What Is the GDPR?


As online technology has become integrated with every aspect of our lives, personal data now flows around the globe on a gargantuan scale. The explosive growth of so-called "Big Data" went largely unchecked until the European Union's (EU) adoption of the General Data Protection Regulation (GDPR). Since going into effect in 2018, the GDPR has inspired other jurisdictions to pass similar laws, such as the California Consumer Privacy Act.

The GDPR is a comprehensive data privacy law, meant to fundamentally change the way organizations think about personal data by making them be more mindful of how they collect, use, and share that information. The first step in that direction is understanding how the law works and what it requires.

The Scope of the GDPR

The GDPR usually applies in one of two ways. First, it applies to organizations that are “established” in a country that has adopted the GDPR. These countries include the entire European Economic Area (all EU member nations plus Norway, Liechtenstein, and Iceland) and the United Kingdom (collectively, “EEA/UK”). Second, it applies to organizations that are not established in the EEA/UK but offer their goods or services there.

Note: We use the term “organizations” to describe entities that might be covered. The GDPR can apply to individuals, businesses, governments, nonprofits, and anyone else that processes personal data outside of a purely household or personal context.

1. Organizations Established in the EEA/UK

If an organization is established within the EEA/UK, the GDPR applies to all of its data-processing activities regardless of where its data subjects (the people whose data is being processed) are located. For example, if an online business is based in Ireland, it must follow GDPR rules with respect to all of its customers and website visitors even if they are located outside of the EEA/UK.

“Establishment” in the EEA/UK is defined as “the effective and real exercise of activity through stable arrangements” in that territory. Typically, this means a permanent, physical presence of some kind, such as having a headquarters, branch, or subsidiary located there.

2. Offering Goods or Services Within the EEA/UK

The second way an organization can be required to comply with the GDPR is when, even if it is not established in the EEA/UK, it does offer its goods or services there. Such an organization is only required to comply with the GDPR with regard to its processing of the data of European data subjects.

There is no hard rule about what it means to “offer goods or services” in the EEA/UK, but it does require a degree of intention beyond just having a website that is visible to people in Europe. A number of factors may be considered, such as posting prices in the local currency, translating content into European languages, and offering shipping options to the EEA/UK.

Example: An ecommerce business is based in the United States, but also has French and German-language versions of its website where it displays prices in euros. That business is offering its goods to data subjects within the EEA/UK, and will have to comply with the GDPR with regard to any personal data it collects about European data subjects.

What Kind of Data Is Covered by the GDPR?

The GDPR regulates the collection and use of “personal data,” a term that is defined broadly as “any information relating to an identified or identifiable natural person.” This encompasses a wide variety of information, including:

  • Identifiers (email address, postal address, birth date, etc.)
  • Characteristics such as age, gender, and ethnicity
  • Information collected by cookies and other tracking technologies
  • IP addresses
  • Geolocation
  • Financial information (credit card number, annual income, etc.)
  • Web browsing and search history
  • Website interactions
  • Profiles created from other personal data

The list could go on. If you’re not sure if something is personal data, just ask yourself, “Does this information relate to a specific person?” If so, it is personal data.

Controllers and Processors

Two critical terms that any organization seeking to be GDPR compliant must understand are “controller” and “processor.” These are the two categories of parties that actually handle personal data and have legal obligations under the law.

Controllers are the principal actors in the GDPR legal framework; they “determine the purposes and means of the processing of personal data.” In other words, controllers are the ones calling the shots, though in some circumstances they may do so jointly with others.

Processors, on the other hand, only handle personal data on behalf of a controller, typically as a vendor or subcontractor. They may only do so under a written contract that contains specific protections for personal data.

Example: Company A is a retail company that collects email addresses from customers in order to send them promotional communications. It hires Company B, an email vendor, to do the actual sending. With regard to the email addresses, Company A is the controller and Company B is the processor. Company B can still be a controller in its own right over other personal data, e.g., the contact information of employees at Company A, cookie data from its own website visitors, etc.

Key Issues for GDPR Compliance

While it’s far from a comprehensive compliance checklist, these major points should give organizations a good idea of what GDPR compliance entails.

Legal Basis for Processing

Organizations may not process any personal data without first identifying a legal basis for each type of processing activity. The GDPR recognizes six lawful bases:

  • Consent - Organizations may process personal data with the explicit consent of the data subject. Such consent must be affirmative, informed, unambiguous, and confined to a specific purpose. This means data subjects must perform some sort of positive action like checking a box (as opposed to a “by continuing to use this site you agree to…” model of consent) and organizations may not rely on general consent to a long list of processing activities. It must also be freely given, so imbalances of power such as between employer and employee are problematic for valid consent.

    For certain processing activities, such as the use of non-essential website cookies or processing of “special categories” of personal data (data pertaining to ethnic origins, health information, sexual orientation, and other sensitive subjects), consent is the only appropriate legal basis.
  • Performance of a Contract - Data processing is lawful if it is necessary for the performance of a contract to which the data subject is a party. This also applies to steps taken at the request of the data subject prior to entering into a contract.
  • Compliance with Legal Obligations - Processing is lawful if it is necessary for the controller to comply with its legal obligations. The legal obligations must arise from either EU law or the law of nations in which the GDPR applies. For example, a business established in Italy may collect and maintain personal data that is necessary for record-keeping related to domestic taxes.
  • Protection of Vital Interests - Processing that is necessary for the protection of the vital interests of the data subject is lawful. An example of this is the monitoring of personal data during a pandemic.
  • Public Interest - This covers processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. For private organizations, examples of this kind of activity include journalism, academic research, and providing services for people with disabilities.
  • Legitimate Interests - Processing is lawful when necessary for the purposes of the legitimate interests pursued by the controller. For most organizations this legal basis becomes a catch-all category for processing activities that don’t fall under one of the other bases. However, data subjects can object to such processing, and the controller has the burden to prove that its legitimate interests are not overridden by the interests and rights of the data subject.

Data Subject Requests

One of the GDPR’s most conspicuous features is that it grants data subjects the right to make privacy requests to controllers.

  • Right of Access - Data subjects have the right to confirm whether a controller is processing personal data about them and, if so, access that personal data.
  • Right to Rectification - If a controller has inaccurate personal data about a data subject, the data subject has the right to correct those inaccuracies.
  • Right to Erasure - Also known as the “right to be forgotten.” Data subjects can request the deletion of their personal data.
  • Right to Restriction of Processing - In some circumstances, data subjects can request that the processing of their personal data be restricted. Restricted processing most commonly means the data is merely stored and not otherwise used, for example while the data subject pursues a legal claim or the controller’s lawful basis is being disputed.
  • Right to Data Portability - Upon request, controllers must provide personal data to a data subject in a format that is machine-readable and commonly used, so that it may be easily transferred to another controller.
  • Right to Object - Data subjects can object to the processing of their data when it is processed for the controller’s legitimate interests or for direct marketing. In the case of legitimate interests, the controller may resume processing if it demonstrates compelling grounds which are not overridden by the interests of the data subject. Processing for direct marketing must cease upon objection.
  • Right Not to be Subject to Automated Decision-Making - Controllers may engage in automated decision-making, including profiling, but if the decision-making produces legal or similarly significant effects for the data subject, they have the right to request human intervention and other safeguards.

International Data Transfers

One issue that has become contentious since the adoption of the GDPR is that of international data transfers. The GDPR prohibits the transfer of personal data outside of the EEA/UK unless adequate safeguards are in place to protect the data from intrusion by public authorities. These safeguards include:

  • Adequacy Decisions - Some countries have been deemed to have an adequate level of protection, such that data may be transferred there without further safeguards. These countries are: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, and Uruguay. The United States is noticeably absent from this list.
  • Standard Contractual Clauses (SCCs) - The European Data Protection Board has created a series of standard contracts that data importers and exporters can enter into that should provide sufficient safeguards.
  • Alternate Frameworks - In the absence of an adequacy decision, national leaders may still work out an alternate legal framework to ensure the privacy of data subjects’ personal data in other countries. The now-defunct EU-US Privacy Shield was an example of such a framework.

International data transfers are contentious because a vast amount of personal data is processed in the United States, which has not been the subject of an adequacy decision. This was formerly facilitated by the EU-US Privacy Shield, a voluntary certification program that allowed this data to keep flowing. However, an EU court case in 2020 invalidated the Privacy Shield framework as being insufficient to protect data from intrusion by the U.S. federal government.

This decision has left thousands of organizations scrambling to find an alternate solution. Most of them have adopted an updated version of the official SCCs, but these impose difficult requirements on data exporters and there is reason to doubt whether they will stand up to legal scrutiny. American and EU officials are attempting to create a new legal framework similar to the Privacy Shield that will resolve the issue.

Privacy Disclosures

A major component of compliance with any of the modern data privacy laws is posting privacy disclosures on websites, mobile apps, and anywhere else an organization collects personal data. The GDPR disclosures must be tailored to each organization’s data practices and include the following information.

  • The contact details of the controller and its data protection officer (where applicable)
  • The purposes and legal bases for processing personal data
  • The legitimate interests pursued by the controller
  • A list of any recipients or categories of recipients of personal data
  • Whether the controller intends to transfer the data to a third country, and what safeguards are in place
  • The period for which the personal data will be retained
  • The existence of the data subject’s privacy rights
  • The existence of the right to withdraw consent
  • The existence of the right to lodge a complaint
  • Whether the provision of personal data is a statutory or contractual requirement
  • The existence of automated decision-making which produces legal or similarly significant effects for the data subject

Penalties for Failing to Comply with the GDPR

Each country has its own data protection authorities tasked with enforcing the GDPR within its borders. Across Europe, these authorities have been quite aggressive in their enforcement, going after small and large organizations alike. The maximum fine for violations is €20,000,000 or 4% of global turnover (whichever is higher), and some companies have already racked up multiple fines of tens of millions of euros.

Simplified GDPR Compliance

The GDPR is a comprehensive law with many requirements. This leaves many small and medium-sized businesses in a tight spot: they have GDPR commitments but don’t have the resources to handle compliance.

TrueVault Polaris is designed to help SMBs become GDPR compliant on their own, at a fraction of the cost of hiring lawyers or consultants. Similar to online tax software, Polaris works through an intuitive question-and-answer interface, allowing businesses to get compliant in as little as a few hours. Polaris also includes the necessary tools, from opt-out management to privacy-request workflows, to help you stay compliant with minimal effort. Contact us today to learn more.
