Table of Contents
No matter your industry, being a responsible business owner regarding consumer privacy is critical to success. We’ve often spoken about the importance of privacy compliance when collecting or sharing consumer data. More importantly, privacy rules can vary widely not just by country, but even by state here in the United States.
According to the United Nations, roughly 137 nations have some form of privacy legislation. Of those, the EU’s General Data Protection Regulation (GDPR) is considered one of the most stringent with very specific expectations for how any commercial entity collects, manages, and provides controls for consumer data gathered from its citizens. Having a GDPR compliance plan isn’t just a nice goal, it’s a requirement to avoid legal action.
In this post we'll tell you how to be compliant with GDPR. We start off by showing you how the GDPR defines personal data, followed by the important clauses you must be aware of to achieve GDPR compliance.
How the GDPR Defines Personal Data
As marketing gurus will always tell you, “data is king.” The EU is also acutely aware of this. More importantly, the EU wants to hold you accountable for how you collect it from people, as well as what you do with it, and how people can control what you do with their data. This falls under Article 4 of the GDPR which defines personal data.
What is Personal Data?
In truth, “personal data” has a broad definition as the term can apply to any information a commercial entity collects from an individual for processing. More specifically, this information would allow your business to explicitly identify that individual.
Case law supports this very broad definition as even in previous judgments, companies have found themselves under fire for how certain data was managed. This has included logging employee start and end work times, breaks, and IP addresses. Similarly, responses on tests or even someone’s private email correspondence falls within the personal data category. In the United States, logging clock-in and out times, or breaks might not be considered data that rises to the level of needing better protections. But, in the EU it does.
Of course, more traditional personal data is also included in this category. This can include but is not limited to:
- Physical address
- Email address
- Social security/personal identification number
- Banking/financial information
- Race or ethnicity
- Sexual orientation
- Professional or social affiliations (group memberships, political parties, etc)
- Health records
Who isn’t Covered by GDPR’s Personal Data Definition
All of the above only applies to anyone considered a living natural person. The GDPR doesn’t extend its personal data protections to legal entities like corporations, institutions, or foundations. The distinction is important because GDPR also doesn’t extend past a person’s natural life. If an individual dies, their information is no longer protected under the GDPR.
Data Privacy and GDPR
The biggest takeaway businesses should take from the GDPR’s stance on data privacy is that your firm needs to be transparent, compliant, consistent, and accessible. The old days of a Wild Wild West internet where businesses ran virtually unchecked, gathering data under one guise and then using it differently, are gone. Several of the GDPR articles are dedicated to the above tenets mentioned.
Article 12: Transparency and Communication
Not only does your business need to clearly define what data is being collected, but you also need to tell consumers how it’s being processed. Is it staying solely in-house, or do you plan to share it with trusted third parties? This is the key concern addressed in Article 12 of the GDPR.
Articles 13 & 14: When Collecting Personal Data
Throughout the entire data exchange process, commercial entities are expected to provide clear instructions for how the data is being collected, where it’s being processed and for what reason, who will have access to the information, direct contact for redress, and if this information is being shared either domestically or internationally.
Additionally, your firm must outline the timeframe for data storage, the consumer’s right to access their information, and where the information is being held. Finally, you also need to notify consumers if the data is a contractual requirement for engaging with your firm versus optional, as well as if any data is processed to render automated decisions and the methodology behind such practices.
All of the above is part of Article 13. For U.S. entities collecting data from EU citizens, the last caveat of international versus domestic sharing is a critical point. Along with the GDPR, there is an additional set of expectations known as the Trans-Atlantic Data Privacy Framework which further outlines the EU’s expectations for how EU citizens’ data is used when sent to foreign entities in the U.S.
While Article 13 refers to communications for data that are voluntarily supplied by a consumer, Article 14 covers the same concerns — but when that data isn’t shared directly by a consumer. This would apply to third parties that receive data from a commercial entity partner that did receive such information voluntarily. Simply put, third parties have the same expectations as listed in Article 13.
Article 15: Right of Access
American companies should be fairly familiar with this concept as it’s been heartily adopted by many state jurisdictions in the U.S. Article 15’s right to access means that consumers have the right to review any data you collect from them along with how a commercial enterprise is processing that information.
Similar to Article 13, entities need to outline:
- Why the information was collected
- The types of data being recorded
- The recipient(s), the expected timeline for data storage
- If that data is being used to render decisions (and why/how)
- The consumer’s rights to access, modify, or delete such information or usage plans.
Again, companies must be transparent regarding whether the data is being transferred to foreign entities, and provide a copy of such information as long as it doesn’t reveal the personal data of others.
Article 16: Right to Rectification
Mistakes can and do happen. Whether a consumer incorrectly entered their name or is using a service that relies on an accurate mailing address, your commercial enterprise needs to give them the right to access and amend those details. Article 16 outlines that such requests need to be handled promptly.
Article 18: Right to Restrict Processing
A major takeaway from the GDPR’s overall goal is that the international consortium believes that its citizens from participating member states have the right to control how their data is being used. Article 18 reiterates this by specifying in which scenarios a consumer can control how their information is processed.
Entities need to understand that Article 18 gives consumers the right to either prevent data from being processed (bullets 1, 2, and 4) or from being deleted (bullet 3). This includes:
- Inaccurate information — until the data can be corrected
- When processing is unlawful
- When personal data is no longer needed by the commercial entity but the data subject needs it for legal purposes
- When the data subject has refused to have their information processed
Article 20: Data Portability
Data portability refers to how easily a consumer can access their information. Article 20 reinforces Article 13 which defined a consumer’s right to receive a copy of the data that was collected. Article 20 takes it further by clarifying that such information must be provided in an easily legible machine-readable format. Likewise, consumers have the right to designate additional controllers (commercial entities) that can receive copies of that information.
Article 21: Right to Object
Article 21 further reiterates a mainstay of much of the GDPR’s data privacy expectations — that consumers have the right to say no to a commercial entity processing their data. The processor is expected to immediately cease activities once an objection is lodged.
Note that the GDPR is explicit regarding in which scenarios Article 21 applies. This includes:
- Direct marketing purposes
- Intelligence gathering services
- Scientific, historical, or statistical purposes
GDPR Consent Requirements
If it hasn’t been made clear yet, the EU and its GDPR guidelines are intended to ensure that data is only being given through consent and that consumers are thoroughly informed of the parameters by which their data is being used. As outlined through the various articles above, the EU is very explicit in its expectations for commercial enterprises when requesting, using, or sharing data from its citizens.
Although the concept of data usage consent isn’t new, it is slightly different than in the U.S., where opt-out tends to be the standard for actions such as data sharing or joining mailing lists rather than requiring an opt-in. While the EU doesn’t require that businesses obtain consent explicitly through an opt-in format, it does maintain that commercial enterprises must explicitly outline how they plan on using consumer data.
Article 6: Justifications for Data Processing
Explicitly, “consent” hinges on a commercial enterprise’s ability to meet the expectations of Article 12 and clarify in direct terms what data is being collected and why such information is necessary. Beyond getting a consumer to agree to share their personal data with your firm, your business must also meet what’s known as a legal base or justification for why that information is needed. This is mentioned in Article 6 of the GDPR.
The key justifications include:
- Satisfying a contract where the consenting consumer is a participant
- Legal requirements that rely on the consumer’s personal data
- Data processing for emergency purposes
- Data required for a public policy purpose
- An interest to process personal data (such as if a consumer wants to create an account with your retail store or online portal)
The final bullet point tends to be the most flexible option that gives businesses the most freedom. However, in some instances such as when collecting information from minors, such data access may automatically be prohibited.
Keep in mind that whatever reasons are provided for why the data is being requested needs to be strictly maintained. This means that a business cannot request consent to collect emails under the guise of only verifying that a person is real, and then begin using the emails for marketing outreach campaigns. Any usage that is outside of the original claimed scope of use will invalidate the consent and leave the business liable for a GDPR fine.
Also note that at any time, EU citizens have the right to amend or revoke consent. Although consent is technically indefinite from the time that a consumer gives it to a business, that individual has the right to change their mind. For example, if a person signs up for an account with your business using personal data and also agrees to let you target them with offers based on their location or interests, they have the right to later block your business from using their data to cater ads based on their personal data.
Likewise, at any point, they can choose to terminate their account with your company, and your business would need to take proper steps to responsibly dispose of their personal data.
GDPR Compliance with Cookie Banners
U.S. businesses are probably most familiar with cookie consent as it is one of the few internet data components that’s also heavily regulated at the state level in the U.S. Cookies are bits of data used to track consumers as they navigate through your website. They can be used for retargeting (such as sending customer emails related to an abandoned cart or product page) or even to understand traffic sources if you’re working with marketing partners or managing paid campaigns.
While the GDPR is very specific regarding how commercial enterprises must provide notice and manage data, it doesn’t heavily regulate cookie usage. Instead, this falls under the ePrivacy Directive which is a 2002 piece of legislation that was later updated in 2009. Informally known as the “cookie law” it defines the guidelines companies must use to specify what information is being collected, how it’s used, and what steps a consumer can take to access, amend, or delete their data.
The Cookie Law of 2002
Unsurprisingly, the Cookie Law led to a massive change in how cookie consent was managed in the EU via cookie consent pop-ups. After the passage of GDPR, these landing page pop-ups became a mainstay internationally as even foreign (non-EU) entities adopted this web integration to maintain compliance. Although essential cookies aren’t regulated under the ePrivacy Directive or GDPR, other types such as those designed for tracking, marketing, or retargeting are.
If you leverage cookies for anything other than the most essential of website needs, you need to:
- Receive consumer consent before deploying cookies
- Clearly explain how you’re using consumer data and what is being tracked
- Document that consent was given and store proof of receipt
- Still provide access to your website even if a consumer rejects cookie usage
- Provide an easy pathway for consumers to amend or cancel their consent after it’s initially given
Understandably, not every business owner is adept at managing cookie consent and storing proof, or handling data requests (DSARs). However, Enzuzo is a turnkey solution that helps you build a compliant cookie consent banner that integrates easily with most major ecommerce platforms as well as store consent logs and handle DSAR queries.
- Introduction: Include key legal business details, compliance with privacy regulations, and specific legal terms used in the policy
- Personal Data Collection and Use: State what information is being collected and if your business is also sharing data with third parties.
- How and Why Data is Being Used: This outlines the parameters of your data processing and for what purposes.
- Retention and Deletion: Tell consumers how long you intend to store their personal data and how you’ll responsibly remove or anonymize it.
- Children’s Data: If you collect data from minors, you’ll need to state so here and specify the age that qualifies as a child. If not, be clear that you don’t collect data from minors.
- Personal Data Rights: This is where you provide clear details for consumers to access, amend, or remove their information.
- Complaints: GDPR and other privacy laws require a dedicated internal contact to be listed for lodging consumer complaints. Likewise, you may also need to include the direct governing oversight authority for different jurisdictions.
- Contact Information: Finally, people need to have a way to contact your business whether to file a complaint or request access to their data. Failing to include this constitutes non-compliance.
GDPR’s Right to Be Forgotten: Data Erasure Policy
Access is a core principle of GDPR. In particular, consumers have the right to ask for a copy of the data they provide to your business, and for it to be deleted. However, in some specific cases, a company doesn’t have to comply with deleting personal data. The Right to Be Forgotten is covered in Article 17 and is a companion to Article 15 which gives consumers the Right of Access.
Consumers can request for personal data to be deleted from a business’ logs if:
- The data is no longer needed for processing
- The consumer withdraws consent or there are no legal grounds for processing the data
- The consumer objects to processing — thereby removing legal grounds to continue processing
- The data was unlawfully processed
- The data must be deleted to comply with EU or member state laws
- The data was collected for information society services
Once a request for data erasure is logged, a company needs to comply. This also includes informing third-party data-sharing organizations that personal data must be removed as well.
To stay compliant, your business will need a contact form option that gives consumers the ability to request for their data to be deleted or erased. Along with collecting contact information, you’ll also need to verify the individual’s identity, give them a space to outline what information needs to be deleted and why and receive consent that they are requesting such actions to be taken.
Overriding the Right to Be Forgotten
As we mentioned earlier, in some instances, the Right to Be Forgotten can be overridden. Usually, this is regarding freedom of expression or information, when complying with legal obligations, for purposes of public health or interest, or in the establishment of legal defense.
GDPR Compliance in Remote Work
Remote work is the new normal thanks to the COVID-19 pandemic, but it also raised major concerns regarding data privacy. Distributed teams can mean less overhead since you don’t need an office. But it can also present more opportunities for data breaches if people are working over unsecured networks or on unsecured devices.
To maintain compliance with GDPR and protect your business from costly data hacks, you need to prioritize cybersecurity. Ensuring that distributed staff are only sending and receiving data over encrypted networks is critical. Encryption software is available for desktop and mobile devices for PCs, Mac, and Android operating systems.
Don’t forget that unencrypted files, along with devices and networks that aren’t password protected represent easy entry points for potential hackers. This includes printers, anything connected to LAN or WiFi networks, and even mobile phones. Make VPN installation a requirement and if necessary, provide subscription support to ensure that every distributed worker is properly protecting their network and data.
Finally, remember that email phishing still occurs — along with malware. Make sure your employees are aware of the most common hacking attempts and remind them not to open emails from unknown senders or download programs from questionable websites.
GDPR Compliance Checklist
Being GDPR compliant hinges on providing proper notice of the types of personal data your business is collecting, how you intend to use it, and the methods consumers can reliably use to access, amend, or request for it to be deleted. Remember that this includes cookies too. If you don’t have an EU GDPR compliance officer in-house, then a consent management and data compliance service like Enzuzo is essential to staying in line with the directive’s expectations.
Still, creating an internal compliance checklist that reviews the following is a smart step to ensuring you’re compliant. Be sure that your business is:
- Transparent about the data being collected
- How data is being processed and which entities (both internal and external) are accessing it
- Legal justification for processing the data
- Properly protecting data for storage through encryption and an internal security policy to prevent unauthorized access
- Maintaining data security standards when sharing with third parties
- Appoint an internal lead that will oversee GDPR compliance
- Appoint a data protection compliance officer if necessary
- Providing easy access for consumers to access, review, amend, or request deletion of data and consent for processing
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.