GDPR
The General Data Protection Regulation (GDPR) is the data protection and privacy law of the European Union (EU). It applies to the processing of "personal data": any information relating to an identified or identifiable natural person.
The GDPR is often considered the toughest data privacy law in the world, so it is important that your business understands what it requires. This article provides an overview of:
- Whether the GDPR applies to your business
- Practical guidance on how your business can ensure compliance
- Penalties for non-compliance
Who Does the GDPR Apply to?
The GDPR applies to you if:
- Your business is established in the EU, or
- Your business is established outside of the EU and one of the following two scenarios applies:
  - Your business intentionally offers goods or services to individuals in the EU, whether or not they are EU citizens. For example, if you operate a business in the US and you ship to EU addresses, provide an EU-language version of your site or accept payment in Euros, these are indications that you are targeting the EU market and the GDPR is likely to apply, or
  - Your business monitors the behavior of individuals in the EU. For example, if your business uses tracking cookies, device fingerprinting or IP-address-based profiling of visitors located in the EU, the GDPR will apply.
As you can see, it is very easy for your business to be operating within the scope of the GDPR, even if it is not based in the EU. Even if the GDPR does not apply to your business it may still be worth complying, as the GDPR serves as a model for regulations in other jurisdictions, including in the US.
What Does the GDPR Require?
The GDPR requires:
- Having a compliant Privacy Policy displayed to the public
- Compliance with the principles of the GDPR
- Processing data only when you have a lawful basis to do so
- Honoring data subject rights granted by the GDPR
- Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing
- Notifying the supervisory authority and, where the risk to individuals is high, the affected users of a personal data breach
- Implementing data protection by design and by default
- In some cases, appointing a Data Protection Officer (DPO)
- Ensuring international data transfers rely on a valid transfer mechanism
The next section will provide specific examples of how your business can meet these requirements.
How to Comply with the GDPR
Have a Compliant Privacy Policy
The most important action your business needs to take is ensuring it has a GDPR-compliant Privacy Policy. This Privacy Policy needs to be written in plain language (no complicated legal terms) and easily accessible to the public.
Articles 13 and 14 of the GDPR list the specific information you must provide, and therefore the clauses your Privacy Policy needs to be compliant. In summary, your Privacy Policy should at least address:
- The identity and contact details of your business (and of your DPO, if you have one)
- The types of personal data your business collects
- Your business' lawful bases for collecting the data
- How, and for what purposes, the data will be processed
- How long the data will be retained for
- With whom the data is shared, including any transfers outside the EU
- How your business will protect the data
- Your users' rights, how they can exercise them, and their right to lodge a complaint with a supervisory authority
Comply With the Principles of the GDPR
The GDPR requires compliance with the following protection and accountability principles outlined in Article 5:
- Lawfulness, fairness and transparency - Processing must be lawful, fair, and transparent to the person whose data you are collecting (known in the GDPR as the data subject). Maintaining a GDPR-compliant Privacy Policy will help achieve this.
- Purpose limitation - Your business must only collect data for specified, explicit and legitimate purposes, and must not further process it in a way that is incompatible with those purposes. These purposes must be specifically identified in your business' Privacy Policy.
- Data minimization - Your business should only process data which is adequate, relevant and necessary for the legitimate purposes specified in your Privacy Policy.
- Accuracy - Your business must keep personal data accurate and up-to-date.
- Storage limitation - Your business may only store personal data for as long as necessary for the legitimate purposes outlined in your Privacy Policy.
- Integrity and confidentiality - Your business should make sure that processing is done in a way which ensures appropriate security. This should be done using both technical and organizational measures.
Your business is responsible for being able to demonstrate compliance with all of the principles outlined above. This is known in the GDPR as the principle of accountability.
Process Data Appropriately
Your business should not process personal data in any way unless you have one of the following lawful bases to do so, as outlined in Article 6:
- The data subject has given you specific consent. We will discuss the level of consent required below.
- Processing the data is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering into a contract. For example, processing a customer's delivery address in order to fulfil their order.
- Your business has a legal obligation to process the data. For example, a law requires you to retain certain records, or a court orders you to deal with personal data in some way.
- Processing is necessary to protect the vital interests of the data subject or of another person, for example to save someone's life.
- Processing the data is necessary to perform a task in the public interest, or you have a legitimate interest in processing someone's data which is not overridden by the interests or fundamental rights of the data subject. Relying on legitimate interests requires you to carry out and document this balancing test. The public interest and legitimate interest bases are the most complicated justifications for processing data, and it may be in your business' best interests to seek legal advice before relying on one of them.
Your business' bases for processing data must be clearly communicated to your users in the Privacy Policy.
Consent will only be a valid basis for processing data if:
- The consent is "freely given, specific, informed and unambiguous." This means your business cannot pressure the individual into providing consent, and cannot make access to a service conditional on consent to processing that the service does not need.
- The request for consent is "clearly distinguishable from other matters" and written in "clear and plain language." This means that the request for consent cannot be hidden amongst other complicated legal terms.
- The consent has not been withdrawn. Users must be able to withdraw consent as easily as they gave it. If consent is withdrawn, you must stop processing their data for that purpose; processing carried out before the withdrawal remains lawful.
- If the user is a child below the age of 16 (EU member states may lower this threshold to as low as 13), the consent is given or authorized by a parent or guardian.
- Your business keeps a record that allows it to demonstrate when, how and to what the user consented.
- The consent is specific to the relevant processing purpose, and is the result of a clear, deliberate action from the user, such as ticking a checkbox or clicking an 'I Agree' button. Pre-ticked checkboxes, silence, inactivity or a statement that consent is assumed do not constitute valid consent. Consent given for one purpose (for example, marketing emails) does not cover another (for example, profiling).
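The consent conditions above translate into a small amount of engineering: consent has to be recorded per purpose, only an affirmative act may create it, withdrawal has to be as easy as granting, and the record has to show what the current state was at the time a given processing step ran. The following consent ledger is an added example written for this article, not code from any GDPR text or vendor product; the field names, the `(subject_id, purpose)` keying and the free-text `evidence` field are assumptions about how a controller might structure its own records.

```python
"""Per-purpose consent ledger (constructed example, not from the article).

Assumptions: consent is keyed by (subject_id, purpose); the most recent event
for a purpose decides its state; `evidence` is free text recording how the
affirmative act was captured (form, checkbox label, unsubscribe link, ...).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific processing purpose, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # UTC timestamp of the event
    policy_version: str   # which Privacy Policy text the subject was shown
    evidence: str         # how the act was captured, kept for accountability


class ConsentError(Exception):
    """Raised when an action would not produce, or is not covered by, valid consent."""


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []   # append-only audit record

    def grant(self, subject_id: str, purpose: str, *, policy_version: str,
              evidence: str, affirmative_act: bool,
              at: Optional[datetime] = None) -> ConsentEvent:
        """Record consent for ONE purpose. Pre-ticked or assumed consent is refused."""
        if not affirmative_act:
            raise ConsentError(
                f"consent for {purpose!r} requires a clear affirmative act by the subject")
        ev = ConsentEvent(subject_id, purpose, True, at or _now(), policy_version, evidence)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, *, evidence: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Record withdrawal; no policy version is needed to withdraw."""
        ev = ConsentEvent(subject_id, purpose, False, at or _now(), "n/a", evidence)
        self._events.append(ev)
        return ev

    def is_permitted(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """True if the latest event for (subject, purpose) as of `at` is a grant.

        Passing a past `at` lets an audit confirm that processing which ran at
        that time was covered by consent, even if consent was withdrawn later.
        """
        when = at or _now()
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= when:
                # '>=' so that a later-recorded event wins on equal timestamps
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for a subject; what you would hand over on an access request."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def process_if_permitted(ledger: ConsentLedger, subject_id: str, purpose: str,
                         action: Callable[[str], object]) -> object:
    """Gate a processing step on current consent for its specific purpose."""
    if not ledger.is_permitted(subject_id, purpose):
        raise ConsentError(f"no valid consent from {subject_id!r} for {purpose!r}")
    return action(subject_id)


def demo() -> dict:
    """Constructed walk-through: grant, check another purpose, withdraw, reject pre-ticked."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    ledger.grant("user-42", "marketing_email", policy_version="2024-01",
                 evidence="ticked 'Send me offers' on /signup", affirmative_act=True, at=t0)
    before = ledger.is_permitted("user-42", "marketing_email", at=t0 + timedelta(days=1))
    other_purpose = ledger.is_permitted("user-42", "profiling")   # never consented
    ledger.withdraw("user-42", "marketing_email", evidence="clicked unsubscribe link", at=t1)
    after = ledger.is_permitted("user-42", "marketing_email", at=t1)
    try:
        ledger.grant("user-42", "profiling", policy_version="2024-01",
                     evidence="pre-ticked box on /settings", affirmative_act=False)
        rejected = False
    except ConsentError:
        rejected = True
    return {"before_withdrawal": before, "other_purpose": other_purpose,
            "after_withdrawal": after, "preticked_rejected": rejected,
            "events_recorded": len(ledger.history("user-42"))}


if __name__ == "__main__":
    print(demo())
```

The point of the `at` parameter in `is_permitted` is the accountability principle: when a user later withdraws consent or raises a complaint, the ledger can show that a particular mailing or profiling run was covered at the moment it happened, and the append-only event list doubles as the record you would disclose in response to an access request.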
Honor the Data Subject's Rights
If your business infringes on any of your users' rights provided for by the GDPR, it will be non-compliant with the GDPR and may be subject to penalties. Below is a brief summary of some of these rights:
- Right to be informed: Data subjects have the right to be provided with information about your data processing activity. This is achieved by having a Privacy Policy which is easily accessible to the public.
- Right of access: Under Article 15, individuals have the right to ask for information about your business' processing of their personal data, and to request a copy of the data your business is processing. This is called a Subject Access Request.
- Right to rectification: If any of the data you process is inaccurate, Article 16 says that an individual has the right to ask you to correct it. A good way to do this may be to allow the user to update the data themselves (for example, through a profile settings page).
- Right to erasure: There are certain circumstances outlined in Article 17 of the GDPR in which your business may have to erase an individual's personal data. This is commonly known as the "right to be forgotten." If you no longer have a lawful basis for processing the data or you no longer need the data for the purposes it was collected, the data subject has the right to request that you delete their personal data.
- Right to restrict processing: Article 18 of the GDPR gives individuals the right to request that you stop processing their data in a particular way.
- Right to data portability: Article 20 of the GDPR provides that an individual may request a copy of their personal data so that they can take it to another organization.
- Right to object: Article 21 of the GDPR says that an individual has the right to object to your processing of their personal data. While you can overrule this objection if you have a legitimate reason for processing, this does not apply if the individual objects to direct marketing. If an individual objects to your business' direct marketing activities, you must immediately stop processing their data for this purpose.
- Rights in relation to automated decision making and profiling: Article 22 gives the data subject the right not to be subject to a decision based solely on "automated processing" which produces legal or similarly significant effects on them, subject to exceptions.
If your business receives a request made in relation to any of the above rights, you must take action and respond to the user "without undue delay" and in any case within one month of receiving the request. This can be extended by a further two months if the request is particularly complex or you receive many requests, provided you inform the user of the extension within the first month.
These rights must be clearly communicated to your business' users through your Privacy Policy.
Conduct Data Protection Impact Assessments
If your business processes data in a way that is likely to pose a high risk to the rights and freedoms of your users (for example, large-scale profiling or processing of special categories of data), Article 35 requires you to conduct a Data Protection Impact Assessment (DPIA) before the processing starts. A DPIA describes the processing and its purpose, assesses its necessity and proportionality, identifies the risks to individuals, and documents the measures you will take to reduce them. If the DPIA shows a high residual risk that you cannot mitigate, you must consult the supervisory authority before proceeding.
Handle Data Breach Notifications
If a personal data breach occurs, Article 33 of the GDPR provides that your business must notify the data protection regulator (the supervisory authority) in the relevant EU member state without undue delay, and where feasible no later than 72 hours after your business becomes aware of the breach, unless the breach is unlikely to result in a risk to individuals. If you miss the 72-hour deadline, the notification must explain the delay. You must also keep an internal record of every breach, including those you decide not to report. If your business processes data on behalf of another organization (i.e. it is a processor), it must notify that organization without undue delay.
If the breach is likely to result in a high risk to the rights and freedoms of your users (for example, because the data is sensitive or could enable fraud), Article 34 requires you to notify the affected users as well, without undue delay.
Implement Privacy by Design
Your business must consider data privacy and security at all stages of the business process, from the design of a new system onwards. Article 25 describes this as "data protection by design and by default": privacy measures must be built in from the start rather than considered only retrospectively, and the default settings of your systems must process only the personal data necessary for each purpose.
Security must be achieved using both "technical and organizational measures" (Article 32). Technical measures are those built into your business' IT systems, such as two-factor authentication, encryption, pseudonymisation, access controls and the ability to restore data after an incident. Organizational measures relate to the way your business operates, such as having a compliant Privacy Policy, access-management policies and conducting regular staff training.
Appoint a Data Protection Officer (DPO)
Under Article 37, your organization is required by the GDPR to appoint a DPO if any of the following three circumstances apply:
- Your organization is a public authority or body (e.g. government, law enforcement, courts, higher education institutions or publicly owned companies), except for courts acting in their judicial capacity,
- Your organization's core activities consist of "regular and systematic monitoring of data subjects on a large scale." Examples of systematic monitoring are actions like location tracking, CCTV surveillance and behavioral advertising, or
- Your organization's core activities consist of large-scale processing of special categories of data (e.g. on race, religion, sexual orientation, political opinions or health) or of data relating to criminal convictions or offenses
You may choose to appoint a DPO even if you are not required to. Appointing a DPO could assist your organization with its accountability for compliance with the GDPR. The DPO's responsibilities include:
- Monitoring your organization's compliance with the GDPR
- Providing independent advice to your organization's leadership and staff on their data protection obligations
- Cooperating with the relevant authorities
- Conducting DPIAs
Do International Data Transfers in a Compliant Way
If your business is required to transfer personal data outside of the EU (or the wider European Economic Area), Chapter V of the GDPR states that your business must:
- Use one of the following mechanisms:
  - An adequacy decision, where the European Commission has decided that the destination country provides an adequate level of protection
  - Standard Contractual Clauses (SCCs) approved by the European Commission
  - Binding Corporate Rules (BCRs) for transfers within a corporate group
  - One of the derogations in Article 49, such as the data subject's explicit consent to the transfer, which are intended for occasional transfers rather than routine ones
- Disclose your international data transfer practice in your Privacy Policy (including which of the above mechanisms your business is using).
Following the Court of Justice of the EU's Schrems II judgment in 2020, relying on SCCs or BCRs also requires you to assess whether the law of the destination country undermines the protection the clauses provide, and to put supplementary measures (such as encryption with keys held only in the EU) in place where it does.
Penalties for Not Complying With the GDPR
There are "two tiers" of GDPR fines.
The less serious instances of non-compliance (for example, failing to keep records of processing, to notify a breach or to conduct a required DPIA) could result in a fine of up to €10 million, or 2% of your business' worldwide annual turnover for the preceding financial year, whichever amount is higher.
The more serious breaches (including those relating to the data subjects' rights, the conditions for consent, international transfers or the principles outlined in Article 5 of the GDPR) could result in a fine of up to €20 million, or 4% of your business' worldwide annual turnover for the preceding financial year, whichever amount is higher.
The size of any fine will be determined by the data protection regulator from the relevant EU country depending on the severity of the breach, after taking into consideration factors such as the gravity and nature of the breach, intention, mitigation and history of compliance.
Summary
The GDPR is a clear indication from the EU of the importance it places on protecting its citizens' and residents' data privacy and security. As a result of this, it places extensive obligations on organizations who process personal data.
This article is designed to ensure that your business understands the following:
- The GDPR can apply even if your business is established outside of the EU.
- If the GDPR applies to your business, to comply you must be aware of your business' obligations and your users' rights.
- There are severe penalties for non-compliance with the GDPR.
You should be aware that this is only a brief summary of what we consider to be the key provisions of the GDPR. Your business should seek legal advice from an attorney about how you should ensure compliance, specific to your business operations.