data security include encryption and pseudonymization.

Encryption transforms data into a coded format to protect against unauthorized access. A common type of encryption is Transport Layer Security (TLS), which secures data during transfer over the internet. TLS is the upgraded version of Secure Sockets Layer (SSL), an older encryption protocol. You've likely encountered TLS when you see the padlock symbol beside your browser's URL, indicating that the website connection is secure.

Another form of encryption is Advanced Encryption Standard (AES), which is used to protect stored data. For instance, many cloud storage services use AES to encrypt your files, requiring a decryption key (similar to a password) to unlock and access the original data.

For example, Dropbox highlights its usage of TLS and AES to secure your data:

Dropbox cloud storage security information

Pseudonymization replaces identifying information with artificial identifiers, including tokenization. For example, tokenization replaces sensitive information, like a credit card number, with a token such as "xxxx-xxxx-xxxx-1234." This process can be reversible, meaning the original data can be safely retrieved by converting the token back through a secure system.

Further, you must limit data access to only what's necessary for specific tasks:

  • Assign access rights based on employee roles
  • Periodically review and update access rights
  • Keep logs of data access and monitor for unusual activity

4. Establish Data Subject Rights Procedures

Implement processes to respond to requests related to personal data. For example, individuals may request a copy of all personal data your organization holds about them or they may ask for their data to be deleted. Other common requests include data correction (to fix inaccurate information) or data portability (to transfer their data to another service).

According to Article 12 of the GDPR, you need to fulfill these requests within one month of receipt. If requests are complex, you may prolong this period up to three months.

To demonstrate this procedure, LinkedIn has a dedicated section in its help center that guides users on how to access their data:

LinkedIn Download account data information

There are also additional considerations to protect data subjects' rights:

  • Implement an identity verification process to prevent unauthorized data disclosure (e.g., a multi-step verification process).
  • Maintain detailed logs of all requests and responses to uphold accountability and assist with auditing.
  • Clearly communicate the process for making these requests in your Privacy Policy and on your website.

5. Appoint Key Personnel

Under the GDPR, your organization needs to appoint a Data Protection Officer (DPO) if it:

  • Conducts extensive, regular surveillance of individuals (such as tracking online activities)
  • Processes large amounts of special categories of data or criminal data

The primary responsibilities of a DPO include:

  • Informing the organization and its employees about obligations under the GDPR
  • Maintaining compliance to GDPR standards and other laws governing data protection
  • Acting as the primary contact for data subjects
  • Cooperating with the supervisory authority

6. Review and Update Third-Party Contracts

When working with third-party vendors who handle personal data, consider implementing Data Processing Agreements (DPAs).

A DPA is a legally enforceable agreement between your organization (the data controller) and a third-party vendor (the data processor).

Here is an example of a DPA between HubSpot and its customers (organizations using HubSpot's services). It outlines how HubSpot processes personal data on behalf of its customers and mentions its use of third-party vendors, known as sub-processors, which handle data processing activities:

HubSpot Data Processing Agreement: intro section

The key elements of a DPA include:

  • The purpose and nature of data processing
  • A summary of responsibilities for both parties, including data security measures
  • How to handle data subject requests
  • The protocol for reporting data violations

You can develop a standardized template that covers all GDPR requirements, and continuously review and update existing vendor contracts to include these GDPR-compliant DPAs.

7. Manage International Data Transfers

When transferring personal data outside the EU, organizations must implement safeguards, such as:

  • Standard Contractual Clauses (SCCs), which provide legal grounds for data transfers.
  • Binding Corporate Rules (BCRs), which are company-wide policies that permit global corporations to share data internally, even with branches in non-EU nations.

For example, Salesforce has multiple ways to ensure protection of personal data:

Salesforce Cross-border security information

8. Maintain Detailed Records

Businesses must log its data processing operations to showcase compliance and assist with regulatory examinations. Key records include:

  • Data Processing Activities: Types of personal data, purposes, categories of data subjects, recipients, retention periods, and security measures
  • Consent Log: Records detailing the methods and timing of obtaining user consent
  • Data Breach Documentation: Details of breaches and responses
  • Data Subject Requests: Records of requests received and actions taken
  • Training Records: Information on staff training sessions

9. Implement a Consent Management System

Provide users with easy options to give or withdraw consent. Best practices include:

  • Implementing easily visible consent banners or pop-ups
  • Using clear language to outline the methods of data collection and usage
  • Providing simple toggles or checkboxes for consent options
  • Offering a straightforward process for users to withdraw consent

To demonstrate, Siemens provides a cookies consent banner with clear "Reject" and "Accept" options:

Siemens cookie consent notice

10. Create a Privacy Policy

A clear, detailed Privacy Policy should outline the information listed above, including how your business collects, uses, and protects personal data. It's also a way to provide transparency and inform users about their rights under the GDPR.

The first section should detail the types of personal data your organization gathers, such as names, emails, IP addresses, or payment information, and how this data is collected, whether through forms or cookies.

For example, Apple provides a breakdown of the personal data it collects in its Privacy Policy:

Apple Privacy Policy: Personal Data Apple Collects from You clause

The policy should emphasize the data subject rights as outlined in the GDPR, including the ability to access, correct, or request deletion of personal data.

Here is an example of how X outlines the type of information users have access to under GDPR:

X: How to access and download data page excerpt

Your business should also detail the lawful basis under which the data is processed (e.g., consent, legitimate interests, legal obligations, etc). For example, explain if you use consent for email marketing or legitimate interests for website analytics.

In addition, your company must also explain if personal data is shared with third-party service providers or transferred outside the EU. Be transparent about any safeguards in place, such as SCCs or BCRs.

For example, Meta summarizes its use of SCCs in its Privacy Policy, explaining how it relies on these clauses to transfer personal data outside of the EEA:

Meta Help Center: Standard Contractual Clauses section

Finally, your Privacy Policy should explain the security measures your organization uses to safeguard personal data. This could include encryption, pseudonymization, or role-based access control, as described above.

Your Privacy Policy should be posted on the footer of every page of your website, on your account sign-up pages, in consent forms, and your mobile app's menu or settings.

For example, Moneris links its Privacy Policy in its website's footer:

Moneris website footer with Privacy Policy link highlighted

11. Regular Review and Update

Maintaining GDPR compliance requires long-term monitoring and adjustments. Your business should:

  • Stay Informed: Subscribe to GDPR newsletters and official EU data protection websites and follow updates from your national data protection authority.
  • Conduct Regular Audits: Conduct regular DPIAs to identify and mitigate data protection risks.
  • Revise Documentation: Consistently assess and refresh Privacy Policies, consent forms, and data contracts.
  • Adapt to Changes: Implement changes in technology or business processes in response to new GDPR interpretations or court decisions.
  • Train Staff: Provide regular GDPR training for employees.
  • Monitor Emerging Risks: Stay alert to cybersecurity threats and protection issues.

What Penalties Occur if You Do Not Comply With the GDPR?

Organizations that fail to comply with data protection regulations can face financial penalties. As per Article 83 of the GDPR, these fines are categorized into two tiers based on the severity of the infringement:

Lower Tier Fines

  • Up to €10 million or 2% of worldwide annual revenue (whichever amount is greater)
  • Applies to less serious violations, such as failure to maintain records or not notifying authorities of a data breach

Higher Tier Fines

  • Up to €20 million or 4% of global sales for the year (whichever amount is higher)
  • Applies to more severe breaches, including violations of data subject rights or unlawful processing of personal data

There are also other enforcement actions that supervisory authorities can impose on non-compliant organizations:

  • Warnings and reprimands for infringements, including formal notices
  • Temporary or permanent suspension of data processing functions
  • Suspension of data transfers to third countries or international companies
  • Users impacted by GDPR infringements can pursue compensation for damages

Summary

The GDPR is an extensive EU law that strengthens personal data protection for individuals living in the EU. It impacts organizations globally that process EU residents' data, mandating strict security measures and explicit consent for data handling.

To comply with GDPR, your company must:

  • Conduct a Data Protection Impact Assessment (DPIA) to understand and document its data processing activities
  • Justify data processing activities with valid legal grounds
  • Implement security techniques (like encryption) to secure personal data
  • Create a dedicated system to manage data subject requests
  • Appoint key personnel, such as a Data Protection Officer (DPO)
  • Implement strong security standards for international data transfers
  • Maintain detailed logs of data processing activities

Failure to comply can result in severe penalties, including fines up to €20 million or 4% of global annual revenue. Regular audits, staff training, and adapting to regulatory changes are required to maintain GDPR compliance.