The Complete Guide to GDPR
The General Data Protection Regulation (GDPR) is a trailblazing privacy bill that established new data privacy requirements for all businesses operating or serving customers in the European Union (EU).
GDPR Overview
The General Data Protection Regulation (GDRP) was passed in 2016, coming into full force two years later in May 2018.
A landmark privacy bill that set the tone for all following data privacy legislation, the GDPR created clear data rights for EU citzens and established strict data privacy guidelines for any business operating or serving customers within the EU.
Fines for non-compliance have increased substanitally in recents years, so understanding GDPR requirements is key for any business that deals with consumer data within Europe.
With each new penalty the legal precedent behind GDPR enforcement grows stronger, yet many organizations don't fully understand what's expected and haven't yet met the necessary compliance requirements.
That’s why we at Transcend decided to publish this complete guide to the GDPR––covering requirements for compliance, consumer rights provided by the GDPR, enforcement, exemptions, and important articles that affect day-to-day compliance efforts.
At the end, we've also included a seven step GDPR compliance checklist to help your organization develop a scalable data privacy program that meets GDPR requirements.
What is GDPR?
GDPR stands for General Data Protection Regulation and applies to any organization operating in the European Union. One of the broadest and strictest privacy laws in force today, the GDPR was passed in 2016 and went into full effect on May 25, 2018.
The GDPR traces its roots back to the European Data Protection Directive, which was instituted in 1995.
This original directive outlined minimum security standards and data privacy requirements for corporations. However, each member of the EU was tasked with creating its own set of laws based on the guidance provided by the EDPD.
In 2011, Europe’s data protection authority determined the EU should develop a more robust set of data protection laws. Over the next five years, lawmakers developed a multitude of GDPR requirements, which were then passed by the European Parliament in 2016.
Complying with these requirements means understanding who the GDPR applies to, key definitions from within the legislation, and who, if anyone, is exempt. (Hint: Unlike many privacy laws in the US, the GDPR offers few significant exemptions.)
GDPR basics
Who does GDPR apply to?
The GDPR applies to any organization that operates in the European Union, as well as any organization offering goods or services to users within the EU–even if that organization is based elsewhere.
The legalese states that the GDPR applies to:
- "a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behavior of individuals in the EU"
Here is a full list of countries under GDPR.
For comparison, all US privacy laws have triggers based on the number of consumers whose data an organization handles, as well as the amount of revenue an organization brings in from the sale of data.
Ultimately this means that, unless your company doesn't want to do business in Europe, GDPR compliance should be a top priority.
However, as your organization works towards compliance, you'll quickly notice there's a ton of new vocabularly to learn. Read on for a few GDPR definitions that will help you get started faster.
GDPR enforcement
The European Data Protection Board (EDPB) is tasked with enforcing GDPR requirements across all EU member nations.
The UK continues to utilize the GDPR, despite its withdrawal from the EU. However, the Information Commissioner’s Office is tasked with enforcing GDPR regulations within the United Kingdom.
Exemptions
The GDPR provides minimal exemptions. To be exempt, a data processing entity must actively block its site within the EU to effectively limit data processing of EU residents.
Alternatively, a business located outside the EU that doesn't offer any goods or services within the EU and doesn't process or monitor personal data for EU citizens may also be exempt.
There are also minor exemptions for law enforcement, journalists (the GDPR cannot be used the limit press freedom), and academic research.
Notably, the GDPR does not make exemptions based on the size of a business, except in the case of ROPA creation. Businesses with under 250 employees, though still beholden to all other GDPR requirements, do not need to create and maintain records of processing activities.
Important definitions under the GDPR
Data subject
In the GDPR, data subjects are defined as:
"an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier."
Put simply, data subjects are individuals who can be identified by their personal data online.
Data subject request (DSR)
Data subject requests are when an individual requests to access, correct, or delete their personal data. DSRs are the practical outcome of an individual's right to access, right to rectification, and right to be forgotten, as discussed below.
Another common acronym is DSAR, which stands for data subject access requests and specifically refers to when an individual requests access to their personal data.
Data controller
Data controllers make the decisions about how personal data will be processed by their organization. The GDPR states that controllers are:
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
In compliance terms, data controllers carry a lot of responsibility as their decisions determine whether or not an organization will hold to the rules laid out by the GDPR.
Data processors
Data processors carry out the decisions made by data controllers. Many data processors are third-parties, which are bound by similar rules as controllers but don't carry the same level of responsibility.
Article 28, discussed below, covers the GDPRs guidelines for relationships and contracts between data controllers and data processors.
Consent/cookie consent
Article 4 of the GDPR states that valid consent is “freely given, specific, informed, and unambiguous.” The data subject must agree, through an affirmative action or statement, to the processing of their personal data.
The ePrivacy Directive’s 2009 update, sometimes referred to as the "cookie law," dictated that websites were no longer allowed to place cookies onto a consumer’s device without express consent. As such, GDPR cookie consent regulations are minimal.
However, GDPR Recital 30 does clearly state that because cookies can be used to identify users, cookie use counts as personal data processing. This means that organizations using cookies to track and target EU residents are subject to the data processing rules outlined by the GDPR.
Records of processing activities (ROPA)
Required by Article 30, ROPA are comprehensive records outlining all data processing activities conducted by an organization, as well as all categories of data processing activities.
Though data mapping and ROPA have a lot of overlap, they're not fully the same.
Data mapping is not mandated by the GDPR, and the primary goal is to create a singular view of all the data moving through a company. Concerned only with the data and data categories an organization is processing, ROPA has a more focused scope.
Think of ROPA as a precursor to a full data map and remember–creating these records is a GDPR requirement.
Significant GDPR articles
The GDPR has 99 articles total, each one detailing different aspects of the obligations placed on data processers and controllers. Below we’ll focus on five GDPR articles that have significant impact on day-to-day compliance efforts.
Article 28 GDPR
Article 28 applies to data processors and their relationship with data controllers. Data processors are prohibited from performing data processing unless actively governed by a binding contract with a data controller.
In 2017, the Information Commissioner’s Office (ICO) published guidelines concerning contracts between data processors and controllers, stating that contracts must outline:
- Subject matter and timelines for processing
- How and why the data is being processed
- Types of data and categories of data being processed
- The controller’s rights and obligations
In short, processors must protect data subjects' rights by outlining a clear and binding contract with their data controller.
Article 30 GDPR
GDPR Article 30 states that data controllers are required to maintain detailed records of all processing activities (ROPA).
Each controller must maintain records containing the following information:
- Name and contact details for the controller
- Why the data is being processed
- Categories of personal data and data subjects
- Categories of any recipients of the data
- List of personal data transfers to third countries or international entities
- The envisaged time frame for data erasure
- Details on how the data is being secured
Learn more about ROPA and the practical application of Article 30.
Article 32 GDPR
Article 32 requires that data controllers and processors implement “appropriate technical and organizational measures” in order to protect consumer information.
These recommended security measures include:
- Anonymizing and encrypting personal data
- Ensuring processing systems and services remain confidential, available, resilient, and have their integrity maintained
- Ensuring access to personal data can be restored as soon as possible after a technical or physical incident
- Implementing a process that evaluates the efficacy of security measures
Data security is a prime concern for the EU, as data breaches and cyberattacks have increased in volume and severity over the last few years.
Article 6 GDPR
Article 6 defines what constitutes lawful processing, creating a legal foundation for many of GDPRs core principles.
According to Article 6, data processing is lawful if:
- A data subject gives consent
- It's required to exercise a contract to which the data subject has agreed, or if it’s a necessary precursor to entering the contract
- It’s necessary to maintain compliance with the controller’s legal obligations
- It protects a data subject’s vital interests
- It’s required to perform a task that supports the “public interest”
- The controller can provide a “legitimate interest” for processing, unless that interest contradicts an individual's “fundamental rights and freedoms”
Article 6 also allows member states to introduce “more specific provisions," if desired.
Article 9 GDPR
Article 9 provides additional guidance for controllers handling “special categories of personal data.”
Special data includes information that may reveal a data subject’s political opinions, religious beliefs, trade union memberships, or ethnic origins. This section also addresses the collection of biometric and genetic data.
Article 9 strictly prohibits the processing of these types of personal information, but does provide several exemptions to this requirement. For instance, if the data subject provides explicit consent to the processor, then the information may be collected.
GDPR data subject rights
The GDPR gave all EU citizens excercisable data rights. Among other things, these rights enable individuals to deny the collection of their personal data and make legally binding requests about how and why their data is processed.
Consumers under the GDPR enjoy the following data rights.
Right to be informed
Users have the right to know whether data is being collected, how it will be used, whether it will be shared with third parties, and how long it will be stored. Organizations must disclose this information openly and in clear language.
Right of access
Data subjects have the right to request access to any personal data being processed by an organization. After receiving a request, organizations have 30 days to respond.
Right to rectification
Data subjects can request that an organization correct their personal data if they discover the data being processed is incomplete or inaccurate. Similar to the right of access, organizations have 30 days to comply.
Right to be forgotten
Also called the right to erasure, the right to be forgotten lets EU citizens request that their personal data be deleted. However, data controllers can refuse requests if there's a legitimate reason to retain the data, such as the individual having an open line of credit with the controller.
Right to restrict processes
Data subjects can request changes or limitations to the way an organization processes their personal data.
Right to data portability
The right to data portability refers to a user's ability to easily transfer their data from one database or service to another. Upon request, data controllers must provide users with their data in an easily transferable format, such as an emailable file.
Right to object
Data subjects can challenge an organization's stated reasoning for processing their personal data and object to the processing itself. To continue processing data after an objection, the organization must make a compelling case that the processing is done on legitimate grounds.
Rights in relation to automated decision-making
Individuals can request a review of decisions made using automated decision-making, especially if the decisions being made affect the way their data is being processed.
GDPR fines and penalties
Violating the GDPR can mean massive financial penalties, which are standardized across all EU nations. GDPR fines are divided into two separate tiers.
Minor infringements can trigger fines of up to 10 million Euros or 2% of a firm’s worldwide annual revenue, whichever is higher. However, severe violations can incur fines as high as 20 million Euros or 4% of worldwide annual revenue.
The GDPR defines serious violations as acts that “go against the very principles” of the right to be forgotten and the general right to privacy.
Typically, fine amount is based on the size of the organization. While the fines are meant to be punitive, the GDPR does not seek to crush a company by delivering a fine that far exceeds its ability to pay.
Since the GDPR was enacted in 2018, the 3 largest fines were levied against:
- Amazon — 746 million Euro fine in 2021
- WhatsApp — 225 million Euro fine in 2021
- Google — 90 million Euro fine in 2021
By levying such severe fines against these entities, the EDPB made it clear they intend to strictly enforce the GDPR throughout Europe.
7 step GDPR compliance checklist
Though understanding GDPR is important, maintaining GDPR compliance should be the top priority for most businesses. Uphold your user’s data rights and avoid hefty fines by following the seven step GDPR compliance checklist below.
1. Discover and document personal data across all your data systems
Any organization that has over 250 employees and/or conducts risky data processing activities, must create and maintain accurate records of processing activities (ROPA).
Even if a company has less than 250 employees, data protection impact assessments, in which a company identifies or evaluates the potential risks involved with their data processing activities, is recommended.
Data mapping, though not required, is one of the best methods for maintaining a full and accurate view of all the data your organization touches. This is particularly true for companies who rely on multiple third-party data processors.
In the end, the more your organization knows about what data you collect and how it’s being used, the easier GDPR compliance will be.
2. Establish a lawful basis for your data processing
GDPR Article 6 establishes a framework for lawful data processing. Read up on these provisions, ensure your processing activities fall within them, and thoroughly document your reasoning.
This step in particular can be tricky given the complexity of data processing and the relative newness of the laws involved. If you aren’t sure your organization's basis for data processing meets Article 6 guidelines, we recommend contacting a lawyer that specializes in data privacy law.
3. Publish a clear, easily accessible privacy policy
When it comes to privacy policies, the GDPR's compliance checklist says it best:
You need to tell people that you're collecting their data and why (Article 12). You should explain how the data is processed, who has access to it, and how you're keeping it safe. This information should be included in your privacy policy and provided to data subjects at the time you collect their data.
Your privacy policy must also be written in clear, concise language, and provided in an easily accessible format. In other words, attempting to hide your processing activities behind legalese or unnecessarily complex language does not count as an acceptable privacy policy.
4. Audit your security and address vulnerabilities
With cyberattacks and data breaches on the rise, it's imperative that data collectors and processors ensure security for any and all personal data. Recommendations include:
- Encrypting and anonymizing data
- Publishing a security policy and cultivating a culture of security
- Conducting data protection impact assessments when necessary
Additionally, in the event of a data breach, organizations must have a detailed response plan in place. A rapid response can minimize the impacts of the breach, preserve business continuity, and mitigate the effect on consumers.
5. Consider third-party processors carefully
Many data controllers employ third-party data processors, but ensuring the quality and reliability of these processors is integral to compliance. A data breach or act of non-compliance will reflect back on your organization, even if you weren’t actively involved.
That’s why Article 28 lays out such detailed guidelines for data controllers engaging with third-party processors, as well as what needs to be included in any data processing contracts.
That contract not only provides clarity about the terms of your data processing agreement, but can provide important documentation in the event of a potential violation.
6. Designate appropriate officers and representatives
Data collectors and processors should develop a command structure to facilitate the implementation and maintenance of their privacy programs. To maximize program efficiency, it's recommended to appoint experienced officers and representatives to spearhead key privacy efforts.
Organizations outside the EU must appoint a representative from within an EU member state. This person will be responsible for communicating on your behalf to data protection authorities.
7. Implement automated privacy infrastructure
Automated privacy infrastructure is essential to upholding data rights in a scalable, sustainable way. Your organization must be able to:
- Respond to requests for access and erasure
- Change inaccurate or incomplete information at an individual's request
- Stop processing personal data upon request
- Identify and package an individual's personal data in an easily accessible and transferable format
- Protect an individuals rights in regards to automated decision making
Performing these tasks manually, though possible, is unsustainable in the long term. Privacy regulation is here to stay, so finding a privacy platform that connects all relevant data systems in order to automate privacy requests should be a priority.
About Transcend
Our mission is to make it simple for companies to give their users control of their data by encoding privacy across their tech stack.