If you are a business that collects or saves data about customers or website visitors who reside in any European Union country, then you fall under the EU’s jurisdiction — no matter where your business is located. Violating the GDPR can result in fines of up to 20 million Euros, which is why compliance is a serious matter for any business. To protect both your business and your customers, regularly review our GDPR compliance checklist (summarized below). Read our full article to learn more about the GDPR and other tips for avoiding violations that could destroy your business. If you’re running a business of any size, you can’t afford to be in the dark about this piece of legislation. Read on to find out everything you need to know to avoid running afoul of the GDPR.
What is the GDPR?
On May 25th, 2018, a new EU law was enacted that impacted how businesses process personal data. The General Data Protection Regulation replaced the 1995 Data Protection Directive 95/46/EC (DPA). The new law was in response to how technological and consumer expectations changed in the decades since the DPA went into force. The GDPR works to ensure the security of personal data. It does so by requiring websites to be transparent about data collection and to obtain consent from a website visitor before any collection takes place.
What rights do individuals have under the GDPR?
The GDPR refers to protected individuals as “data subjects” and to a person, business, or website that requests access to data as a “data controller.” Under the GDPR, data subjects have eight core rights:
While data subjects have the rights and protections under the GDPR, businesses have the burden to comply with the legislation for any information collected from data subjects.
What is the GDPR consent requirement?
Consent is one of the cornerstones of the GDPR, and businesses are the ones that must get (and be able to prove) consent. The consent requirement puts the user in control of how their data is collected and processed. Under the GDPR, consent must be clear and informed, specific, and freely given. Websites have long used cookies (tiny blocks of data a website stores on your device) to gather and store a visitor’s personal data for marketing and/or sharing with third parties. Before the GDPR, this collection was invisible to a website visitor. Under the GDPR, however, a website must now get permission first. That is why, whenever you visit a new website today, you get a pop-up message about cookies, as illustrated by the screenshot below.
The GDPR also strongly advocates for “granular consent.” This term refers to the various ways user data is going to be used, and to ensuring that the user gets to clearly choose which of those activities they wish to consent to. The GDPR also states that the use of a service should not be detrimentally affected if a user refuses to consent. In other words: a user cannot be punished (by blocking access to a website) for declining to consent to data collection. The GDPR goes a step further by also requiring a way to manage a user’s revocation of consent. This can be verbal (over the phone, for example) or digital (an email, for instance). One example of this is the inclusion of an “unsubscribe” link in every marketing email you get from a company. Businesses have to make it easy for a consumer to revoke consent.
Which Businesses are Affected by the GDPR?
The EU casts a wide net when it comes to which businesses must comply with the GDPR. If you collect, store, share, or do anything with the data of an individual from an EU state, you have to abide by the rules of the GDPR. It doesn’t matter where your business is located, either. Even if you’re based outside the EU, if you interact with EU residents, you’re covered by the GDPR. The legislation also applies to businesses of any size and any type.
GDPR and small businesses
GDPR applies to companies of all sizes, including single-person businesses. Yet even the drafters of this complex legislation recognized that small and medium-sized businesses (SMBs) would be overly burdened by a one-size-fits-all approach to the extensive requirements. To alleviate that, the GDPR carved out a few special concessions for SMBs with fewer than 250 employees. Smaller companies are not required to maintain records of processing activities unless those activities are a regular part of the business and concern sensitive data that could threaten a data subject’s rights. If your business falls within this category, it is still a good idea to understand and follow basic GDPR principles. At the very least, all SMBs should:
- Understand their GDPR responsibilities
- Understand their data
- Define a data consent policy
- Dispose of old data
- Store data securely
- Train staff how to properly handle data
- Handle subject access requests (SARs)
- Document how your business manages data
- Appoint a data protection officer (DPO)
What if my business is not in the European Union?
As noted earlier, the reach of GDPR is extensive. The law extends beyond the EU and includes your business if you interact with EU residents within an EU state. In practical terms, any business, anywhere in the world, falls within GDPR jurisdiction if they interact with anyone in an EU state. Find out which countries are part of the GDPR below.
What Types of Data Does the GDPR Affect?
The GDPR was designed to protect “personal data.” But what, exactly, does that phrase mean? The GDPR has created two classifications of personal data, and these are important to differentiate in your business, as they also relate back to the levels of expected protection. The two classes of data are:
1. Personal data (GDPR Article 4/1)
If you can identify an individual from any piece of data, it is deemed to be personal. Data that can be used to do this is known as an “identifier.” So, for example, this would include a name, address, and date of birth, as well as an online identifier like your IP address. Personal data also covers economic, cultural, or physiological information.
2. Sensitive personal data (GDPR Article 9)
It is important to differentiate between the personal data described above and “sensitive” personal data, as the GDPR has set out stringent rules to protect it. Sensitive personal data includes genetic data, biometric data, and data that describe life preferences, e.g., religion, racial or ethnic origin, and trade union membership.
What Happens if I Violate the GDPR?
The GDPR proved it isn’t messing around when it unveiled the possible fines for a data breach violation. To say non-compliance fines can be expensive is an understatement. Companies like H&M and Grindr have previously been hit with hefty fines for GDPR violations. There are two levels of fines enforced through the GDPR and its supervisory authorities. These are:
As you can see, the penalties for violating the GDPR are harsh. Sometimes they are even catastrophic for a business.
Does My Business Need a Data Protection Officer (DPO)?
One way to protect a business from a potential GDPR violation is by hiring a Data Protection Officer (DPO). This is an individual employed by your organization to advise on and carry out some of the duties concerning the GDPR. The DPO can be an employee or a consultant. For example, under certain conditions, the GDPR specifies that a Data Protection Impact Assessment (DPIA) must be carried out. A DPO can advise and help with this. The GDPR stipulates that you MUST use a DPO if any one of the following applies to you:
- You are a public authority or body
- You process data on a large scale
- You process “special category” data
Even if you don’t fall into any of the categories above, having the advice of a privacy specialist, like a DPO, can be useful in helping with how to apply the GDPR requirements.
List of Countries in the EU: Which Countries Does the GDPR Apply to?
By now, you are no doubt wondering which countries can ensnare you in GDPR compliance. Here’s a list of the countries that are part of the GDPR. Of course, the EU is a fluid entity. New countries are regularly joining the arrangement. Likewise, some members today may no longer be members tomorrow. Businesses must stay abreast of EU member developments to ensure GDPR compliance.
How did BREXIT impact the GDPR?
One very recent example of the fluid nature of the European Union is the UK’s withdrawal from the compact. BREXIT — the informal name for the move to free the United Kingdom from the European Union — finally went into force on January 31, 2020. On that date, England, Scotland, Wales, Northern Ireland, and their associated islands were no longer members of the EU. Although the UK is no longer part of the EU, the BREXIT withdrawal did not impact how the GDPR functions in any way. When the GDPR went into effect, the UK quickly adopted its own UK Data Protection Act in 2018 — which is still in effect today. The new law adopted the GDPR into national law and included almost all the original provisions, plus a few additions. Practically speaking, the only impact BREXIT had on individual data protection is which regulating authority will prosecute you for a violation.
How to Be GDPR Compliant
GDPR should not be thought of as a one-off tick-box exercise. Instead, it is a process of understanding the hows and whys of personal data processing in your business. A large part of GDPR involves documenting processes and mapping or classifying data. Besides complying with the GDPR, this can be a useful thing to do as a general security awareness exercise. As you assess your GDPR compliance, you may also spot security vulnerabilities. Fixing these will benefit your organization, your customers, and your clients. Ultimately, coming into compliance with GDPR may take some effort — but it will be worth it to avoid hefty fines and to show that your organization respects user privacy preferences.
A GDPR compliance checklist you can use today
Ensuring your compliance with the GDPR can be an overwhelming task. Having a GDPR compliance checklist to walk you through what you must address simplifies the process. Of course, GDPR compliance can get complicated, and there is no one-size-fits-all approach. How you comply with the GDPR depends on the size and complexity of your business. It is always a good idea to work with a professional to ensure full GDPR compliance and avoid hefty fines. But to get you thinking about GDPR compliance, here are the main areas to cover.
Staying Compliant with the GDPR
The EU’s General Data Protection Regulation laws can be a scary web of requirements for any business to navigate. But even so, the GDPR is not something to ignore. Business-destroying fines for violations show just how serious the European Union is about individual data protection in today’s highly online world. Whenever you engage with a resident of an EU state, no matter where your business is located, you have to comply with the GDPR’s requirements. Start with our GDPR compliance checklist to identify areas where you might need to strengthen your GDPR efforts. Whether required or not, appoint a Data Protection Officer. Finally, work with legal experts to ensure your business is compliant with the EU’s rules on data privacy and security. Read our full article to find out more about the GDPR, including ways to ensure you don’t violate this serious law.
- Understand their GDPR responsibilities, including how to report a data breach
- Understand their data
- Define a data consent policy
- Dispose of old data appropriately
- Store data securely
- Train staff how to properly handle data
- Incorporate a procedure for handling an individual’s request for the data you hold about them — known as a Subject Access Request (SAR)
- Document how your business manages data
- Appoint a Data Protection Officer (DPO), even if one is not required
- Personal data — any information that identifies an individual
- Sensitive personal data — genetic data, biometric data, and data that describes life preferences (e.g. religion, race, etc.)