GDPR took the internet by storm in 2018. You may remember that day when your entire inbox was flooded with privacy policy updates, or perhaps your business decided to expand its reach to the EU, and you were reminded that GDPR compliance had to be sound before beginning.
GDPR is the most impactful modern internet privacy law to pass in recent history. At its core, it is designed to protect internet users from exploitative data collection and breaches, and GDPR aims to give users more control over their information while forcing companies to adopt proactive data security and transparency habits.
We’re going to cover what any business owner, user, or marketer needs to know about GDPR. Consider this piece your foundation. Whether or not you choose to dig deeper will be determined by your needs.
Let’s get right to it.
What Is GDPR?
GDPR (General Data Protection Regulation) is a data protection law from the EU, and it’s dense — there are over eleven chapters and 99 articles. This can make it difficult for companies and users to understand, but its goal is to protect the personal data of users, modernize data collection, establish clear directives for data transparency, and give people more choice over what personal data they share.
GDPR is a replacement for the EU’s previous law, the Data Protection Directive (DPD), which was passed over two decades earlier in 1995. Think of GDPR as the modernization and expansion of DPD. DPD couldn’t have predicted the intricate and expansive ways data is used today, and it badly needed updating.
What Countries Does GDPR Apply To?
The law applies to any companies operating in or out of all EU member states and Ireland, Liechtenstein, Norway, and Switzerland.
Who Does GDPR Protect?
GDPR protects any of the users in the member states and additional countries. What’s important to note is that it protects those users regardless of whether the company targeting them is based in the protection zone or not. In other words, it protects users from any company worldwide that decides to do business with the users of those states.
Let’s look at that a bit more.
Who Has to Follow GDPR?
Any company that targets EU citizens must adhere to GDPR. That goes for companies based in EU countries but also any other company (including U.S. companies) who target or work with EU citizens in any internet-based capacity.
Let’s look at a few examples of companies that have to follow GDPR standards:
A U.S. eCommerce company using ads to retarget users from France.
A digital clothing company based in Brussels that collects information for shipping and fitting.
A digital subscription newsletter collecting email addresses in the EU.
Now, let’s look at a few examples of companies that wouldn’t have to follow GDPR standards.
A Brazilian coffee distributor selling bags on its own website, which is in Portuguese. Even if someone from the EU found it and bought from it, because the company isn’t actively pursuing EU citizens, it shouldn’t apply unless they were using advertising to bring EU users to their site.
A U.S. landscaping service that merely has their contact information on the site and doesn’t do any business in the EU. Because they aren’t collecting any EU user information, GDPR doesn’t apply. Any business that isn’t collecting or processing information in any form or fashion is exempt, although that is extremely rare.
Even though GDPR passed in May of 2018, companies have had since 2016 to prepare for GDPR. But even with that runway, following GDPR at first proved to be confusing and nebulous. Many companies struggled to understand exactly what was demanded of them, and many are still at risk of GDPR non-compliance.
Does Brexit Impact GDPR?
No. The UK government has decided to continue operating under GDPR law even after leaving the EU. In other words, treat the UK just like you would any other country protected by GDPR.
Now that we know the scope of GDPR, let’s talk more about what it protects: personal data.
What Personal Data Actually Means
Directly from the source, here is what GDPR means by “personal data”:
The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.
In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card, or personnel number of a person, account data, number plate, appearance, customer number, or address are all personal data.
That’s a complex way of saying any type of data that can be used to trace back to an identity is considered personal. This is purposefully broad — that way the law doesn’t need to be updated as often.
In modern practice, this includes data like:
Shipping information
Billing information
User behavior
Cookie data
Pixel Data
Purchase behavior
Name
Phone Number
Geographic data and history
Demographic identifiers
And more.
What Rights Do Users Have Because of GDPR?
GDPR gives additional privacy rights to users, and when these rights are violated companies can be held liable.
Here are the main rights users are guaranteed and that serve as the basis for GDPR compliance:
1. The Right to Be Informed
Users have the right to know what is and what will be collected by companies before the data is processed (collected).
2. The Right of Access
Users have the right to see any data that a company collects. This service must be delivered within a month and must be free.
3. The Right to Rectify (Correct) Information
Users have the right to submit a request to fix inaccurate data.
4. The Right to be Forgotten
Users have the right to withdraw their data consent and request that all data about them be deleted.
5. The Right to Restrict Data Processing
Users have the right to object to data processing and limit how their data is used.
6. The Right to Data Portability
Users have the right to collect their own data and have it delivered to them in a readable format that can easily be transferred to a different company.
7. The Right to Object
Users always have the right to object to specific data collection and marketing mechanisms that use that data.
8. The Right to Breach Disclosure
Users must be informed if their data has been breached within 72 hours.
For a complete list of user rights, here’s a direct link to the appropriate GDPR chapter.
It is the duty of the company to honor these rights effectively. The processes and practices companies have in place to honor these rights are the basis for GDPR compliance evaluation.
And as a user, you have these rights, so if a company is taking advantage of them, you have the full power to report them. Although in many cases a company (especially a small business) may not be aware, so reaching out to them first to talk about it before lawyering up is usually the best first step.
If it’s a major beach and you are whistleblowing, then you can file a complaint here.
What Happens if You Break GDPR?
GDPR stipulates that national authorities have the power to issue fines and limit data processing when GDPR regulations are breached.
According to the fines and penalties section of GDPR, severe violations can result in fines of up to 20 million euros OR up to 4% of the total global turnover of the preceding fiscal year, and smaller violations can still reach 10 million euros or 2% of global turnover.
The six biggest GDPR fines issued so far have been:
British Airways – 204.6m Euros
Marriott International Hotels – 110.3m Euros
Google Inc. – 50m Euros
Austrian Post – 18.5m Euros
Deutsche Wohnen SE – 14.5m Euros
1&1 Telecom GmbH – 9.5m Euros
Many of these fines were a result of breaches or failing to disclose exactly how companies would use user data when onboarding users.
And while GDPR fines tend to only make headlines when targeting big businesses, GDPR applies to all businesses, both small and large.
The point is, the EU is devoted to making GDPR a standard, and they have shown that they will hold businesses accountable to it.
How Are the Levels of Fines Determined?
There is a multitude of factors that determine how a fine is calculated, and the GDPR text outlines a few factors:
How widespread the damage is
What kind of personal information was released (in the context of a breach)
How quickly the company fixed it
The fidelity of the fix
The Intention of the violation
How prepared the company was for the violation
Was the company proactive in data protection practices?
Did the company cooperate effectively and quickly with all parties?
Did the company notify users of the damages as quickly as possible?
There are more specifics than these, but essentially the data protection board and officers in charge of issuing fines will be looking at how honest and proactive companies were before, during, and after a breach or violation. If at every step in the process a company was doing their best and had proof of that, then the fines will be lower. If the company clearly exhibited negligence, then the fines will likely be steeper.
In Practice: How to Approach GDPR Compliance
Companies must show good faith by achieving initial data compliance and then by incorporating GDPR principles into every part of their operation.
If you own or are in charge of GDPR for your business, then you need to make sure data collection is transparent, legal, and secure in every part of your business.
GDPR compliance must become a fundamental part of your operation. With every new product, you need to make sure data is being collected appropriately. GDPR compliance is about having a plan and devoting resources to actualizing that plan. If you are familiar with the world of PCI compliance in payment processing, GDPR compliance is somewhat similar.
In order to become officially compliant with GDPR, you may have to request a DPO (data protection officer) to oversee your data collection practices, although this is only necessary for companies processing large amounts of data OR if your company’s core business model relies on data collection.
Contrary to popular belief, decisive for the legal obligation to appoint a Data Protection Officer is not the size of the company but the core processing activities which are defined as those essential to achieving the company’s goals. If these core activities consist of processing sensitive personal data on a large scale or a form of data processing which is particularly far-reaching for the rights of the data subjects, the company has to appoint a DPO.
In other words, most businesses are fine simply following best practices for compliance, but if you fall under the definition above then you need to reach out and request a DPO.
GDPR compliance is ongoing and can only be the result of consistent effort. It is not a short checklist you can complete and move on. It must become fundamental and be a result of consistent, recurring tasks, and effort.
With this in mind, here are actionable guidelines you can incorporate to maintain GDPR compliance.
Core Guidelines of GDPR Compliance for Businesses
There is no perfect guide for GDPR compliance. It is a collection of efforts unique to each company designed to protect the privacy rights enshrined in GDPR. That being said, there are guidelines and best practices that are standardized across modern businesses.
Here are the major ideas of GDPR compliance, and then we will cover specific steps in the following section.
Data transparency, fairness, and lawfulness. Are you actively open and lawful with your data collection and storage?
Put limits on how and why you collect data. Do you have scheduled processes to remove old and unused data? How can you build the best product using the most specific and least demanding data collection practices?
Only collect the minimum necessary for your operation. If you don’t need it, then don’t collect it.
Devotion to data accuracy. How are you ensuring your data is clean and accurate for each individual?
Data security. How are you protecting against breaches? How does encryption play into your strategy?
Data deletion and portability. Can users easily delete their data? Can they request their data and then give it to someone else?
Data consent. Is your consent for data accessible and easy for users to understand? Is your service still usable without it? Are you transparent on what you collect and easily give users the ability to opt-out?
Privacy by design. Are safety and design fundamentally built into your product?
Data simplicity. Is it easy for users to understand what data you’re collecting? Can they collect for themselves and understand it?
These are the questions that make up a unique and effective GDPR compliance plan. The burden is on companies to build them into their own workflows.
6 Steps to Start Your GDPR Compliance Journey
It’s easy for GDPR to feel overwhelming. Here are a few ways for you to take action today.
Step 1: Start With an Analysis
Outline every aspect of your business that uses data and why. Examine how it’s collected and where it’s stored, and then make sure user rights are protected at every step. Clear opportunities to consent and opt-out must be present at every point.
Step 2: Create a Breach Contingency Plan
Your company must report a breach within 72 hours, and every minute that goes by after a breach will be scrutinized by officials. Make sure you have a specific plan to stop and disclose a breach.
Step 3: Log Everything You Do Around GDPR Compliance
As we said earlier, proof of ongoing effort toward GDPR compliance is critical to remain compliant and reduce fines. Create a centralized location for your efforts and log everything you do in detail.
Step 4: Ensure Partners Are Actively Working Toward Compliance
Even if a breach happens through third-party software, your business could be liable. It is your responsibility to evaluate the trustworthiness and security of your partners. Choose wisely!
Step 5: Create a Checklist for New Products, Operations, and Decisions
Anytime your business grows, makes a new product, or collects new data, it needs to be incorporated into your GDPR efforts. Make sure GDPR is in every conversation.
Step 6: Schedule Ongoing GDPR Training by Department
Make sure your tech teams, marketing teams, security teams, product development teams, and anyone else involved with data has scheduled GDPR training. This is one of the best bits of proof you can hand to data officers to show you have been proactive.
The Bottom Line on GDPR
The General Data Protection Regulation is the biggest modern user privacy law in existence. It is designed to make data security and fidelity the norm in companies and give users more agency over what data they give up and why — while also giving them protected rights to opt-out, remove, and object to any sort of data collection by internet companies.
While the GDPR can seem like a burden on businesses, it gets easier as you develop your own systems and is crucial to creating an internet ecosystem that users can rely on safely.
GDPR is an important step for user privacy, but there is so much more we can do.
GDPR is a good start, but it’s a band-aid for a flawed system. The best kind of internet is one where users have complete control over data and are compensated for it directly (and automatically). Companies make money from your data — why shouldn’t you?
See how Permission.io is making that dream a reality.