GDPR Explained: What is it and Why is it Important for Your Business
Table of Contents
Data privacy laws can be confusing and hard to keep up with, but we're here to help. The GDPR is one of the strictest and most widely-applicable laws, impacting almost 450 million residents of the EU. Understanding it and applying it to your business is critical.
In this GDPR guide, we will explore the key elements of the law and its implications both for businesses and individuals. We will also discuss why it is important for organizations to take GDPR seriously and implement measures to ensure compliance with the regulation.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation implemented by the European Union (EU) in May 2018, aimed at strengthening and standardizing data protection laws for individuals within the EU. It replaces the 1995 EU Data Protection Directive and applies to any organization, whether based in the EU or not, that processes the personal data of EU citizens.
The GDPR sets strict rules for handling personal data and gives individuals more control over their personal information. It also introduces significant fines for non-compliance, which can be up to 4% of a company's global annual revenue or €20 million (whichever is greater). This makes compliance with GDPR a crucial consideration for any organization that processes the personal data of EU citizens.
Where Does the GDPR Apply?
The GDPR applies to both businesses that are incorporated in Europe and those that provide goods or services to EU residents. Hence, an American corporation that sells products or services to customers in the EU or processed their personal information is liable under GDPR regulations as much as a German firm that sells only to domestic consumers.
Any international business like e-commerce websites, SaaS platforms, or global distribution companies is required to be GDPR compliant. It's also possible that the business needs to comply with other privacy laws too, such as Brazil’s LGPD, Canada’s PIPEDA, and California’s CCPA.
How Does the GDPR Define Personal Data?
Personal data can mean different things to different people. Under the GDPR, personal data refers to any information that relates to an identifiable individual. Some examples of personal data include:
- Email address
- Date of birth
- Race, gender, or religious beliefs
- Mailing address or billing address
- Payment information or credit card details
- Biometric data
- Healthcare records
- IP addresses and device information
The Roles of a Business Under GDPR
Almost every company uses personally identifiable information (PII) in some way. Whether your business collects personal details to complete an order or add a customer to a loyalty program, it's processing PII and therefore needs to be compliant with GDPR.
Under the European privacy law, different responsibilities for data controllers and data processors set the scope for use of personal data and those that process it.
Put simply, data controllers are the people that make decisions around personal data. They decide which data is collected, and what it will be used for. Most organizations have data controllers to shape how data is collected and processed in line with your business objectives.
Being a data controller puts stronger requirements on you within the scope of GDPR. Not only do you have to make sure your own organization is compliant, but you need to make sure that your data processors are too. This means you need to think carefully about which subcontractors, freelancers, agencies, or partners you work with — and which software and tools you use for data processing activities.
Data processors work with personal data, but don’t have the decision-making power over how that data is used. This most often applies to people that process personal data as part of work for a client, where they carry out tasks but under the directive of another organization. This dummies guide to GDPR has more information about data processors below.
Finding a Legal Basis for Processing Data
One of the main pillars of the GDPR is that organizations need to demonstrate a legal basis for data collection and data processing. This means they can’t just use personal data for any means — they need to show a genuine reason for doing so.
The six legal bases for processing personal data under the GDPR are:
- The data subject has given consent to the processing of their personal data for a specific purpose.
- Processing is necessary in order to carry out a contract or to take steps before entering a contract, at the data subject’s request.
- Processing is required in order to meet legal obligations.
- Processing is necessary in order to protect the vital interests of the data subject, or of another natural person.
- Processing is required to facilitate the performance of a task carried out in the public interest, or in the exercise of official authority.
- Processing is necessary for the purposes of legitimate interests. This only applies where that necessity isn’t overridden by the rights or freedoms of the data subject, for example, if that person is a child. This basis doesn’t apply to the processing of data by public authorities.
Of these bases, the most popular option and the easiest to obtain is consent. Under the GDPR, consent should be given freely, and be specific, informed, and unambiguous. The consent should be communicated through a clear statement or agreement. It’s best to use plain language and avoid jargon, to satisfy the requirements around users being informed.
In some cases, providing consent will look like signing a contract with a clear, descriptive statement about how data is processed. At other times, it could be as simple as ticking a box when signing up for an email newsletter — provided it’s clear how that data will be used. Note that this consent still needs to be for a specific purpose, so you can’t use it as a “catch-all” way to use personal data for any reason.
Your Customers’ Rights Under GDPR
The GDPR law introduced a whole host of new rights to people across the EU. It’s given them more power than ever to control how their personal information is collected, used, stored, transferred, and corrected.
Understanding your users’ and customers’ rights can help you to put processes in place that help you stay compliant. Here are the eight rights that EU citizens can exercise under the GDPR.
1. Right of Notification
This right is all about giving people the information they need to make sensible decisions about their own personal data. Your users need to be informed of how their data is collected and processed. They also need to understand their options and rights around how to provide or withdraw consent, make challenges, or make changes to the data you hold on them.
2. Right of Access
Your users have the right to access personal data that you’ve collected. Customers need to have the opportunity to view their data and ask questions directly around how it’s processed — such as which categories are involved and who can access this data. Often someone will exercise their right of access if they intend to pursue another right, such as the right to object or restrict processing.
3. Right to Rectification
This simple right gives customers the opportunity to make updates to the personal data information you’ve collected. Not only does it give users the confidence that you hold up-to-date information on them, but it means that your records are more accurate as a result.
4. Right to Restrict Processing
Users can now exercise their right to restrict processing (often referred to as the right to withdraw consent) for any purpose, even if consent was initially given. Upon this withdrawal, your business will no longer be able to access their personal data.
5. Right to Object
This key right gives users the opportunity to object to the processing of their personal data. While it may sound similar to the right to restrict processing, it’s much harder for companies to deny compliance with. To do so, they must demonstrate that they have legitimate interests that override the interests and freedoms of the user — or to establish, exercise, or defend a legal claim. The right to object gives people an easy way to break the relationship with an organization — for example if they no longer wish to remain on an email marketing list.
6. Right to Refuse Automated Decision Making
In some cases, organizations use automated decision-making or processing to carry out a task — for example, to evaluate someone’s loan or profile them for a mortgage application. With this right, EU citizens can deny this automated processing and request that a manual decision be made instead. While this may be more time-intensive, it provides a way for citizens with non-standard situations or requests to get a fairer decision.
7. Right to Erasure
At times, customers will want to end a relationship with an organization or business. The right to erasure, also known as the right to be forgotten, gives them the opportunity to request the deletion of any data held on them. In some cases, this right can be overridden, for example, to comply with legal requirements around how long data is stored for.
8. Right to Data Portability
Instead of asking for their personal data to be deleted, EU citizens can instead invoke their right to data portability. With this right, they can ask for their personal data to be transferred to another organization, or back to themselves. This makes it easier for people to move between providers, and helps to reduce some of the friction between doing so. These data transfers should happen in a machine-readable format to make things easier for all parties.
GDPR Data and Privacy Compliance
Understanding what the GDPR is and how it works gives you the foundation you need to make sure your business processes and documentation are compliant.
In this section, we’ll take you through how you can manage GDPR compliance with these key data protection principles — and the risks involved if you don’t. This guide to GDPR compliance will discuss things like the role of a data processor and how to protect personal data.
- Your identity
- Why you process data
- How you collect and process data
- The categories of data you collect and/or process
- How user data is shared, if at all
- Data subject rights
- How users can submit data subject requests
- Data retention period, if applicable
- Information on data transfers to third parties outside the EU
- Your Data Protection Officer’s name and contact information, if any
- Information on the collection and/or processing of children's data, if any
Data Protection Impact Assessments
One way to help manage compliance across your business is to undertake a Data Protection Impact Assessment (DPIA). This provides an overview of the data collected, how it’s used, the scope, the associated risks, and how those risks will be managed.
Having a DPIA isn’t a legal requirement unless your operations are considered high risk. Examples of this include where you’re involved in the large-scale processing of personal data, or the systematic monitoring of public areas (e.g. with CCTV cameras).
While a Data Protection Impact Assessment isn’t required in most cases, it can still be a helpful exercise to go through. It makes you take a wider look at how your organization can achieve privacy by design, and which processes you need to help you take a robust approach to data privacy and security.
Under the GDPR, organizations are required to keep relevant and accurate records of data processing. This applies to almost all data processors and controllers, unless the data processing is casual.
If your organization is acting in the role of a data controller, you need to keep full records that cover the following:
- Contact details for the data controller, and the data protection officer (DPO) if applicable
- Categories of personal data collected and processed
- Purposes of processing, including the legal bases for doing so
- Details of organizations that data is shared with, including third parties outside the EU
- Timescales for and processes involved with data retention and deletion
- Relevant agreements that cover data transfers to third countries outside the European Economic Area (EEA), for example data processing agreements
- Information on how you secure data and safeguard it, for example against cybersecurity threats
While the record keeping requirements are less intensive for data processors, individuals in this role should still hold records that cover categories of processing, information on third country data transfers, data erasure time limits, and relevant security measures taken. If you process data for multiple organizations, it can be helpful to create templates to make filling out and updating this information easier.
Responding to Data Subject Requests
Your users and customers can access their rights under the GDPR at any time via a data subject request to understand what information you hold on them, to make updates to that data, to object to processing, or to request deletion of data.
If your business receives a data subject request, you will need to review and comply with it — usually within a 30 day period. This should give you enough time to interpret or clarify the request, seek out the correct information, and action the request. In complex cases, you may be able to approach the relevant authority to request more time.
In many organizations, finding all the personal data you hold on someone can be time consuming — especially if it’s held across multiple systems, files, and locations. It can also be hard to stay on track when it comes to responding to requests in time, if you don’t have a process or tool in place to help you out.
Reporting a Data Breach
Even with strong security measures in place, data breaches are a risk to your business. You can’t protect against every unknown, but you can have a robust approach to dealing with data breaches.
Under the GDPR, it’s required to send a breach notification to your supervisory authority within 72 hours of becoming aware of the breach. You won’t always know instantly, which is why the countdown starts from first awareness rather than when the breach itself happened. You should also keep a written or digital record of the breach, along with your response in dealing with it.
In most cases, you’ll need to inform your users of the data breach too. If the data at risk is unencrypted, there’s a requirement for you to inform your users within the same time period. In some cases, you won’t need to — for example if the data was encrypted, or the breach is highly unlikely to affect users in a negative way. However, it’s best practice to be transparent when a data breach happens — especially if information reaches the press before your customers hear about it.
Pro Tip: a few methods for preventing data breaches from occurring in the first place include:
- Educating your staff on the dangers of phishing scams
- Store data in the cloud for regular data backups
- Invest in an IT team (or at the least a technical staff member) to keep pace with security needs
What Happens if You Don’t Comply With the GDPR
Complying with the GDPR is not only a legal requirement for businesses operating in the EU, but also a good way to show your customers that you care strongly about their data privacy and rights.
It’s rare that companies take an opposing stance to complying with the GDPR. Most companies have their customers’ best interests at heart, but can still fall into non-compliance through incorrect record keeping or failing to respond to a data breach.
If an organization is found to be in non compliance with the GDPR, they can be in line for fines of up to €20 million, or 4% of their global turnover — whichever is higher. Additionally, they can be exposed to compensation claims for damages, and be subject to an intensive auditing program as a result.
There have been several high-profile and expensive fines handed out to organizations since the introduction of the GDPR. In 2020, both Amazon and Google were fined €35 million and €60 million respectively for depositing cookies without consent by France’s regulatory authority.
Non-compliance can be costly and damaging to your reputation, even if you’re a small business. While you’re unlikely to be facing fines in the high millions, there are still financial penalties and the exposure to damages costs to be aware of. Compliance should be a priority to help reduce your exposure to risk.
Compliance with GDPR FAQs
What Are the Responsibilities for Businesses Under GDPR?
The EU expects businesses to protect and disclose the private data of their customers and website users. You can manage the GDPR requirements for your business by:
- Getting consent from users on your site with a pop-up when they arrive on the site to get their formal approval
- Keeping user data organized and accessible so that you can respond to customers requesting insight into their personal data that’s being collected.
- Allowing users to report changes to their personal data (known as right to rectification)
- Removing customer data from your systems when a user requests you to do so (known as the right to erasure)
- Transferring user data over to other organizations when requested (known as the right to portability)
- Notifying authorities and users when a data breach occurs within 72 hours from when your company is made aware of the issue
Do I Need a Data Protection Officer Under the GDPR?
Not every organization needs a data protection offer (DPO). Under the General Data Protection Regulation, you’re required to appoint a data protection officer if you process large amounts of personal data or your data processing requires systematic monitoring at a large scale.
If you’re a small business or ecommerce store owner, chances are you won’t meet those requirements. That doesn’t mean you can’t have one though, and if appointing a data protection officer would make you feel more confident with your compliance it may be a worthwhile investment.
How Do I Make My Website Compliant With GDPR?
How Can I Make It Easy for People to Withdraw their Consent?
Under the GDPR, you should make it just as easy for people to withdraw their consent as it was for them to give it. This means you can’t introduce a lengthy, complicated process for someone to unsubscribe from your mailing list, if they only needed to press one button to join it. Instead, you should have a one-click unsubscribe that mirrors the signup process. This GDPR compliance guide should have made the process easy to understand.
For more general data subject requests, consider using Enzuzo as your privacy platform to add a simple form to your website where users can make requests to exercise their rights. These requests then appear in your dashboard, where you can easily action them and keep an eye on deadlines.
Does the GDPR Still Apply to the UK?
With the United Kingdom’s exit from the EU, the GDPR no longer applies to businesses and people based in the UK. However, the Data Protection Act (DPA) applies and is the UK’s implementation of similar principles. The UK GDPR also applies, which works alongside the DPA and is closely related to the GDPR.
The GDPR also applies to citizens outside the EU.
What is a Privacy Impact Assessment (PIA)?
Compliance with GDPR requires a privacy impact assessment (or data protection impact assessment) to showcase how and why customer data is being collected, the data collection process, and how the customer data is being used. This assessment should articulate the risks involved with the collection of data as well as the means being taken to encourage personal data protection.
Your data controller should handle the assessment according to Article 35 of the GDPR.
What Are GDPR Fines?
Failure to comply with the EU’s data protection requirements will result in harsh penalties. Fines for GDPR violations cost up to €20 million or 4% of your organization's global turnover (depending on which is higher).
Read more about GDPR:
What does the GDPR require by law
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.