Implementation of the General Data Protection Regulation (GDPR) in May 2018 revolutionized how businesses in the European Union (EU), and any companies that sell to the EU, protect and handle user data. GDPR compliance is not optional, and companies that do not handle personal data correctly may face severe fines.
At the same time, the GDPR also became a model for newly developed privacy laws worldwide.
What is the GDPR?
As its name suggests, the GDPR is an EU regulation governing the protection of personal data. It replaced the EU’s previous Data Protection Directive (95/46/EC), which had been in force since 1995.
GDPR focuses on businesses’ obligations to protect personal data and privacy, and it also regulates transfers of personal data outside the EU.
Although the GDPR is a significant step in improving data protection and consumer rights surrounding privacy, the regulation has drawbacks. The most notable is its use of open-ended terminology: for example, Article 32 requires security measures that are “appropriate” to the risk, which does not tell a business precisely which controls it must implement.
However, upon the launch of the GDPR, the EU and authorities in EU member states said they would initially help businesses work toward GDPR compliance rather than immediately fining those who weren’t.
To date, few significant GDPR enforcement cases have come before European courts. It’s unlikely anyone will fully appreciate the scope of the GDPR until this occurs.
Why was the GDPR developed?
In short, the EU developed the GDPR because 1995’s Data Protection Directive was no longer fit for purpose. The previous rules were adopted and implemented before the eCommerce boom and the growth of internet use in general. The data businesses collected 25 years ago pales in comparison to what they manage today. Furthermore, concerns around the storage and transfer of data also drove the development of the GDPR.
The GDPR was primarily aimed at protecting consumers’ data and privacy. However, EU leaders also hoped that it would lead to businesses being more diligent around data in general, reducing data breaches.
What types of data does the GDPR protect?
GDPR covers personal data that your business holds about any identifiable individual: customers, but also employees, suppliers and website visitors. Personal data means anything that identifies a living person directly, or could identify them indirectly when combined with other information. GDPR compliance applies regardless of the medium through which the data is collected, which means you must protect data gathered on a handwritten form in the same way you protect data collected through your website.
If you do any of the following, then you must comply with the GDPR (the list is not exhaustive):
- Collect email addresses for lead generation or sending email newsletters.
- Maintain a customer database yourself or using a CRM platform.
- Include addresses on invoices for suppliers, clients and any other businesses or individuals you deal with.
- Use website analytics tools to collect marketing data.
- Use a cloud storage platform like Google Drive for storing users’ data.
The GDPR specifically covers the following types of information you might hold about users:
- Basic identity information, which includes users’ names, addresses, email addresses, user-generated data like social media posts, and any other information shared online.
- Metadata collected via websites, including user locations, IP addresses, cookie data and RFID tags.
- Any health, genetic or biometric data you hold about users.
- Racial and ethnic data.
- Political views and opinions, including voting history.
- Sexual orientation and gender identity.
- Any other information that can be used to uniquely identify a living individual.
Yes, the GDPR does specifically say a “living” individual: it does not apply to the personal data of deceased persons, although member states may set their own rules for such data (Recital 27). Still, businesses are expected to honour the confidentiality and the specific permissions a person gave about their data before their death.
Additional rules and regulations apply in some EU countries, governing things like the use of CCTV.
Who does the GDPR affect?
The GDPR is an EU regulation. However, its territorial scope makes it effectively a global regulation: if you’re based in the United States or elsewhere and sell to customers who live in the EU, it applies to you.
If you store, process or otherwise use or transfer personal data about individuals who are in the EU, you must be GDPR compliant, regardless of your own location. Note that the test is where the individual is, not their citizenship: an EU citizen living in the U.S. is not covered, while a U.S. citizen living in Germany is.
The GDPR outlines the following specific criteria:
- Companies with a presence in an EU country. In addition to businesses primarily based in the EU, if you are based in the U.S. but have a satellite office in the EU, you would need to comply.
- Businesses that do not have a presence in the EU but offer goods or services to individuals in the EU, or monitor their behaviour (for example, through website tracking). If you’re a U.S.-based eCommerce retailer and ship to the EU, you need to be GDPR compliant.
Who is responsible for GDPR compliance within a business?
The GDPR gives explicit definitions of three roles that matter for compliance. The first two describe what your organisation is in relation to the data; the third is a person you may need to appoint.
- Data controllers are the organisations that determine the purposes and means of processing personal data, which is the position most businesses are in for their own customer data. The controller is accountable for the processing overall, including ensuring that any external processors it engages provide sufficient guarantees of GDPR compliance and are bound by a written contract.
- Data processors process personal data on behalf of a controller: for example, a SaaS platform you use for data management, a payroll provider or a hosting company. The GDPR imposes direct obligations on processors (such as implementing security measures and notifying the controller of a breach without undue delay), and they can be fined for breaching them, but this does not relieve you of responsibility. You must be aware of the GDPR compliance processes of any external processors because a violation on their side can also lead to a penalty for you as the controller.
- Data protection officers (DPOs) are responsible for advising on and monitoring your GDPR compliance and for acting as the contact point for supervisory authorities and individuals. The GDPR (Article 37) requires you to appoint a DPO if you are a public authority, if your core activities involve large-scale regular and systematic monitoring of individuals, or if your core activities involve large-scale processing of special categories of data (such as health data) or criminal-conviction data. Many businesses will not meet these conditions, though appointing a DPO voluntarily is common.
You do not necessarily need to hire for the DPO role. An existing team member or an external contractor can act as DPO, provided they have expertise in data protection law and practice and no conflict of interest (the person who decides how data is processed should not also be the one monitoring that processing). In practice, those in senior positions or existing departments, such as legal compliance, often take on these responsibilities.
What rights does the GDPR give to consumers and users?
The GDPR explicitly sets out eight rights for individuals (data subjects) in respect of their data. If GDPR applies to your business, based on the scenarios outlined earlier, you must respect and meet these rights as part of being GDPR compliant.
The eight rights and what they entail are:
1. The right to access
The right of access gives individuals the right to ask you for access to whatever personal data you hold about them, along with information about why you use it, how long you keep it, where it came from and whether you share it with or transfer it to other organisations. You must respond within one month (extendable by a further two months for complex or numerous requests) and provide a copy of the data; where the request is made electronically, the copy should be provided in a commonly used electronic form. The first copy is free; you may charge a reasonable fee only for further copies or for requests that are manifestly unfounded or excessive.
2. The right to be informed
The right to be informed means you must tell individuals, clearly and at the time you collect their data, who you are, what you will do with it, on what legal basis, for how long and with whom you will share it; this is normally done in a privacy notice. Consent is only one of six lawful bases for processing (alongside contract, legal obligation, vital interests, public task and legitimate interests), so you do not always need consent. When you do rely on it, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes, silence or inactivity do not count, and individuals must be able to withdraw consent as easily as they gave it. This was a notable tightening compared with practice under the Data Protection Directive, when opt-out mechanisms were widely used.
3. The right to data portability
The right to data portability gives individuals the right to receive the personal data they provided to you in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible. It applies to data processed by automated means on the basis of consent or a contract.
4. The right to be forgotten
The right to be forgotten (the right to erasure) gives individuals the right to have you delete the personal data you hold on them in certain circumstances: for example, when the data is no longer needed for the purpose it was collected, when they withdraw the consent the processing was based on, when they object and there is no overriding ground to continue, or when the data was processed unlawfully. If you have made the data public, you must also take reasonable steps to inform other controllers that the individual has requested erasure. The right is not absolute; for instance, you may retain data you are legally required to keep.
5. The right to object
The right to object gives individuals the right to object to your use of their data. Where the data is used for direct marketing, this right is absolute: you must stop as soon as they object, with no exceptions. Where the processing rests on your legitimate interests or a public-interest task, you must stop unless you can demonstrate compelling legitimate grounds that override the individual’s interests, rights and freedoms, or the processing is needed to establish, exercise or defend legal claims.
6. The right to restrict processing
The right to restrict processing lets individuals ask you to stop all or a specific type of processing of their data (for example, while a dispute about its accuracy is resolved) while you continue to store it.
7. The right to be notified
The right to be notified applies when a personal data breach is likely to result in a high risk to individuals’ rights and freedoms: you must inform the affected individuals without undue delay, describing in clear language the nature of the breach, its likely consequences and the measures you are taking. Separately, you must report a breach to your supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. The 72-hour clock applies to the regulator, not to the individuals.
8. The right to rectification
The right to rectification allows individuals to ask you to update or correct any inaccurate data you hold on them, or to complete incomplete records.
Although these rights give consumers the ability to closely manage how you use their data, none of them need present a significant challenge to your business, provided you know what data you hold, where it is and why you have it.
How is the GDPR enforced, and what are the penalties for non-compliance?
Although the GDPR is an EU regulation, enforcement is carried out by independent supervisory authorities in each EU (and EEA) member state, such as the CNIL in France or the Data Protection Commission in Ireland, coordinated through the European Data Protection Board. A business outside the EU that is subject to the GDPR must usually designate a representative in the EU, who is the contact point for supervisory authorities and individuals.
Penalties for non-compliance are tiered. Breaches of obligations such as security, record-keeping and processor contracts can be fined up to €10 million or 2% of worldwide annual turnover, whichever is higher. Breaches of the core principles, of individuals’ rights or of the international-transfer rules, typically repeat or serious infringements, can attract the maximum, which is the greater of:
- 4% of worldwide annual turnover for the preceding financial year.
- €20 million.
While your business may need to invest to ensure you are GDPR compliant, you are unlikely to spend anywhere near as much as what you’ll pay in penalties for non-compliance.
Seven best practices for GDPR compliance for U.S.-based companies
If you’re a U.S.-based company that sells to EU individuals, you must be GDPR compliant. With data protection laws and enforcement in the U.S. not having the greatest reputation, following the GDPR across your business could help you stand out from your competitors.
Follow these seven best practices to help you remain GDPR compliant:
2. Undertake team training
Even if team members don’t work directly with data you collect from customers or website users, ensure they’re aware of GDPR and what you’re doing to ensure compliance.
3. Have a data breach plan and test it!
You regularly test things like your fire alarms, so make sure you test your data breach plan, too. Decide in advance who is responsible for detecting and assessing breaches, who reports them to the supervisory authority (which must happen within 72 hours of becoming aware of a breach), who informs individuals when the breach is high-risk, and who keeps the internal record of every breach that Article 33 requires, including those you decide not to report. Then run a tabletop exercise against a realistic scenario and check that the 72-hour timeline can actually be met.
4. Keep your “data inventory” up to date
This is easiest if you maintain a record of your processing activities (the register Article 30 requires in most cases) listing what personal data you hold, where it lives, why you have it, on what legal basis, who you share it with and how long you keep it. The inventory must include backups: if an individual asks you to delete their data, you also need a process for removing it from backups, or at least for ensuring it is not restored back into production. You don’t want to incur a penalty because a “deleted” record came back with the next restore.
5. Stay on top of your security infrastructure
Security software does not make you compliant on its own. Article 32 requires technical and organisational measures appropriate to the risk, and it names pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of the effectiveness of those measures. Choose platforms that support these controls and document how you use them, so you can demonstrate the measures were in place if a breach occurs.
6. Ensure any partners are compliant
Remember, if you use something like a CRM platform to store personal data, the provider is your processor and you remain the controller: a violation on their side can lead to a penalty for you, too. Article 28 requires a written contract (a data processing agreement) with every processor that covers, among other things, processing only on your documented instructions, confidentiality, security measures, use of sub-processors, assistance with data subject requests and breach notification, and deletion or return of the data when the service ends. Do your homework: review your vendors’ security practices and sub-processor lists rather than relying on a one-line “GDPR compliant” statement.
7. Maintain the same levels of data protection if transferring or using data outside the EU
This will be a vital concern for U.S. companies. The GDPR (Chapter V) prohibits transferring personal data outside the EU unless the level of protection travels with it: the destination country must be covered by an EU adequacy decision, or you must use an approved safeguard such as the European Commission’s Standard Contractual Clauses or Binding Corporate Rules, and the data must continue to be protected to GDPR standards once it arrives. With this in mind, it makes sense to follow the GDPR across your entire business, especially if you store data collected from EU and U.S. customers in the same systems.
How to use LogPoint for GDPR compliance
LogPoint makes it easier for your business to meet the GDPR’s requirements, giving both you and your customers confidence in how you store and use personal data. We can help you store data, together with monitoring your networks and applications, ensuring you can identify potential data breach issues or attempts to access your data. Our analytics also allow your security team to proactively monitor all potential issues, including the creation and altering of data files.
Learn more about how we can help you with GDPR compliance or review our use cases for a specific example of how you can use LogPoint in your business.