The General Data Protection Regulation (GDPR) is a data privacy law that regulates the gathering, processing, and safekeeping of personal data for people within the European Union (EU) and the European Economic Area (EEA).
In this article, we will provide an overview of the GDPR, its applicability, an in-depth guide to achieving compliance, penalties for non-compliance, and more.
The GDPR is a privacy law implemented by the EU to ensure the security of personal data belonging to EU citizens and residents.
It took effect on May 25, 2018, and replaced the 1995 Data Protection Directive.
The GDPR reinforces individual control of personal data and simplifies regulations for all organizations serving the EU.
The GDPR mandates that businesses handling EU residents' personal data implement strict data protection measures and obtain explicit consent.
The GDPR applies to organizations within and outside the EU. Here's an overview of who's required to comply.
Under the GDPR, companies that process personal data of EU residents must comply with strict regulations regardless of their size or industry. This applies to the following:
The reach of the GDPR goes beyond European borders, extending to businesses worldwide that interact with EU residents. If your business collects EU residents' data, you may be subject to GDPR compliance. Non-EU organizations must comply with the GDPR if they engage in either of two primary activities:
Provide goods or services to EU residents. For example:
Monitor behavior of individuals in the EU. Here are two examples:
Intention is critical in determining GDPR applicability for non-EU organizations. The GDPR doesn't apply if you don't actively target EU residents. You are considered to be intentionally targeting EU individuals if you:
The GDPR requires your business to:
Below is a step-by-step guide for compliance.
Conduct a comprehensive data audit, known as a Data Protection Impact Assessment (DPIA), to document the personal data you collect, the reasons for collection, and the methods of processing. You will need to:
For example, Google's Privacy Policy states the reason for processing data:
Document the rationale for each processing activity. Article 6 of the GDPR explains six lawful bases, including:
Amazon uses consent as a lawful basis for sending marketing emails, advertising, transactions, etc., which it clearly states in its Privacy Notice:
As noted in Recital 78 of the GDPR, your company must integrate data protection into its business practices from the very beginning, including the following:
Two appropriate technical measures to ensure data security include encryption and pseudonymization.
Encryption transforms data into a coded format to protect against unauthorized access. A common application of encryption is Transport Layer Security (TLS), which secures data during transfer over the internet. TLS is the successor to Secure Sockets Layer (SSL), an older encryption protocol. You've likely encountered TLS when you see the padlock symbol beside your browser's URL, indicating that the website connection is secure.
Another form of encryption is Advanced Encryption Standard (AES), which is used to protect stored data. For instance, many cloud storage services use AES to encrypt your files, requiring a decryption key (similar to a password) to unlock and access the original data.
For example, Dropbox highlights its usage of TLS and AES to secure your data:
Pseudonymization replaces identifying information with artificial identifiers; one form of it is tokenization. For example, tokenization replaces sensitive information, like a credit card number, with a token such as "xxxx-xxxx-xxxx-1234." This process can be reversible, meaning the original data can be safely retrieved by converting the token back through a secure system.
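As an added example (not from the article and not any vendor's code), the following stdlib-only Python sketch puts the three techniques above side by side: irreversible masking for display, a keyed (HMAC-SHA-256) pseudonym for analytics that cannot be reversed without the key, and reversible tokenization through a token vault that only a permitted role may reverse, which also illustrates the access limitation discussed next. The names `TokenVault`, `luhn_valid`, `mask_pan`, `pseudonymize` and `DETOKENIZE_ROLES` are this example's own; the in-memory dictionaries stand in for an encrypted, access-controlled store, and the card number used is the public Visa test number, not real data.

```python
import hashlib
import hmac
import secrets

# Roles allowed to reverse a token (assumption for this example; in practice
# this would come from your IAM/RBAC configuration).
DETOKENIZE_ROLES = {"payments-settlement"}

# Key for keyed pseudonyms; in production it lives in a KMS/HSM, never in code.
PSEUDONYM_KEY = secrets.token_bytes(32)


def _digits(value: str) -> str:
    """Keep only digits so '4111 1111 1111 1111' and '4111-1111-1111-1111' compare equal."""
    return "".join(c for c in value if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers; also used below to reject look-alike tokens."""
    digits = [int(c) for c in _digits(pan)]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Irreversible display form, e.g. 'xxxx-xxxx-xxxx-1234', for receipts and UIs."""
    return "xxxx-xxxx-xxxx-" + _digits(pan)[-4:]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic, keyed, non-reversible pseudonym (HMAC-SHA-256).

    The same input always yields the same pseudonym, so records can still be
    joined for analytics, but without the key nobody can rebuild the mapping
    or verify guesses against a table of pseudonyms."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Reversible tokenization.

    A token is formatted like a card number (so legacy fields and reports still
    accept it) and keeps the real last four digits, but its other digits are
    random and it is guaranteed to FAIL the Luhn check, so it can never be
    mistaken for a real PAN. The token -> PAN mapping exists only inside the
    vault; the dicts here stand in for an encrypted, access-controlled store."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = _digits(pan)
        if not luhn_valid(digits):
            raise ValueError("input is not a valid card number")
        if digits in self._token_by_pan:            # same PAN -> same token
            return self._token_by_pan[digits]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(12))
            raw = body + digits[-4:]
            token = "-".join((raw[0:4], raw[4:8], raw[8:12], raw[12:16]))
            # Reject candidates that collide with an issued token or pass Luhn.
            if token not in self._pan_by_token and not luhn_valid(raw):
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Reverse a token; only callers holding an allowed role may do so."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"            # public test number, constructed input
    tok = vault.tokenize(test_pan)
    print("masked     :", mask_pan(test_pan))
    print("token      :", tok, "(Luhn valid:", luhn_valid(tok), ")")
    print("pseudonym  :", pseudonymize("alice@example.com")[:16], "...")
    print("detokenized:", vault.detokenize(tok, role="payments-settlement"))
```

The design point is that each representation serves a different audience: the mask goes to customers and support staff, the pseudonym to analytics where joins matter but identity must not, and the token to systems that need a stable reference; only the settlement role, going through the vault, ever sees the original number, which is exactly the "limit access to what the task needs" principle.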
Further, you must limit data access to only what's necessary for specific tasks:
Implement processes to respond to requests related to personal data. For example, individuals may request a copy of all personal data your organization holds about them, or they may ask for their data to be deleted. Other common requests include data correction (to fix inaccurate information) or data portability (to transfer their data to another service).
According to Article 12 of the GDPR, you need to fulfill these requests within one month of receipt. If requests are complex, you may prolong this period up to three months.
To demonstrate this procedure, LinkedIn has a dedicated section in its help center that guides users on how to access their data:
There are also additional considerations to protect data subjects' rights:
Under the GDPR, your organization needs to appoint a Data Protection Officer (DPO) if it:
The primary responsibilities of a DPO include:
When working with third-party vendors who handle personal data, consider implementing Data Processing Agreements (DPAs).
A DPA is a legally enforceable agreement between your organization (the data controller) and a third-party vendor (the data processor).
Here is an example of a DPA between HubSpot and its customers (organizations using HubSpot's services). It outlines how HubSpot processes personal data on behalf of its customers and mentions its use of third-party vendors, known as sub-processors, which handle data processing activities:
The key elements of a DPA include:
You can develop a standardized template that covers all GDPR requirements, and continuously review and update existing vendor contracts to include these GDPR-compliant DPAs.
When transferring personal data outside the EU, organizations must implement safeguards, such as:
For example, Salesforce has multiple ways to ensure protection of personal data:
Businesses must log their data processing operations to demonstrate compliance and assist with regulatory examinations. Key records include:
Provide users with easy options to give or withdraw consent. Best practices include:
To demonstrate, Siemens provides a cookies consent banner with clear "Reject" and "Accept" options:
A clear, detailed Privacy Policy should outline the information listed above, including how your business collects, uses, and protects personal data. It's also a way to provide transparency and inform users about their rights under the GDPR.
The first section should detail the types of personal data your organization gathers, such as names, emails, IP addresses, or payment information, and how this data is collected, whether through forms or cookies.
For example, Apple provides a breakdown of the personal data it collects in its Privacy Policy:
The policy should emphasize the data subject rights as outlined in the GDPR, including the ability to access, correct, or request deletion of personal data.
Here is an example of how X outlines the type of information users have access to under GDPR:
Your business should also detail the lawful basis under which the data is processed (e.g., consent, legitimate interests, or legal obligations). For example, explain whether you use consent for email marketing or legitimate interests for website analytics.
In addition, your company must explain whether personal data is shared with third-party service providers or transferred outside the EU. Be transparent about any safeguards in place, such as SCCs or BCRs.
For example, Meta summarizes its use of SCCs in its Privacy Policy, explaining how it relies on these clauses to transfer personal data outside of the EEA:
Finally, your Privacy Policy should explain the security measures your organization uses to safeguard personal data. This could include encryption, pseudonymization, or role-based access control, as described above.
Your Privacy Policy should be posted on the footer of every page of your website, on your account sign-up pages, in consent forms, and your mobile app's menu or settings.
For example, Moneris links its Privacy Policy in its website's footer:
Maintaining GDPR compliance requires long-term monitoring and adjustments. Your business should:
Organizations that fail to comply with data protection regulations can face financial penalties. As per Article 83 of the GDPR, these fines are categorized into two tiers based on the severity of the infringement:
There are also other enforcement actions that supervisory authorities can impose on non-compliant organizations:
The GDPR is an extensive EU law that strengthens personal data protection for individuals living in the EU. It impacts organizations globally that process EU residents' data, mandating strict security measures and explicit consent for data handling.
To comply with GDPR, your company must:
Failure to comply can result in severe penalties, including fines up to €20 million or 4% of global annual revenue. Regular audits, staff training, and adapting to regulatory changes are required to maintain GDPR compliance.