The GDPR. It’s an acronym likely to create a look of panic in many, but the EU’s General Data Protection Regulation (GDPR) doesn’t have to be scary. Data privacy laws can often strike fear in even the most confident business leaders and marketers, but they’re easy to understand when you break them down.
In this simple guide to the GDPR, we’ll take you through everything you need to know about this leading privacy law. We’ll cover the basics, take a look at compliance, and introduce an easy way to help you stay compliant with this essential legislation.
You might be wondering about how to stay compliant with the GDPR, but first, we need to cover the foundations. With a solid understanding of what this key privacy law involves, knowing how to work alongside it becomes easier.
In this section, we’ll take a look at the basics of the General Data Protection Regulation (GDPR). We’ll form an understanding of what it is, who it protects, what rights it gives, and what your responsibilities are as a business.
The General Data Protection Regulation, or GDPR as it’s more widely known, is a leading European Union data privacy law. While it’s designed for and protects EU citizens, its effects have reached worldwide since it came into effect on May 25, 2018.
Like most privacy law, it’s been created to help give people a greater understanding of how their personal data is collected and used, and more control over where and when that happens through the introduction of new rights. It’s designed to strengthen the data security of millions, and put robust requirements on businesses and organizations to uphold those rights.
It’s easy to look at the GDPR and think that it only applies to citizens of the European Union. While it does, that’s only half the story. To understand where the GDPR applies, you need to take a look at the relationship between an organization and the user.
If you operate your business from within the EU, the GDPR applies — even if the processing of data happens outside the EU, for example by using a third-party tool or service provider. This means that you should apply GDPR principles to how your entire business operates, even if most of your customers are outside Europe.
Organizations can also be affected by the GDPR if they’re not based within the EU. If you provide goods or services to people based in the EU, you need to make sure you’re compliant. As EU citizens, they’re covered by the GDPR and can exercise their rights and have certain expectations of how you handle their personal data, even if you’re based in Canada, the USA, or elsewhere in the world.
Following the United Kingdom’s exit from the EU, the GDPR no longer applies to the relationship between your business and people based in the UK. However, the Data Protection Act (DPA) applies and is the UK’s implementation of similar principles. The UK GDPR also applies, which works alongside the DPA and is closely related to the GDPR.
With it being almost impossible to know where your next customer comes from if you run an ecommerce business on a platform like Shopify, it makes sense to build your business around being GDPR compliant. Even if you don’t need to comply with GDPR, you might find other privacy laws apply. Brazil’s LGPD, Canada’s PIPEDA, and California’s CCPA are examples of key data protection laws that you also need to be mindful of.
At the heart of the GDPR is giving users (or data subjects) greater control over their own personal data. This has put a stronger focus on what personal data is, what it means to individuals, and how organizations should use it.
Personal data can mean different things to different people. Under the GDPR, personal data refers to any information that relates to an identifiable individual. Some examples of personal data include:
While an email address might not feel highly personal, combined with other identifiers it could be used to identify you and reveal information you don’t want disclosed. That’s why there is so much focus on keeping this personal data safe.
Almost every company uses personally identifiable information in some way. Whether you collect personal details to complete an order, or start a loyalty scheme for your customers, you’re working with data.
Under the GDPR, different roles have been established to cover the responsibilities of people that set the scope for use of personal data and those that process it. These roles are known as data controllers and data processors.
Put simply, data controllers are the people that make the decisions. They decide which data is collected, and what it will be used for. Most organizations act as data controllers, since they have the overall power to shape how data is collected and processed in line with their business objectives.
Data processors work with personal data, but don’t have the decision-making power over how that data is used. This most often applies to people that process personal data as part of work for a client, where they carry out tasks under the direction of another organization.
Being a data controller puts stronger requirements on you within the scope of GDPR. Not only do you have to make sure your own organization is compliant, but you need to make sure that any data processors you use are too. This means you need to think carefully about which subcontractors, freelancers, agencies, or partners you work with — and which software and tools you use for data processing activities.
One of the main pillars of the GDPR is that organizations need to demonstrate a legal basis for data collection and data processing. This means they can’t just use your personal data for any means — they need to show a genuine reason for doing so.
The six legal bases for processing personal data under the GDPR are: consent of the data subject; performance of a contract with the data subject; compliance with a legal obligation; protection of someone’s vital interests; performance of a task carried out in the public interest or in the exercise of official authority; and the legitimate interests of the controller or a third party.
Of these bases, the most popular option and the easiest to obtain is consent. Under the GDPR, consent should be given freely, and be specific, informed, and unambiguous. The consent should be communicated through a clear statement or agreement. It’s best to use plain language and avoid jargon, to satisfy the requirements around users being informed.
In some cases, providing consent will look like signing a contract with a clear, descriptive statement over how data is processed. At other times, it could be as simple as ticking a box when signing up for an email newsletter — provided it’s clear how that data will be used. Note that this consent still needs to be for a specific purpose, so you can’t use it as a “catch all” way to use personal data for any reason.
The GDPR introduced a whole host of new rights to people across the EU. It’s given them more power than ever to control how their personal information is collected, used, stored, transferred, and corrected.
Understanding your users’ and customers’ rights can help you to put processes in place that help you stay compliant. Here are the eight rights that EU citizens can exercise under the GDPR.
This right is all about giving people the information they need to make sensible decisions about their own personal data. Your users need to be informed of how their data is collected and processed. They also need to understand their options and rights around how to provide or withdraw consent, make challenges, or make changes to the data you hold on them.
Your users have the right to access the personal data that you hold on them. This right gives people the opportunity to view their data and ask questions of you around how it’s processed — such as which categories are involved and who can access this data. Often someone will exercise their right of access if they intend to pursue another right, such as the right to object or restrict processing.
This simple right follows on from the idea that people can view and access their data, and gives them the opportunity to make changes to it. Not only does it give users the confidence that you hold up-to-date information on them, but it means that your records are more accurate as a result.
Users can now exercise their right to restrict processing, even if consent was initially given. This gives them the chance to put a halt on you processing their personal data for any purpose. You might also find this right referred to as the right to withdraw consent, as in most cases you’ll then no longer have the consent you need to continue.
This key right gives users the opportunity to object to the processing of their personal data. While it may sound similar to the right to restrict processing, it’s much harder for companies to refuse. To do so, they must demonstrate that they have legitimate interests that override the interests and freedoms of the user, or that the processing is needed to establish, exercise, or defend a legal claim. The right to object gives people an easy way to break the relationship with an organization — for example if they no longer wish to remain on an email marketing list.
In some cases, organizations use automated decision-making or processing to carry out a task — for example, to evaluate someone’s loan application or to profile them for a mortgage. With this right, EU citizens can refuse this automated processing and request that a manual decision be made instead. While this may be more time-intensive, it provides a way for citizens with non-standard situations or requests to get a fairer decision.
At times, customers will want to end a relationship with an organization or business. The right to erasure, also known as the right to be forgotten, gives them the opportunity to request that any data held on them is deleted. In some cases this right can be overridden, for example to comply with legal requirements around how long data is stored for.
Instead of asking for their personal data to be deleted, EU citizens can invoke their right to data portability. With this right, they can ask for their personal data to be transferred to another organization, or back to themselves. This makes it easier for people to move between providers, and helps to reduce some of the friction involved in doing so. These data transfers should happen in a machine-readable format, to make things easier for all parties.
Understanding what the GDPR is and how it works gives you the foundation you need to make sure your business processes and documentation are compliant.
In this section, we’ll take you through how you can manage compliance with these key data protection principles — and the risks involved if you don’t.
A privacy policy is a document that informs your users how you collect, use, store, and transfer personal data. It’s usually found on an organization’s website, but may be shared with users in additional ways — for example as part of a mobile or desktop app, or as a document as part of a contract signing process.
One way to help manage compliance across your business is to undertake a Data Protection Impact Assessment (DPIA). This provides an overview of the data collected, how it’s used, the scope, the associated risks, and how those risks will be managed.
Having a DPIA isn’t a legal requirement unless your operations are considered high risk. Examples of this include where you’re involved in the large-scale processing of personal data, or the systematic monitoring of public areas (e.g. with CCTV cameras).
While a Data Protection Impact Assessment isn’t required in most cases, it can still be a helpful exercise to go through. It makes you take a wider look at how your organization can achieve privacy by design, and which processes you need to help you take a robust approach to data privacy and security.
Under the GDPR, there’s a requirement for organizations to keep relevant and accurate records of data processing. This applies to almost all data processors and controllers, unless the data processing is only occasional.
If your organization is acting in the role of a data controller, you need to keep full records that cover the following:
While the record keeping requirements are less intensive for data processors, individuals in this role should still hold records that cover categories of processing, information on third country data transfers, data erasure time limits, and relevant security measures taken. If you process data for multiple organizations, it can be helpful to create templates to make filling out and updating this information easier.
Your users and customers can access their rights under the GDPR at any time. To do so, they are likely to put in a data subject request. This might be to understand what information you hold on them, to make updates to that data, to object to processing, or to request deletion of data.
If you receive a data subject request, you need to review and comply with it — usually within a 30-day period. This should give you enough time to interpret or clarify the request, seek out the correct information, and action the request. In complex cases, you may be able to approach the relevant authority to request more time.
In many organizations, finding all the personal data you hold on someone can be time consuming — especially if it’s held across multiple systems, files, and locations. It can also be hard to stay on track when it comes to responding to requests in time, if you don’t have a process or tool in place to help you out.
Even with strong security measures in place, data breaches remain a risk. You can’t protect against every unknown, but you can have a robust approach to dealing with data breaches.
Under the GDPR, it’s a requirement for you to send a breach notification to your supervisory authority within 72 hours of you becoming aware of the breach. You won’t always know instantly, which is why the countdown starts from first awareness rather than when the breach itself happened. You should also keep a written or digital record of the breach, along with your response in dealing with it.
Not only will you need to inform the authority, but in most cases you’ll need to inform your users too. If the data at risk is unencrypted, there’s a requirement for you to inform your users within the same time period. In some cases you won’t need to — for example if the data was encrypted, or the breach is highly unlikely to affect users in a negative way. However, it’s best practice to be transparent when a data breach happens — especially if information reaches the press before your customers hear about it.
Complying with the GDPR is not only a legal requirement if it applies to your organization, but it’s also a good way to show your customers that you care strongly about their data privacy and rights.
It’s rare that companies take an opposing stance to complying with the GDPR. Most companies have their customers’ best interests at heart, but can still fall into non-compliance — for example through incorrect record keeping or failing to respond to a data breach.
If an organization is found to be in non-compliance with the GDPR, it can be in line for fines of up to €20 million, or 4% of its global turnover — whichever is higher. Not only that, but it can be exposed to compensation claims for damages, and be subject to an intensive auditing program as a result.
There have been several high-profile and expensive fines handed out to organizations since the introduction of the GDPR. In 2020, France’s regulatory authority fined Amazon and Google €35 million and €60 million respectively for depositing cookies without consent.
Non-compliance can be costly and damaging to your reputation, even if you’re a small business. While you’re unlikely to be facing fines in the high millions, there are still financial penalties and the exposure to damages costs to be aware of. Compliance should be a priority to help reduce your exposure to risk.
With the threat of huge fines and potential damages claims, it’s easy to understand why businesses are so keen to stay compliant with the GDPR.
Even in a small business, managing data subject requests can be a nightmare. Often you’re left looking for data across spreadsheets and tools, with no clear process to help you find everything you need — or to respond in the best way.
It’s only natural to have questions about the GDPR and how you can stay compliant with it. Let’s take a look at some frequently asked questions and explore the answers to them.
Not every organization needs a data protection officer (DPO). Under the GDPR, you’re required to appoint a data protection officer if you process large amounts of personal data or your data processing requires systematic monitoring at a large scale.
If you’re a small business or ecommerce store owner, chances are you won’t meet those requirements. That doesn’t mean you can’t have one though, and if appointing a data protection officer would make you feel more confident with your compliance it may be a worthwhile investment.
Under the GDPR, you should make it just as easy for people to withdraw their consent as it was for them to give it. This means you can’t introduce a lengthy, complicated process for someone to unsubscribe from your mailing list, if they only needed to press one button to join it. Instead, you should have a one-click unsubscribe that mirrors the signup process.
For more general data subject requests, consider using Enzuzo as your privacy platform. Once you’re all set up, you can add a simple form to your website where users can make requests to exercise their rights. These requests then appear in your dashboard, where you can easily action them and keep an eye on deadlines.
Don’t panic about the GDPR and what it means for your business. With a little knowledge and understanding around how it all works and what the risks are, you can take sensible steps to help you stay compliant and gain confidence around data privacy.