General Data Protection Regulation (GDPR) – A Simple Primer
General Data Protection Regulation (GDPR) is new legislation governing personally identifiable information (PII) and privacy of citizens of the European Union (EU). It goes into effect from May 25th 2018.
Every organization that collects and uses data in Europe needs to know how to get GDPR compliant quickly. It’s urgent and important because non-compliance could be costly.
This simple guide to GDPR was written to help you with this.
DISCLAIMER: This GDPR report is based on the best research I could manage. However, I do NOT promise that it is thorough, complete, or even entirely accurate. I am NOT a specialist in this field. The content is drawn from multiple sources and provided here for informational purposes only.
It is NOT meant to offer personalized answers, advice, recommendations, or binding opinions. It is NOT a substitute for professional business advice. If you need professional help to implement GDPR in your business, talk to a consultant or hire a specialist – do NOT base it upon this information alone. If you want legal certainty, don’t rely on me, please consult a lawyer.
[ . ] – Check this box to confirm that you have read and accept this disclaimer.
Did you check the box?
Well, in a pre-GDPR world, it wouldn’t matter.
I could just say “Proceeding beyond this point presumes that you accept these terms” – and it would be fine.
Not any longer!
For the kind of Personally Identifiable Information it is meant to safeguard, GDPR requires explicit permission to be obtained from your users.
So let’s talk about this in more detail.
What is General Data Protection Regulation (GDPR)?
GDPR is new regulation that requires organizations that collect and use data to protect the personal data and privacy of EU citizens for transactions within member states. GDPR was adopted by the European Parliament in April 2016 and will be effective from 25th May 2018.
Who needs to know about GDPR?
General Data Protection Regulation (GDPR) is relevant to any business, non-profit or other organization that stores, processes or uses personally identifiable information (PII) on EU citizens in Europe.
If you collect data on EU citizens you must comply with the new customer data protection law. Companies in the European Union, or even websites and apps that gather data on EU citizens are subject to GDPR.
Should I even bother about GDPR?
If you collect, store or use personal data from European citizens – even something as simple as a person’s name and email address – you’re bound to comply with GDPR.
It applies also if you have data about customers, subscribers, suppliers, employees or others who are EU nationals.
I’m only a small firm. Does GDPR still apply?
Yes. But smaller firms – defined as having 250 or fewer employees – have less to do than bigger ones to comply with GDPR. For instance, you won’t have to keep records of your data processing activities, or provide documentation for why or how long you collect or process personal data.
Which business sectors will be most affected by GDPR?
The technology sector, online retailers, software firms, financial services, retail packaged goods and online services (SaaS) companies are most likely to need extensive changes to be GDPR compliant.
By when should you be GDPR compliant?
Companies should be GDPR compliant by 25th May 2018.
Why did GDPR happen?
Primarily due to growing public concern over privacy. High profile hacking and data abuse cases like the Facebook and Cambridge Analytica brouhaha have rightfully led to a push for new standards regarding customer rights over their data.
How big a deal is public concern over privacy?
Better-informed consumers demand greater transparency and responsiveness from people in charge of storing their personal data. And with every new data breach, concern is rising.
In a recent survey,
- 80% of respondents were worried about banking and financial data loss.
- 62% say they would blame a company rather than hackers if their data was lost in a breach of security.
- And over 70% would boycott an organization that didn’t pay adequate attention to safeguarding their data.
How will GDPR help enhance a customer’s privacy?
Companies will be forced by GDPR to change how they collect, store, process and safeguard personally identifiable information (PII).
Companies can only collect and store data with explicit consent, and for no longer than necessary for the purpose for which the data was processed.
Companies should erase personal data upon request by the customer (also called the “right to be forgotten”) and be ready to export this data in a clear and simple format upon demand by a user.
What’s new about GDPR?
GDPR expands the range of what makes up personally identifiable information (PII). Things like a person’s IP address and cookie data are to be safeguarded in just the same way as their name, address or social security number. Fines are heavy for data breaches and non-compliance with GDPR norms.
What is personally identifiable information (PII)?
Personally identifiable information (PII) is data that can be used to correctly identify a specific individual.
Traditionally, social security and phone numbers, postal and email addresses have been considered PII. Technology has expanded this definition. Now one’s IP address, login ID, biometric data, digital images and even social media posts and behavioral data are classified as PII – and must be protected under GDPR.
What privacy data does GDPR protect?
a. Basic identity data: name, address, social security number
b. Web data: geo-location, IP address, cookie, RFIP tags
c. Health and genetic data
e. Racial and ethnic demographic data
f. Political affiliation
g. Sexual orientation
What does General Data Protection Regulation (GDPR) require from you?
The GDPR guidelines say that companies should offer “reasonable protection” for personal data and privacy to EU citizens. There are 5 broad areas your GDPR compliance efforts will cover:
a. Data Control
- Process data for authorized purposes only
- Maintain data accuracy
- Restrict the exposure of subject identities
b. Data Security
- Safeguards during data storage and further processing
- Implement default data protection
- Encrypt and otherwise secure data based on risk perception
c. Right to Erasure
- Retain data for limited duration, not indefinitely
- Erase data completely when subjects revoke consent
- Delete data at the end of a contract or agreement
d. Risk Mitigation
- Assess risks to privacy and security
- Implement security measures and demonstrate GDPR compliance
- Train and assist third-party partners to also comply
- Prove full data control
e. Breach Notification
- Notify appropriate authorities within 72 hours
- Detail consequences of the breach
- Communicate information about the breach directly to affected subjects
Do different countries have specific GDPR requirements?
No, all 28 EU member states have the same GDPR framework, so companies only have to meet that single standard across the EU.
Will companies outside the EU face problems from GDPR?
Nearly two-thirds of US companies feel GDPR forces a rethink of their European strategy. Many more feel the changes give their European competitors an undue advantage.
Do I need GDPR for non EU customers?
If you live outside the EU and can segment your audience to deal with people in the EU separately, then you won’t need to implement GDPR standards for non-EU customers. You must be GDPR compliant in relation to ‘data subjects’ in the European Union, though.
What if I’m in the EU but sell to customers outside the EU?
If you’re inside the EU, you must comply with GDPR in all respects.
How does GDPR affect third-party contractors?
With GDPR, there’s an equal liability for both data controllers (who own the data) and data processors (who may be outside organizations helping manage the data). If any third-party is not GDPR compliant, you are also not compliant.
How does GDPR address problems created by a data breach?
Under GDPR, there are strict rules to report any data breach – within 72 hours of detection. All entities in the chain must comply. Customers affected by a breach should be informed about their rights.
Contracts that companies have with data processors (like cloud providers, SaaS vendors, payroll providers, etc.) should clearly spell out responsibilities and define how data will be managed and protected. They should know who to call and how to respond if they are hacked. The policies, procedures and response structure should be in place.
PRINCIPLES OF GDPR
What are the principles behind GDPR?
1. GDPR is about lawfulness, fairness, and transparency.
2. It’s also about purpose limitation, gathering only data necessary for the purpose.
3. Data should be accurate.
4. Storage limitation ensures data isn’t kept for longer than needed for the purpose.
5. GDPR also puts adequate security measures in place.
What do you mean by lawful, fair and transparent?
Under GDPR you are forced to be upfront with what you’ll do with people’s data. If you collect emails for a lead magnet, you should have a link to your privacy notice right at the point of collection that transparently explains what you’ll do with that data.
You should detail
- what you’re collecting
- why you need the data
- whether you’ll transfer it to third parties
- who they are, and what they’ll do with the data
The idea is to let people make informed choices about sharing their data with you… and that’s possible only when you reveal what you’ll do with the data.
What is purpose limitation?
Being clear about the purpose for which you’re gathering data. Once you do this, you cannot later on just decide to use it for other purposes… without first seeking fresh consent.
What do you mean by minimum data necessary?
For a lead magnet sign up box, you need a person’s name and email address. But do you need their marital status? Or waist measurement? Of course not.
The general principle is to keep data to the minimum needed to serve the purpose you’re asking it for.
Can I ask for data that helps segment my audience?
GDPR doesn’t require you to segment audiences, but if doing so can tailor what you offer to their interests better, then it fits the principle driving the regulation.
The consent should be explicitly gathered. A statement like “To ensure we send you better targeted information, please tick the boxes to tell us which category you represent” will work for this purpose.
Why does data accuracy matter?
If your data is old and outdated, results will be poorer. For an email list with inaccurate data, bounce rates will be higher. That data should be deleted, or the errors corrected by getting in touch with subscribers in another way.
How to get consent in a manner that is GDPR compliant?
Consent is GDPR compliant when it is freely given, specific, informed and unambiguous. Individuals should signify by a statement or clear, affirmative action their permission to process personal data.
What is explicit consent?
Explicit consent is obtained in a manner that leaves no room for misinterpretation, through a clear written or spoken statement. In this process, you should explain clearly
- why you are collecting personal data
- nature of the data being gathered
- how the data will be used
- if it will be made available to third parties
- details of any data being transferred
- all the risks of such transfers
Can I use ‘pre-ticked’ boxes?
No, not under GDPR. You cannot have an opt-out consent process. It should be opt-in. Clear affirmative action means you cannot use pre-ticked boxes.
So you cannot say “If you don’t want to receive our marketing messages, click here.” It has to be, “If you want our marketing messages, click here.”
How does this matter to the customer/subscriber?
GDPR is all about giving data subjects genuine choice and control over their personally identifiable information (PII) and what they permit you to do with it.
What are the requirements of valid consent?
Under GDPR compliant norms, consent requests should be:
a. Unbundled – Consent may not be a pre-condition for signing up for a service, or linked to other terms and conditions.
b. Granular – Consent must be obtained separately for each component. e.g. if you want to get permission to share data with third parties, it should be a separate tick box the customer should check for giving consent.
c. Named – Consent should name other organizations or third-parties that rely upon the permission, and categories that will not be acceptable.
d. Documented – Records of consent should be maintained, showing what the person agreed to, what they were told, when, and how they consented.
e. Easy to Withdraw – Let users know they can withdraw their consent at any time, and explain the procedure (which should be easy)
Is an ‘Unsubscribe’ link enough for email marketers?
It’s good practice to have an opt-out link at the end of all your emails. But GDPR requires more. Every two years, you should offer a specific opt-out of your email list. You should also send out occasional reminders about subscribers’ freedom to withdraw consent and leave your mailing list, if they wish to.
Your email notification might say, “I hope you still enjoy what I’m sending you. If not, remember you can always opt-out by clicking the link below.”
How to safeguard yourself with regard to consent?
No secret police force is tracking this stuff and looking to catch you out! But if someone complains, or a competitor tries to trip you up, the responsibility is yours – as a data controller – to prove that you have consent.
Maintain records of consent. You should be able to prove that they gave consent on a specific date. Keep evidence of your privacy notice at the time. File away a copy with the dates on it to help prove the terms under which consent was granted.
Is all consent equal?
Sensitive data related to racial or ethnic origin, political views, religious persuasion, genetic data, biometric details or health that could infringe on the rights and freedom of subjects is held to a higher standard of consent and protection.
Do I need legal grounds for GDPR compliant data collection?
If you don’t have a legal ground for collecting and processing data, you run the risk of complaints, investigations and fines.
For example, if you don’t have GDPR approved consent standards for your existing email list subscribers, then you need fresh consent from them prior to 25th May 2018. Otherwise, you don’t have lawful grounds to process their information – and would have to opt them off your list!
Organisations should be able to prove they have good reason to gather and process personal data.
Is it always necessary to get explicit consent?
No. There may be some other lawful basis to collect and process data, like:
a. Contract with an individual. For instance, if someone sends you an email asking for a quote, you can respond by email without seeking consent.
b. Compliance with legal obligations. If an employer must collect employee data to pay any applicable taxes, consent isn’t necessary to do that.
c. A Public Task
d. Vital/legitimate interests. When data processing is in your (or your organization’s) legitimate interest, you can forego consent.
However, this is a gray area. You must balance it against the need to maintain privacy of an individual’s personal data. This needs careful assessment. The key is whether someone might REASONABLY expect to hear from you.
So if you want to send your existing customers marketing emails relevant to what they bought from you, it’s in your legitimate interest to do so. And they would reasonably expect to receive such communication. Plus, you’ll include an opt-out at the bottom of the email.
But what if they are customers you had 20 years ago? If you’ve not stayed in touch, they won’t reasonably expect to hear from you now. So you’ll need fresh consent to market to them.
The gray zone is for those in between, who purchased from you, say, 18 months ago. What do you do? Bottom line – Put yourself in the customer’s position. If they won’t expect to hear from you, then you’d need consent to start marketing to them again.
What falls under data processing?
Data processing may include anything you do with data – even just storing it. Maybe you have historic customer or subscriber lists you do nothing with. That still comes under the scope of GDPR.
How to deal with data processors?
If you control data that you send to someone else to process, you must safeguard this data and ensure the chain of protection is in place.
When you send data to a virtual assistant to process, or for another company to provide you with a service, the third party must also be GDPR compliant – and you should have a contract that spells out these terms. Otherwise, you are not allowed to use them.
Is the data controller liable for mistakes by the data processor?
If a data controller does everything necessary, asks all the right questions of a data processor, and has agreements in place to outline their responsibilities, then when something goes wrong the data controller is not liable – the data processor is.
On the other hand, if data controllers ignore the issue and work with a negligent processor, then they are liable for any consequences.
Who is a data processor?
Maybe it’s a virtual assistant, payroll provider, bookkeeper, a cloud-based accountancy software, a mailing list service like Infusionsoft, MailChimp, or AWeber, a web-based service like Google or Facebook – all are data processors because they process your information.
How to get started with GDPR?
To begin with, you should find out
- what data you have
- why you are holding it
- how you got it
- what your lawful ground for processing it is
- where and how it is processed
- how long you’ll retain it
- how secure it is (encryption, accessibility)
- on what basis you share it with third-parties
How to go about becoming GDPR compliant?
a. Get top management to see the urgency in getting GDPR compliant
b. Involve all stakeholders. This isn’t an IT-only project. Anyone who uses customer PII needs to be a part of it.
c. Assess your risks. Know what data you store, and what risks attend its use. Find out how much PII your shadow IT is collecting and storing. Ignoring this carries the greatest risk of non-compliance.
d. Hire a DPO (data protection officer). Even a virtual DPO consultant would do.
e. Craft a data protection plan. Make sure it complies with GDPR requirements.
f. Don’t overlook mobile data. Employees access your organization’s PII on mobile devices. It carries unique risks. For instance, if employees can install personal apps on their work devices, and those apps access or store PII, they must do it in GDPR-compliant fashion. Controlling this is difficult.
g. Report your GDPR progress periodically to show that you’re taking action.
h. Implement risk mitigating measures.
i. Small organizations might need to ask for help, if they need assistance with getting GDPR compliant.
j. Test your response plan in the event of breaches. The 72 hour time limit to report and respond can pose challenges.
k. Establish a process for ongoing evaluation. Staying in compliance with GDPR is just as important as getting there.
What happens if you are not GDPR compliant?
The EU is well known for its readiness to slap stiff penalties for regulatory non-compliance. GDPR allows fines for non-compliance of up to 20 million Euros or 4% of global annual turnover, whichever is higher.
I’m a small business. Can I ignore GDPR safely?
Even without getting hit by heavy fines, you’ll suffer from reputation damage if you don’t comply with General Data Protection Regulation (GDPR) norms. And as new privacy laws, rules and regulations evolve, staying compliant will be advantageous.
If you don’t engage in shady practices or process huge volumes of data, you’re unlikely to show up on a regulator’s radar – unless there are complaints against you.
Is there a business-case for being GDPR compliant?
Protection of PII privacy is becoming a cultural norm. If you’re the exception who doesn’t care about it, you’ll lose customers. It’s better to embrace this shift, put best practices into place, and work to respect people’s data.
Will all companies be GDPR compliant by the deadline?
The consensus view among larger US companies is that upto half of them will not be GDPR compliant in time on all requirements.
How will GDPR penalties be assessed?
It’s hard to tell. Fines will likely differ based on the impact and damage that a breach has on individuals. Regulators will probably act quickly on a few companies that aren’t compliant, just to send a message. For now, a good-faith attempt to be in compliance should protect against harsh penalties.
How will GDPR change the way businesses think about data?
Many companies think about their data, and how they mine it, as an asset. That perception could change. With GDPR requiring explicit consent of customers, and firms needing to understand, manage and secure how their data flows, mindlessly sucking up huge volumes of data could come with a whole new set of liabilities.
Within a company, who is responsible for GDPR?
Responsibility for GDPR compliance is shared between a data controller, data processor and the data protection officer (DPO).
Data controllers decide how and why PII is processed, and make sure outside contractors comply.
Data processors (internal or third party) are liable for breaches if contracts are correctly drawn up. Otherwise, both your company and processing partner could be jointly liable for penalties.
The DPO will oversee data security strategy and compliance with GDPR. A DPO is mandatory for companies that process or store large volumes of PII on EU citizens, handle sensitive data, regularly monitor data subjects, or are public authorities.
Will being GDPR compliant have a business advantage?
Three quarters of respondents to a survey believed GDPR compliance will give them a competitive edge by boosting consumer confidence.
What is the future of GDPR and similar regulation?
Data privacy can no longer be ignored. As more scandal breaks out like the Facebook and Cambridge Analytica one, the clamor for appropriate data protection will only grow louder.
It is inevitable that enhanced data protection laws will soon be enacted in other parts of the world, including in the United States. Countries will be rated as being adequate or not, with regard to data privacy protections. And if one is good enough at data protection, transfers will be permitted freely to it.
Is there a checklist of things to do before being GDPR compliant?
a. understand what is personal data and what’s not
b. carry out an inventory of the data that you already have
c. think hard about your lawful ground for processing that data
d. if you need to get fresh consent, then do it before the 25th of May (email re-engagement campaign, Facebook retargeting, etc)
e. think about whether you need to add any tick boxes to your website for data collection and add suitable opt in wording to your sign up box
f. put a system in place for storing records of consent
g. get a new privacy notice, and send it to your subscribers
i. understand the basis on which you’re transferring data out of the EU
j. prepare for enhanced user rights, offer a system for data subject requests
k. appoint a Data Protection Officer, if necessary
l. put in place a system for data breach notification
k. if you’ve got employees, then make sure you’re training them up on GDPR
I hope you found this General Data Protection Regulation (GDPR) primer helpful in some way.
If you need professional help to implement GDPR in your business, talk to a consultant or hire a specialist – do NOT base it upon this information alone. If you want legal certainty, don’t rely on me, please consult a lawyer.