The EU General Data Protection Regulation (GDPR) came into effect in May 2018 and has given consumers a landmark win when it comes to their data protection. However, for many businesses there is still confusion as to what is needed. Some major companies are struggling to be GDPR compliant and for some, their websites can’t be accessed in Europe.
You only need to comply with GDPR if your company is based in the European Union, if you are targeting and offering goods or services to consumers in the EU, or if you are monitoring the behaviors of EU consumers. If your business does any of the above, you are legally required to be GDPR compliant.
Here’s a breakdown of everything you need to be GDPR compliant.
Defining personal data under GDPR
Personal data is a massive part of GDPR and it is important that we define it here, as it is the crux of the law. Under Article 4 of the GDPR, personal data includes any of the following:
- Names, email addresses, and phone numbers
- Photos (including profile photos, ID photos, and avatars)
- Audio and video recordings
- Social media IDs and URLs including any posts on social media
- Geolocation information
- Bank account and credit card information (including PayPal)
- IP addresses
- Any biometric data such as fingerprints, DNA, or a person’s face
- Passport and social security numbers
Additionally, there is a sub-category of sensitive data (the GDPR calls these special categories) that requires additional safeguards before it may be processed:
- Children’s data
- Criminal record information
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- Health-related data including genetic data
- Data concerning a person’s sexual orientation or sex life
- Trade union membership
The most important step when it comes to personal data under GDPR is to identify what kinds of personal data you are collecting, storing, and processing. Chances are that your business is collecting data in some way, and possibly also processing it as well. Data storage is usually limited to organizations that offer some kind of data storage service.
Processing personal data
Data processing as defined by GDPR is wordy and complicated. It is more or less the use of any EU personal data outside of personal reasons and can apply to consumers, employees, and contractors. For example, both sending promotional emails and payroll administration are defined as data processing under GDPR.
It is important that your business lawfully processes data, which according to GDPR means you either:
- Have the individual’s permission to process data (for example, the box you have to check when you sign up for a newsletter)
- Need it to fulfill a contract (like a shipping address to send an item to someone)
- Need it for compliance with a legal obligation (for instance, billing records)
- Need it for the performance of a task being carried out in the public interest
- Need it to protect the interests of a data subject
- Need it for the purposes of the legitimate interests pursued by the controller
For each piece of data you process, you also need to justify why you need to do so. Regardless of whether you have consent to collect massive amounts of data, you are still liable for collecting data that you do not need.
Examine data storage
Data minimization is part of GDPR. If you don’t need some of the data you are collecting, stop collecting it. Additionally, you will need to know exactly where and how data is stored. As outlined in Article 15 of the GDPR, individuals have the right to access, edit, and delete their personal data at any point in time.
The right to be forgotten, as outlined in Article 17 of the GDPR, is a landmark law that now allows individuals under specific circumstances to remove certain specific search results about themselves. This law not only impacts companies like Google, but can also affect your business as well.
Under Article 17, businesses have an obligation to delete personal data if it is no longer being used for its original intended purpose. Unless the data needs to be retained for anti-money-laundering (AML) and know-your-customer (KYC) purposes, or the customer specifically opts in to the data being stored, sensitive information should be deleted.
Additionally, businesses need to give customers the option of withdrawing consent for their information to be stored. Unless there are overriding legitimate reasons for storing the data, businesses are obliged to erase the information or face severe legal consequences.
Thanks to GDPR, privacy policies need to be worded using clear and concise language that anyone can understand regardless of technical knowledge. It is also often the first place authorities will check to make sure that you are GDPR compliant.
Article 14 specifically deals with scenarios where personal data is not collected directly from the individual. An example of this is a Mailchimp-powered landing page to collect emails for your newsletter, which therefore acts as a data processor.
Make adjustments to your website
If you are collecting unnecessary data, any intake forms on your website should be updated. Do you really need a user’s birthday, gender, or age? Be discerning as to what you do and don’t need to collect.
You will also need to provide cookie consent on your website. You need to outline, in clear language, which cookies and/or trackers you use and what their purpose is. While GDPR guidance on this is slightly unclear and companies are following the rules differently, we recommend taking a cautious approach. Something else to keep in mind is that the EU will be enacting the ePrivacy Regulation in the near future, which will include further legislation on cookies.
Lastly, you will need to reevaluate your opt-in forms. Any checkboxes should be accompanied by a clear explanation of what the personal data will be used for (for example, a monthly newsletter). Default opt-out processes (where users are automatically signed up for all emails) are no longer allowed, nor are passive opt-ins (where the box is already checked and the user needs to unselect it to opt out). Authorization needs to be explicitly given for each type of communication and data processing.
If you are dealing with any type of sensitive data as listed above, you will need explicit consent in order to process it. Here are the guidelines as to how explicit consent can be collected. Article 8 of the GDPR outlines specific provisions regarding children.
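The opt-in and withdrawal requirements above (one explicit, unchecked consent per purpose; the ability to withdraw it later) and the Article 17 erasure obligation from the "Examine data storage" section are easiest to get right when consent is stored as an append-only log and erasure honours legal retention exceptions. The following Python module is an added example, not code from the article or any vendor: the purpose names, the form field names, the seven-year billing retention period and the sample customer are all constructed for illustration.

```python
"""Consent ledger with explicit per-purpose opt-in, withdrawal and erasure.

Added example; the purposes, field names and retention periods are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Each purpose needs its own explicit opt-in (no bundled or pre-ticked consent).
PURPOSES = {"newsletter", "product_updates", "partner_offers"}

# Data kept regardless of consent withdrawal or an erasure request, with the
# lawful basis and retention period (constructed values, not legal advice).
RETENTION_RULES = {"billing_records": ("legal_obligation", timedelta(days=365 * 7))}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool            # False records a withdrawal
    at: datetime
    policy_version: str      # which privacy policy text the user saw


@dataclass
class Subject:
    email: str
    profile: Dict[str, str]                   # marketing profile, deletable on request
    billing_records: List[Dict]               # each record carries a "created" datetime
    consent_log: List[ConsentEvent] = field(default_factory=list)


def record_consent(subject: Subject, form_fields: Dict[str, str],
                   policy_version: str, now: datetime) -> List[str]:
    """Record only the purposes the user actively ticked.

    Browsers omit unchecked checkboxes from the submission, so a missing key
    means "no consent"; nothing here defaults to granted.
    """
    granted = []
    for purpose in sorted(PURPOSES):
        if form_fields.get(purpose) == "on":
            subject.consent_log.append(ConsentEvent(purpose, True, now, policy_version))
            granted.append(purpose)
    return granted


def withdraw_consent(subject: Subject, purpose: str,
                     policy_version: str, now: datetime) -> None:
    """Append a withdrawal event; the log is never rewritten, so it stays auditable."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    subject.consent_log.append(ConsentEvent(purpose, False, now, policy_version))


def active_consents(subject: Subject) -> Set[str]:
    """The latest event per purpose decides; the log is appended chronologically."""
    latest: Dict[str, ConsentEvent] = {}
    for event in subject.consent_log:
        latest[event.purpose] = event
    return {p for p, ev in latest.items() if ev.granted}


def may_send(subject: Subject, purpose: str) -> bool:
    return purpose in active_consents(subject)


def erase_subject(subject: Subject, now: datetime) -> Dict[str, object]:
    """Article 17-style erasure: wipe the marketing profile and consent log,
    keep only billing records still inside their legal retention period."""
    erased_fields = len(subject.profile)
    subject.profile.clear()
    subject.consent_log.clear()
    basis, period = RETENTION_RULES["billing_records"]
    kept = [r for r in subject.billing_records if now - r["created"] < period]
    dropped = len(subject.billing_records) - len(kept)
    subject.billing_records = kept
    return {"profile_fields_erased": erased_fields, "billing_kept": len(kept),
            "billing_dropped": dropped, "retention_basis": basis}


if __name__ == "__main__":
    # Constructed sample customer: one fresh invoice, one older than the retention period.
    now = datetime(2019, 6, 1, tzinfo=timezone.utc)
    alice = Subject("alice@example.com", {"birthday": "1990-01-01"},
                    [{"id": 1, "created": now - timedelta(days=30)},
                     {"id": 2, "created": now - timedelta(days=365 * 8)}])
    # A submission where only the newsletter box was ticked.
    print(record_consent(alice, {"newsletter": "on", "name": "Alice"}, "v1", now))
    withdraw_consent(alice, "newsletter", "v1", now + timedelta(days=1))
    print(may_send(alice, "newsletter"))
    print(erase_subject(alice, now + timedelta(days=2)))
```

The erasure report is what you would hand back to the requester and keep in your own records: it states what was removed and cites the lawful basis for anything retained, which is the justification the regulation expects you to be able to produce.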
Other GDPR compliances to consider
Here are a few other compliance topics that your business may need to deal with:
Data transfer and disclosure – If you work with any data processors, they will need to ask for your approval if they transfer data outside the EU. This includes any subcontractors you or your data processors intend to work with.
Data Protection Impact Assessments (DPIAs) – These are mandatory for any organization involved in high-risk data processing. This includes new technologies, monitoring of publicly accessible areas, any profiling operations likely to affect individuals significantly, and more. It is outlined fully in Article 35.
Data Protection Officers (DPOs) – If your business regularly processes data on a large scale or processes sensitive personal data, you will need to designate a DPO. A DPO helps your organization stay compliant so that you will not be penalized.
Penalties for non-compliance
A study by advisory firm RSM from this summer has shown that 30% of European companies are not GDPR compliant, and that doesn’t include the many international companies that now fall under this law. There is still a long way to go before GDPR compliance is followed by every company. That being said, the penalties are very high for non-compliance.
The fines for not complying with GDPR are hefty. For smaller offences, the fine is either €10 million or 2% of annual global revenue, whichever amount is higher. For more serious offences, the fine is either €20 million or 4% of annual global revenue, whichever is higher.
In the first year that GDPR was in effect, authorities issued €56 million in fines and it is expected that that number will continue to rise. Authorities have shown that they are serious about GDPR compliance, and companies would be wise to follow the law.
Although we’ve done our best to outline what you need to be GDPR compliant, the laws are quite extensive and vary depending on what type of business you run. It may be worth your while to bring on a professional to look at your organization and see if changes need to be made to be GDPR compliant.
Additionally, with Brexit looming, the future regarding GDPR is also very unclear for businesses in the United Kingdom. The state of data protection laws in the UK hinges on whether or not a deal is reached between the EU and the UK.
GDPR isn’t going away any time soon, and the future will likely include stricter laws surrounding data protection. In fact, the state of California is rolling out a similar law in 2020. Data protection is a part of the future, and it’s vital that your company can keep up.