GDPR stands for General Data Protection Regulation, which was implemented by the European Union (EU) in 2018. GDPR is an individual-centric regulation, where the law protects citizens within the EU by guaranteeing them certain rights relating to their personal data.
In the day and age of technology, nothing is more valuable than data. Every day, millions of people willingly exchange their data for services on the internet. It goes without saying that because our data is so valuable, there is a need to have it protected. Data protection is getting more and more important as more and more of our private information is being made available online every day (whether knowingly through social media sharing or inadvertently through using online services or privacy breaches).
The purpose of GDPR is to protect the data of EU citizens and residents. Article 3(2) of the GDPR states that organisations which 1) control and process a large amount of data of citizens within the European Economic Area (EEA), and 2) offer goods and services to citizens within the EEA, are liable under the GDPR.
This means that the GDPR applies to all EU based entities (businesses and companies) even if the data are being used or stored outside of the EU.
Despite it being an EU regulation, organisations all around the world have scrambled to comply with it. This is because the GDPR applies not only within the EU but also to entities that offer goods and services to EU customers and collect and process their data.
If you are running a business that sets out to target EU customers - i.e. offering goods and services to people in the EU, then the GDPR would apply. However, it would not apply if you are not catering to EU customers but a few EU citizens may still be using your goods or services. In particular, it should not apply if you are mainly offering goods and services locally (outside of the EU and not targeting EU citizens) through an online platform.
There is no hard and fast rule on what percentage of revenue you must be generating from the EU before GDPR kicks in. Rather, the regulator would look more at any indication of intent to target EU customers, for example whether the business offers payment in Euro or advertises on European websites. If so, your business should be GDPR compliant.
This is particularly important if your website has tracking functions such as cookies to monitor the behaviour of your users. In practice, it may be difficult for EU regulators to come after you if you are not based in the EU, but technically you should comply with GDPR if you carry on business with EU customers.
There are two main exceptions that individuals and small and medium-sized businesses can rely on to be exempted from GDPR:
The first data protection law was implemented in 1973 in Sweden. Soon after, countries all around the world followed suit, with over 80 countries now having different guidelines in place to protect the data of their citizens. The GDPR is by far the most progressive regulation and has a huge impact on how global online businesses are being conducted. No other regulation has created as much global buzz as the GDPR, and governments from around the world are trying to follow the lead of the EU. California has already implemented its version of GDPR, the California Consumer Privacy Act (CCPA), following the key principles of GDPR.
Even if GDPR does not strictly apply to your business now, it is good to start implementing the 7 principles of GDPR, which lie at the heart of the GDPR regime, as best practice. Sooner or later they will be adopted globally as universal principles for data protection by the countries / jurisdictions that you may operate in.
The 7 Principles of GDPR are set out in Article 5:
1. Lawfulness, Fairness and Transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability
That personal data should be collected and processed lawfully and fairly. There must be full transparency in the process of collection and processing.
This means that you should give transparent notice to your users of what you are going to use their data for, and use the data legally and fairly (only for the purposes your users have agreed to).
That personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
This again relates to using the data fairly. The purpose of using the data should be specific and the use should be limited to the stated purpose. Further processing can only be done if not incompatible with the initial purpose.
That only the minimum amount of personal data should be collected in an adequate and relevant manner. The personal data should be limited to what is necessary for the purposes for which they are processed.
Similar to purpose limitation, you should limit yourself to collecting the minimum amount of personal data required for your purpose. You may need to create a data minimisation policy to justify that the amount of data collected is adequate and relevant.
That personal data which is stored should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
If you are not keeping your database up to date, or it is not necessary to do so, you should delete outdated and inaccurate data promptly.
That personal data is only kept for a limited amount of time and in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
You should set a policy on the period of storage of personal data and justify such time limit with proper documentation, in particular if the data need to be archived in the interest of the public, science or research.
That personal data should be kept securely and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
You will need to implement protective security measures such as anonymisation or pseudonymisation systems to protect the identity of your data subjects.
That accountability and compliance should be ensured and that GDPR policies should be followed by the controller.
You are responsible for, and must be able to demonstrate, compliance with GDPR. That is why you should have a suite of privacy, data protection and cookie policies. You should also justify all your data protection measures and document them in writing.
These seven principles form the basis and rationale for most laws within the GDPR and are fast becoming the universal data protection principles internationally. So when in doubt, it is advisable to follow the seven principles in making decisions regarding data protection.
Consumers provide personal information and other private data to different organisations whilst using the internet when they register. Even if they have not registered, most websites have cookies to track the behaviours of consumers.
These data, while essential to use and operate the internet, serve a wholly different purpose for organisations. Upon gathering data, organisations can analyse and interpret it to form information which they can then use for different things.
Some organisations may tailor their services to the user based on their information, others may sell targeted advertisements, and some organisations may even sell this information and data to third parties. These strategies are ultimately how organisations gain traction, maintain user satisfaction, and even make a profit.
In the past, most websites made it mandatory for consumers to accept all terms and conditions and privacy policies before being allowed to use their service. These terms are obviously very one-sided with little privacy protections for the consumers.
The GDPR gives some of these rights back to the consumers through the following:
Consumers have the right to request access to their personal information and any supplementary information from any organisation that is holding the information.
Consumers can request for their information to be amended or updated if it is inaccurate.
Consumers can request for their information to be deleted or removed upon the withdrawal of consent, or where the data is no longer relevant or accurate.
Consumers can request for their personal information to be provided to them, and have them transferred to another provider.
Consumers who signed up to websites before GDPR were frequently spammed by marketing emails. GDPR requires explicit marketing consents by consumers (usually through an unchecked checkbox during registration) for the consumers to be sent marketing materials. The consent must be written in plain language and a lack of response by consumers does not indicate consent.
GDPR imposes sweeping fines and penalties for non-compliance. For small businesses looking to break into the global market, the GDPR will seem daunting due to its harsh penalties and plethora of duties. Large businesses have teams of lawyers and IT professionals who can tackle GDPR compliance and avoid penalties perfectly well, something small businesses may not have.
Being mindful of the information and pitfalls below will help create a pathway and direction to best comply with the GDPR without the resources that a large enterprise may have. Read on to learn how to protect your business and protect your users’ data!
Another reason why organisations take GDPR compliance so seriously is the consequences which come with a violation. Noncompliance with the GDPR can lead to:
To avoid the above penalties, the following policies are especially important to note:
The GDPR refers to organisations as either “controllers” or “processors”. Controllers refer to organisations which collect data, and processors refer to organisations which process data on behalf of the controller. Simply put, if you collect and/or process data of citizens in the European Union in a commercial capacity, rather than an individual capacity, the GDPR applies to you.
One thing to note is the definition of personal data under the GDPR. Rather than the traditional “personally identifiable information” definition, it has famously adopted a broader approach in order to protect European Economic Area citizens.
Personally identifiable information refers to data which can be traced back to a particular person, such as their name, social security number, or their email. Under the GDPR, aside from the above “direct” information, indirect information is also protected. This includes their IP address, any cultural or political identifiers and opinions, and even what time they come into work. Generally, as long as a person can be either directly or indirectly identified with the data given, it is protected under the GDPR.
Do note that the GDPR only applies to natural persons and not legal persons. This means that you may collect data of a corporation in the European Economic Area without compliance with the GDPR. However, you may not do the same for a person in the European Economic Area.
When discussing data processing under the GDPR, there are a total of six lawful bases on which you may process data. Personal data can only be processed if:
It is important to note that if you seek the informed consent of the data subject, the consent must be explicit. The data user must know specifically how their data is to be collected and used and agree to the collection and processing of their data. The data user must also be allowed to withdraw their consent at any time.
As such, not allowing a user to use the service if they do not agree to have their data collected and processed may be a violation under the GDPR. Having an opt-out structure to seek the consent of users as well as bundling different forms of collection as one general collection would also violate GDPR regulations.
As stated previously, the GDPR offers a multitude of rights to European Economic Area citizens regarding their data privacy.
One such right is the right of access. It means that the data user should be allowed access, upon their request, to their own data, how it is being processed, with whom the data is being shared with, and how the data was acquired.
Their data must also be in a “transferable format”. This means that the data user must receive their data in a structured format which is clear and readable, and in a common electronic format.
Thus, if a European Economic Area customer requests to look at all the information you have been storing on them, the request must be complied with. The data must also be delivered clearly and in a readable manner instead of as raw data or encrypted data.
A right which is relatively unique and new to the data protection world is the right of erasure, which is similar to the right to be forgotten, but more limited. It allows the data user to request that their data be deleted within 30 days after the request is submitted.
This means that if a European Economic Area citizen wishes for their information to be erased from your database, the request must be complied with and their data and information must be removed.
The GDPR simultaneously places several duties on controllers and processors.
First of all, under the GDPR, pseudonymisation is required for all stored data. The goal of this is that if there is a data breach, the compromised data cannot be linked back to a specific individual, because of the process that was used to make the data pseudonymous. This can be done through methods such as encryption or tokenisation.
Interestingly, the GDPR requires that data protection be a part of the business process. As such, any security measures to protect data must be at a high level.
In the event of a data breach, data controllers and processors are required under the GDPR to notify relevant authorities within 72 hours. Generally, if there is a high risk of an adverse impact, the individual data subjects must also be notified. However, no notification is needed if the data is sufficiently protected such that the data is unreadable.
One special duty on companies and enterprises is that of having a data protection officer.
Generally, a data protection officer must not only have knowledge of the data privacy laws of the EU and the country of business, but is also essentially in charge of the data. That means that the DPO should have ample knowledge of both the law and IT security.
If your company or enterprise is outside the EU, not only is a Data Protection Officer needed, but also an EU-based representative to act as a contact point. Their role is fundamentally similar to the Data Protection Officer, and it is possible for the Data Protection Officer to simultaneously act as the EU contact point.
Reading up to here, the GDPR seems to confer many duties and potential penalties and it may seem like a daunting task to scramble for compliance.
Generally, it is advisable to start with an internal audit of your data. Analyse what data you collect, how much of it is collected, and what the data is used for. Doing so will provide you with a framework of what you can continue collecting, and what to cease collection of.
Following that, figuring out who should be responsible for what data is a sensible step. Doing so will allow you to divide work evenly throughout the enterprise, understand whether you are a processor or a controller, and decide whether you need to outsource your data to a responsible and GDPR-compliant data processor. This is the best stage to appoint your data protection officer.
The heavy lifting will then be technical, focusing on finding the best way to pseudonymise and organise data. Even if it is technical, it is important for everyone to maintain communication and stay on the same page. Doing so will allow for the best results - full compliance with the GDPR in terms of data security, and happy customers.
Particularly for small businesses, GDPR can be a daunting and risky challenge which may hinder business development. However, compliance with the GDPR can be done well and properly as long as proper measures are taken to ensure compliance, and communication and teamwork within the enterprise are ample.
Please note that this is just a general summary of GDPR for Small Businesses under common law and does not constitute legal advice. As the laws of each jurisdiction may be different, you may want to speak to your legal advisor.
DocPro Legal is a team of legal professionals with a passion for making quality documents and legal contract templates widely available to the public through cutting edge technology. Our lawyers are qualified in numerous common law jurisdictions including the United Kingdom, Australia, New Zealand, India, Singapore and Hong Kong. We have experience in major law firms and international banks with expertise in business, commercial, finance, banking, litigation, family, succession and company laws.