GDPR
The General Data Protection Regulation (GDPR) is the European Union's (EU's) latest data privacy and security law. It was adopted by the Council of the European Union and European Parliament on April 14, 2016, and came into effect on May 25, 2018. The GDPR superseded the EU's Data Protection Directive, which had been in effect since 1995.
Many consider the GDPR the most rigorous data protection legislation in the world. Although it is a European Union law, it affects all organizations worldwide that use personal data about EU residents. Failure to apply its regulations can result in harsh penalties.
In this article, we'll take an in-depth look at the GDPR. You'll learn who it applies to, what it requires, and how to ensure your business complies with it.
What is the GDPR?
The GDPR is a comprehensive set of rules that gives EU residents control over their personal data. Article 1 states its aim: "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."
The GDPR does this by strictly regulating how organizations process and store personal data collected from EU/EEA residents. It defines personal data as: "any information relating to an identified or identifiable natural person." Data processing is any operation involving personal data, from collection to storage and transmission.
This broad definition means the GDPR affects a wide range of businesses. The GDPR's 99 articles explain each party's rights and responsibilities and the penalties for breaching them. Organizations must implement clear policies and procedures to comply with the GDPR's requirements, which we will explore in more detail later.
Who does the GDPR apply to?
The GDPR may be an EU law, but its scope extends far beyond the EU's boundaries. It applies to:
- Organizations within the EU: All EU-based organizations processing personal data must comply with the GDPR, no matter where the data processing takes place.
- Organizations outside the EU: The GDPR applies if they offer goods or services, whether paid or free, or monitor the behavior of individuals in the EU. For example, the GDPR would apply to a company outside the EU that requires EU-based clients to complete an online form providing personal details to log into its website.
The GDPR applies to all EU member states. Although the United Kingdom has left the European Union, it has incorporated the GDPR into UK law. So, if your organization targets individuals in the EU or the UK, you must comply with the GDPR.
Key terminology
In addition to personal data and data processing, defined above, the following terms are crucial to understanding the requirements of the GDPR:
- Data controller: Any person or organization responsible for deciding why and how personal data will be collected (e.g., a government agency, bank, or hospital).
- Data processor: Any person or organization that processes personal data for a data controller (e.g., a bookkeeping service, payroll company, or marketing agency).
- Data subject: A person whose data is being processed (e.g., a customer or visitor to your website).
- Consent: Individuals must consent to the processing of their data. Consent must be freely given, specific, and informed.
- Special categories: Article 9 sets out seven special categories of personal data that have additional protection. These include data relating to political opinions, religious beliefs, and health.
- Data Protection Officer (DPO): In some circumstances, data controllers and processors must appoint a Data Protection Officer (DPO). The DPO is responsible for ensuring an organization complies with the GDPR.
What does the GDPR require?
Businesses that make decisions about the processing of personal data are considered data controllers. According to the GDPR Article 5 (1, 2), data controllers must comply with the following six fundamental principles:
- Process data "lawfully, fairly, and in a transparent manner":
  - Lawful: Organizations must have a lawful basis for collecting data
  - Fair: Your use of the data must not be detrimental or misleading for the data subject
  - Transparent: Data subjects must know what data you're collecting and why
- Collect data for "specified, explicit and legitimate purposes" and only process it in line with those purposes
- Minimize the amount of personal data collected and processed
- Hold data that is accurate, taking steps to ensure inaccurate data is erased or updated
- Store data that identifies data subjects for no longer than is necessary
- Ensure data processing is secure and protected from unlawful processing or accidental loss
Each business must seriously consider how to comply with the GDPR and take action to avoid violating its regulations.
How to comply with the GDPR
The following steps outline the action your business needs to take to comply with the GDPR.
Establish a lawful basis for data collection
Under Article 6 (1) of the GDPR, your business must ensure it has a legal basis for any data it collects or processes. Data processing is only lawful if it meets one of the six criteria in this article.
Additionally, special considerations apply to data related to children and special categories of personal data, as outlined in Articles 7-11.
Step 1: Information audit
Begin by conducting a data audit to determine what data your organization possesses and who has access to it. The audit should cover:
- The type of data your organization processes
- Why you are processing it
- Who in your organization has access to it
- Which third parties have access and their locations
- How you are protecting the data
- Your retention policy and how you plan to erase the data
Step 2: Assess data processing activities
Under Article 30, businesses with more than 250 employees must maintain records of all data processing activities. If your company has fewer than 250 employees, you may still be required to do this if your data processing is "likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data."
Step 3: Carry out a Data Protection Impact Assessment (DPIA)
A DPIA is essential if your business is involved in high-risk data processing. The risk may be higher due to new technologies, storage methods, or the nature of the data you are processing. Although a DPIA is not always required, it helps you identify risks and put measures in place to protect both the data and your business.
Step 4: Communicate transparently with customers
Your business must ensure that it clearly and simply informs customers that it is collecting their data and explains how it will use it.
For example, Amazon's Privacy Notice achieves this by explaining the different types of personal information it collects online and in its brick-and-mortar stores. It also clearly explains how it collects information (including links to examples) and uses third-party information to update the personal data it holds for you.
Implement data security protocols
Article 25 of the GDPR embeds the principle of data protection by design and default. This concept states that data protection is planned before any interaction with personal data and implemented at every stage of ownership.
Article 25 names two kinds of measures for achieving this: technical measures and organizational measures.
Technical measures may include:
- Pseudonymization
- Encryption
- Access controls
Organizational measures may take the form of:
- Appointing a Data Protection Officer (DPO) (if necessary)
- Training staff on data privacy
- Setting policies for access to data
- Establishing data retention policies
Businesses must also prepare for when a data breach is detected. Under Article 33 (2), data processors must immediately inform the data controller when they become aware of a breach.
The data processor then has 72 hours to alert the supervisory authority. A culture of transparency is necessary to ensure breaches are promptly reported and steps taken to mitigate the damage.
Establish checks and balances
Compliance with the GDPR never happens by chance. To embed the principle of "data protection by design and by default" within your organization, assign someone to ensure GDPR compliance. This person can be a Data Protection Officer (DPO). While they are not a requirement for many businesses, it may be wise to appoint one anyway to monitor GDPR compliance.
DPOs are a requirement for public authorities and organizations that meet the following criteria:
- Involved in large-scale or regular and systematic monitoring of personal data
- Handle “special categories of data and data relating to criminal convictions and offences”
- Process personal data as part of their core activities
Processing personal data as a core activity does not mean the organization does nothing else. It applies to businesses for which processing personal data is an inextricable part of their work. For instance, this would include hospitals, which cannot safely provide services without access to health data.
If your business uses third-party data processors, there are two critical steps to take:
- Investigate the data processor to ensure it can provide the right level of data protection
- Sign a data processing contract with the data processor establishing each party’s responsibilities
If your organization is based outside the European Union and is not a public body, you will need a representative within an EU member state. Your representative will communicate with the supervisory authority on your behalf.
Communicate effectively with customers
Articles 15-17 of the GDPR establish your customers' rights to access, rectify, and erase the data you hold about them. Article 18 also sets out when and how individuals can restrict the processing of their data. For full compliance, companies must make it easy for customers to exercise their rights.
This example from the Teijin Group Privacy Policy for GDPR clearly shows how it complies with the GDPR on customers' rights to access, rectify, and erase their personal data. It establishes clear steps for accessing data and highlights its complaints procedure.
Penalties for Not Complying with the GDPR
Breaching the GDPR can result in harsh fines for organizations. Each EU country's data protection regulator is responsible for administering fines. How much a business or non-profit must pay depends on 10 factors:
- Seriousness and type of breach
- Intention
- Steps taken to mitigate the impact
- Precautions taken
- History of infringements and compliance
- Cooperation with authorities
- Data category
- Notification of the authorities
- Certification
- Aggravating or mitigating factors
Fines
There are two levels of GDPR fines depending on the severity of the violation.
Tier 1: Less serious infringements could lead to a maximum fine of the higher of:
- Up to €10 million
- 2% of the previous year’s annual global turnover
Examples of tier 1 violations may include not appointing a DPO when required, failing to retain data processing records, or not having a data processing agreement in place. These violations tend to have limited negative consequences for individuals and do not pose a significant risk to data security.
Tier 2: Data protection regulators can levy fines of the higher of:
- Up to €20 million
- 4% of the previous year’s annual global turnover
In May 2023, Meta Ireland received the highest fine for a GDPR breach to date. The Irish Data Protection Commission (DPC) fined Meta €1.2 billion for Facebook data protection breaches. Specifically, the fine was for not taking sufficient measures to implement a judgment by the Court of Justice of the European Union (CJEU). Meta Ireland is planning to appeal.
Operational impact
Data protection regulators have the authority to conduct investigations. Organizations must prove they comply with the GDPR, which can be time-consuming and distract from normal business operations.
If they find evidence of GDPR breaches, regulators can force organizations to change how they handle personal data.
In the Meta Ireland example above, the company was required to stop transferring personal data to the US within 5 months of the judgment. Meta Ireland was also required to stop unlawfully processing and storing the personal data of EU/EEA users in the US within 6 months of the decision.
Litigation costs
Under Article 82 (1) of the GDPR, individuals and groups who suffer damage due to regulation infringements can pursue financial compensation. This applies to material damage, such as financial losses, and non-material damage, including reputation damage and emotional distress.
Non-compliance with the GDPR can result in expensive and drawn-out legal proceedings that divert resources from core business operations.
Reputational damage
Business relationships are built on trust. Disclosing to your customers or clients that their personal data was compromised due to a lack of compliance with the GDPR can cause serious damage to an organization's reputation. Customers may take their business elsewhere, and valuable word-of-mouth marketing may dry up.
Summary
The GDPR represents a fundamental shake-up of how organizations approach data protection, whether in the EU or beyond. The "Brussels effect" means the GDPR is already reshaping the way many countries tackle data security, with other jurisdictions debating legislation with similar requirements.
Key takeaways for businesses that handle EU-resident data include:
- Establishing a GDPR-compliant Privacy Policy
- Performing an information audit to ensure compliance with GDPR regulations
- Introducing enhanced internal protocols for data security
- Signing contracts with reputable data processors
- Training staff on GDPR compliance and reporting data breaches
Non-compliance is not an option, and fines, legal liabilities, and reputational harm are inevitable outcomes. By focusing on GDPR adherence now, organizations demonstrate their dedication to customer privacy, foster trust, and enhance their reputation.