What is GDPR, the EU Data Protection Law?

GDPR, the European Union’s data law, went into effect in 2018.

The General Data Protection Regulation aims to protect all individuals within the 27 member states from having their personal information collected and misused by companies outside of Europe or elsewhere without consent.

The GDPR also gives consumers more control over how their data is collected and used.

While GDPR is a privacy and security law drafted by the European Union, it applies to organizations anywhere around the world whose websites may have EU citizens as end users.

This law stems from existing legislation in the 1950 Convention On Human Rights. The fundamental principle of this legislation states that “Everyone has the right to respect for his private and family life, his home, and his correspondence.” 

Similar to California’s CCPA, there was a growing concern for how personal data is being used with new technology, which drove the EU to form the GDPR, to stay ahead of the curve and help combat new tools of exploitation of its citizens.

What Does GDPR Protect?

GDPR protects the integrity of its citizens’ personal data. The European Union defines personal data as “any information that relates to an individual who can be directly or indirectly identified.” This includes:

  • Names
  • Email address
  • Location information
  • Ethnicity
  • Gender
  • Biometrics
  • Religious beliefs
  • Web cookies
  • Political opinions

How Is This Information Collected?

Personal data is typically collected in one of two ways.

The first is through direct consumer consent. This is when an entity directly asks for specific personal information. This consent must be given freely, and the request must come in a non-ambiguous and straightforward position.

The second method of data collection is via non-direct consumer consent. This collection method will pull personal data through website cookies or location tracking in specific apps/programs. This method is generally more of an “implied consent,” with the consumer being made aware before engaging in a particular service.

GDPR states that EU citizens (data subjects) have the personal right to:

  • Be informed — Data subjects have the right to be informed whenever collecting occurs.
  • Access — Subjects have the right to access their data to see what is being stored and by whom.
  • Rectification — Subjects have the right to edit, change, or update any wrong information pertaining to them.
  • Erasure— Subjects have the right to have any information collected on them to be completely erased.
  • Restrict processing — An alternative to complete erasure; subjects can restrict data from being collected.
  • Data portability — The ability to transfer or move their data as they see fit.
  • Right to object — This gives subjects the right to stop the organization from collecting
  • Data — Specifically their personal data.
  • Rights in relation to automated decision-making and profiling — In this case, the subject will not be subject to a decision based solely on automated processes.

Who Must Comply with GDPR?

GDPR pertains to any entity that collects personal data from EU citizens for commercial or professional activities regardless of whether that organization is inside of an EU member nation.

As far as entities in other nations, Article 3 of GDPR dictates that organizations must adhere to GDPR while collecting data with the intention of:

  • The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • Monitoring their behavior as far as their behavior takes place within the Union.

The party collecting this information can be located anywhere globally, as long as the data being collected is from EU citizens.

GDPR does not protect any EU citizens living outside the Union.

On the other hand, it will protect foreign citizens who are living inside the European Union.

Exemptions from GDPR

  • Collection of personal data for “purely household or personal activity” is exempt from GDPR. For example, if you collected email addresses from family or friends to organize a party, you are safe from GDPR.
  • The second exemption is any organization with fewer than 250 employees. Small and medium-sized businesses aren’t entirely exempt from GDPR, but it does free them from record-keeping obligations in most cases.

What Are The Repercussions for Non-Compliance with GDPR?

The repercussions are flexible, depending on the organization’s size in collecting the data. GDPR is designed to make it costly for small and large businesses if they do not comply with the law.

Less Severe Violations

Anything deemed a “less severe infringement” could result in a fine of up to €10 million ($11,204,500) or 2% of the organization’s worldwide revenue. This applies mainly to any organization that collects and controls data and those that are contracted by others to collect data.

More Severe Violations

Any more severe violations to the core principles of GDPR are subject to fines up to €20 million ($22,441,460) or 4% of the organization’s worldwide revenue. These are also only administrative fines; subjects who have been violated also have the right to seek compensation directly from violators.

How Does the EU Decide the Severity Of Violation?

These penalties will depend upon the severity of the infraction, and each country’s regulating body may determine whether an infringement occurred in their jurisdiction.

The following criteria are used as guidelines when assessing GDPR violations:

  • The overall summary of the violation, how it happened, how many people were affected, what the damages were, and how long it took to resolve the issue.
  • Did the violator intend on breaking GDPR, or was the infringement unintentional?
  • Did the organization intend to mitigate any of the damages delivered from the infringement?
  • Did the organization have preventative measures in place to avoid violations?
  • Any comparative history to GDPR violations.
  • Whether or not the organization has cooperated with proceedings.
  • What type of personal data was violated.
  • Whether or not the organization notified a supervisory agency upon violation.
  • Is the organization certified (business license, etc.)?
  • Financial gain or losses from the infringement.

What Should Website Owners Do To Become Compliant?

Here are 7 steps that your business can take to become GDPR compliant when it comes to data processing:

  • Step 1: Keep the data subject informed and ensure that they have rights; processing must be lawful, fair, and transparent.
  • Step 2: Data collection should be for specified purposes only, and data should not be used beyond what is reasonably necessary to fulfill those initial requests.
  • Step 3: You should only collect and process the amount of data necessary for specified purposes.
  • Step 4: Keep personal data accurate and up to date.
  • Step 5: Personal identifying data should be used for only as long as necessary to fulfill the purpose it was collected.
  • Step 6: Use encryption when processing data to ensure its confidentiality and safety.
  • Step 7: To remain compliant with the GDPR, a website owner must demonstrate that they manage data properly.

To elaborate on that last point, your business must be able to prove its data collection processes are up to standard.

If at any point you are unsure if your data collection is up to code, most likely it’s not.

Your business can keep data storing compliant by:

  • Assigning data protection responsibilities to your team.
  • Documenting where your site visitors’ personal information will be stored. You should also identify who has access or permission.
  • Training staff and implementing technical security measures, to protect your consumers’ data and that of your company.
  • Making sure you have a Data Processing Agreement in place with any third parties who will be processing data on your behalf.

The European Union has strict laws that require companies to notify people in the event of a data breach.

In most cases, this means notifying those whose information was compromised within 72 hours after discovering a breach took place. This can be waived if you are using specific encryption software.

The GDPR is a complex law with many stipulations, but the main goal is to protect the privacy of all European Union citizens.

If you’re doing business in Europe or with Europeans, it’s essential to make sure your company is compliant with the GDPR.

Failing to do so could result in hefty fines.