As our world becomes increasingly digitized, data privacy has become a major issue. Our online behaviors leave behind data footprints that are recorded and processed, and companies have the responsibility to keep it safe.
To ensure that data is handled ethically and responsibly, new global privacy laws have emerged. The General Data Protection Regulation (GDPR) is perhaps the best known and strictest of them.
Although it is famous, many people still don’t understand what the GDPR is, whether they need to comply, and how to meet its requirements.
In this GDPR for Dummies guide, we’ll take this long piece of legislation and break it down into simple principles so everyone can understand the GDPR and take the necessary actions to comply.
What Is the GDPR?
The GDPR is a law created by the European Union (EU) to protect the personal data of its citizens. The law is meant to give citizens more control over the collection and use of their personal data.
Since it was passed in May 2018, the GDPR has been a game changer in setting the standards of global privacy laws. It affects businesses not just in Europe, but all over the world.
What Does “Personal Data” Mean?
The GDPR official definition of “personal data” refers to “any information relating to an identified or identifiable natural person.” This includes:
- IP addresses
- Phone numbers
- Social media posts
- Date of birth
- Bank account information
The GDPR has seven key principles regarding how businesses handle personal data:
- Data should be processed lawfully, fairly, and in a transparent manner
- Data should only be processed and used for its predetermined purpose
- Only the necessary amount of data should be collected
- Any data collected should be accurate
- Data should only be stored for as long as it’s needed
- Data should be kept secure
- The controller is accountable for, and must be able to demonstrate, compliance with the principles above
Why Is the GDPR Important?
Companies such as Facebook and Google collect enormous amounts of personal data. Without rules, that data can be sold to advertisers and internet users’ privacy rights abused for the sake of profit.
The GDPR outlines what companies are and aren’t allowed to do with personal information in order to keep digital business alive, without sacrificing user rights.
The law puts more power in the hands of the data subjects — anyone who has their data collected by a company — to control their personal information.
For example, EU data subjects have the right to:
- Ask companies about how their data is being used
- Obtain access to collected personal data
- Ask for inaccurate data to be corrected
- Request that data be erased when it’s no longer needed
Who Does the GDPR Affect?
The GDPR affects any business that collects data from EU citizens, regardless of where the business operates. No matter the size of your business, if you have a website that serves EU customers, you’re subject to the GDPR.
The GDPR does not apply if you own a small blog or website that doesn’t sell any products nor collect any personal information from EU residents.
The legislation applies to two types of data-handlers:
1. Data Controllers — a person or agency that determines the purposes of data collection, the type of data to be collected, and how the data will be collected
For example, if you own an online apparel store that collects user data such as visitor numbers, the channels users arrive from, and how long they stay on each page, you are the data controller, since you decide how all this information will be used.
Controllers have the highest level of responsibility in complying with the key GDPR principles listed above, and they’re also responsible for the compliance of their processors.
2. Data Processors — someone who collects or processes personal data on behalf of the controller. They neither own nor control the data they process.
Using the ecommerce example above, let’s say the business owners decide to share the data with Google Analytics to find out which pages are most popular and which pages are making visitors leave. Google Analytics, the third party, is the data processor.
Processors are required to maintain records of all data processing activities and keep personal data secure.
What Are the Penalties for Noncompliance?
Noncompliance with the GDPR may come with a steep price depending on the seriousness of the violation.
Less severe infringements could result in a fine of 10 million euros ($11 million) or 2% of the company’s global turnover, whichever is greater.
On the high end, companies could face a fine of 20 million euros ($22 million) or 4% of the company’s global turnover, again whichever is greater.
How Can My Business Comply with the GDPR?
Here are the main requirements of the GDPR that your company needs to meet:
1. Data Protection Impact Assessment (DPIA)
If your company’s data-processing activities are likely to pose a high risk to people’s rights and freedoms, you need to carry out a Data Protection Impact Assessment (DPIA) before starting them.
2. Data Breach Response
A data breach is any incident that leads to personal data being lost, stolen, destroyed, or altered.
If a data breach occurs, your company has 72 hours from becoming aware of it to inform your supervisory authority, and you need to tell affected users as quickly as possible. To be proactive, companies should develop a data breach contingency plan before one happens.
3. Other Requirements
The actions that your company needs to take to become GDPR-compliant will depend on your company size and level of data processing.
More information can be found on the European Commission website. Here are some other general tips:
- Perform an audit on your data to determine its purpose (if it’s no longer needed, get rid of it)
- Obtain explicit consent for data collection (e.g., add an unchecked checkbox to sign-up pages asking if users consent to having their email address collected and used)
- Give users the right to access their existing data (this is usually handled through a data subject access request, or DSAR, form; examples can be found online)
- Establish security controls to protect personal data (make sure your security staff has an action plan for protecting user data)
- Only store data for as long as it’s needed (limit your liability by cleaning out unnecessary data)
- Depending on the size of your company and the amount of data your company processes, you may need to appoint a data protection officer (DPO), who’s responsible for handling all GDPR activities and paperwork (this is only necessary if you process data on a large scale)
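As an added example (not code from the original guide), the following Python shows three of the tips above in working form: the sign-up consent box is treated as unchecked by default, so a missing form field is rejected rather than defaulted to "yes", and the consent that is given is stored as evidence together with its purpose and the version of the privacy notice; each record carries a retention period and a purge routine deletes it once that period elapses; and a data subject access request returns everything held about one email address. The function names, the `consent` field name, and the sample form submissions are hypothetical constructions for this example; no framework is assumed.

```python
# Added example, not from the original guide: dependency-free helpers for
# (1) explicit, unchecked-by-default consent stored as evidence,
# (2) storage limitation via a per-record retention period, and
# (3) answering a data subject access request (DSAR).
# Function names, the "consent" form field, and all sample data are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Values a browser sends for a ticked checkbox. Anything else, including an
# absent field (which is exactly what an unticked box produces), means "no".
TRUTHY_CHECKBOX = {"on", "true", "1"}


class ConsentError(ValueError):
    """Raised when a sign-up is attempted without explicit consent."""


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str          # purpose limitation: what the data may be used for
    notice_version: str   # which privacy notice the user actually agreed to
    granted_at: datetime  # evidence of when consent was given
    retention_days: int   # storage limitation: how long the record may be kept


def record_consent(form: Dict[str, str], purpose: str, notice_version: str,
                   retention_days: int, now: Optional[datetime] = None) -> ConsentRecord:
    """Validate a sign-up form server-side and return a consent record.

    Because the checkbox is unchecked by default, the field is simply missing
    when the user did not tick it. A missing or non-truthy value is therefore
    rejected; it is never defaulted to True.
    """
    if str(form.get("consent", "")).strip().lower() not in TRUTHY_CHECKBOX:
        raise ConsentError("explicit consent is required before collecting the email address")
    email = form.get("email", "").strip()
    if not email or "@" not in email:
        raise ValueError("a valid email address is required")
    return ConsentRecord(
        email=email,
        purpose=purpose,
        notice_version=notice_version,
        granted_at=now or datetime.now(timezone.utc),
        retention_days=retention_days,
    )


def is_expired(record: ConsentRecord, now: datetime) -> bool:
    """True once the record's stated retention period has elapsed."""
    return now >= record.granted_at + timedelta(days=record.retention_days)


def purge_expired(records: Iterable[ConsentRecord],
                  now: datetime) -> Tuple[List[ConsentRecord], List[ConsentRecord]]:
    """Split records into (kept, deleted) according to their retention period."""
    kept: List[ConsentRecord] = []
    deleted: List[ConsentRecord] = []
    for r in records:
        (deleted if is_expired(r, now) else kept).append(r)
    return kept, deleted


def export_subject_data(records: Iterable[ConsentRecord], email: str) -> List[dict]:
    """Answer a DSAR: return everything held about one email address."""
    wanted = email.strip().lower()
    return [
        {
            "email": r.email,
            "purpose": r.purpose,
            "notice_version": r.notice_version,
            "granted_at": r.granted_at.isoformat(),
            "retention_days": r.retention_days,
        }
        for r in records
        if r.email.lower() == wanted
    ]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed sample submissions: one with the box ticked, one left unticked.
    ok = record_consent({"email": "ann@example.com", "consent": "on"},
                        purpose="newsletter", notice_version="v3",
                        retention_days=30, now=t0)
    try:
        record_consent({"email": "bob@example.com"}, purpose="newsletter",
                       notice_version="v3", retention_days=30, now=t0)
    except ConsentError as exc:
        print("rejected:", exc)
    kept, deleted = purge_expired([ok], now=t0 + timedelta(days=31))
    print(len(kept), "kept,", len(deleted), "deleted after retention period")
    print(export_subject_data([ok], "ANN@example.com"))
```

The design point is that consent is proven by a stored record, not inferred from the absence of an objection: the server rejects anything other than an affirmative checkbox value, records which notice version was accepted, and ties each record to a retention period so that the purge can be run on a schedule instead of relying on someone remembering to clean up.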
GDPR Beginner’s Guide Summary
This GDPR for Dummies guide provides an overview of the GDPR and why it matters. Here are the main takeaways:
- The GDPR is a law developed in the EU that regulates how personal data is collected, processed, and protected
- Any company that serves customers in the EU (including US businesses) is subject to the GDPR
- Non-compliance may lead to fines in the millions of dollars
- Companies should collect data carefully and be transparent to users about how their data is collected and used