GDPR is a relatively new set of rules implemented by the EU as a way to offer citizens better control of their privacy and personal data. GDPR stands for General Data Protection Regulation - and was created with the intention of simplifying regulations within the digital economy and making business easier. Having only been implemented in 2018, it accurately reflects the current level of technology and the concerns regarding personal data and privacy. We will be going through the 7 principles of GDPR.
As we briefly stated, GDPR stands for General Data Protection Regulation and was only just implemented by the European Union (EU) in 2018. GDPR is an individual-centric regulation, meaning that the law protects citizens within the EU by guaranteeing them certain rights relating to their personal data.
In our age of technology, nothing is more valuable than data. Every day, millions of people exchange their data for services on the internet. Data protection is getting more and more important as more of our private information is increasingly shared online every day (whether through social media sharing, inadvertently so, or privacy breaches).
The GDPR is also significant because its implementation means that companies have to be aware of the hundreds of requirements it imposes to determine which parts of it apply to them. The GDPR has a significant impact on privacy and security requirements.
The purpose of GDPR is to protect the data of EU citizens and residents. Article 3(2) of the GDPR states that organizations that 1) control and process a large amount of data of citizens within the European Economic Area (EEA), and 2) offer goods and services to citizens within the EEA, are liable under the GDPR.
This means that the GDPR applies to all EU-based entities (businesses and companies) even if the data are being used or stored outside of the EU.
Despite the GDPR being an EU regulation, organizations all around the world have scrambled to comply with it. This is because the GDPR is applicable not only within the EU but also applies to entities that offer goods and services and collect and process the data of EU customers.
If you are running a business that seeks to target EU customers (i.e. offering goods and services to people in the EU), then the GDPR applies. However, the GDPR does not apply if you are not catering to EU customers, but instead, a few EU citizens that want to use your goods or services. In particular, it should not apply if you are mainly offering goods and services locally (outside of the EU and not targeting EU citizens) through an online platform.
There is no hard rule that sets out what percentage of EU-derived revenue you need before the GDPR takes effect. Rather, the regulator is more focused on any indication of intent to target EU customers. An example indication is whether the business offers payment in Euro or advertises on a European website - which, if so, your business ought to be GDPR compliant.
This is a particularly important area if your website has tracking functions such as cookies to monitor the behaviour of your users. While it may be difficult in practice for EU regulators to come after you if you are not based in the EU, you should nevertheless comply with GDPR if you conduct business with EU customers and plan to carry on doing so.
There are two main exceptions that individuals, small, and medium-sized businesses can rely on for an exemption from the GDPR:
Purely Personal or Household Activity - GDPR only applies to "professional or commercial activity". As such, purely personal or household activity is exempted from the GDPR. For example, if you collect personal information for a private event such as a wedding, the GDPR would not apply. However, pay attention to the word "purely" - if you are also advertising certain wedding services as a side project to sponsor your wedding, the GDPR would apply to you.
Entities with less than 250 Employees - Small and medium-sized businesses with fewer than 250 employees are exempt from certain GDPR obligations, such as record-keeping obligations. That said, they are still required to comply with the bulk of the GDPR requirements such as giving rights of access to customers and explicit marketing consent.
The first data protection law was implemented in 1973 in Sweden. Soon after, countries all around the world followed suit, with over 80 countries around the world having different guidelines in place to protect the data of their citizens. The GDPR stands out as being the most progressive regulation thus far, and it has already made a large impact on how global online businesses are being conducted.
Governments around the world are trying to follow the lead of the EU. In fact, no other regulation has created as much global buzz as the GDPR. This is especially the case in California, which has already implemented its own version of GDPR, the California Consumer Privacy Act (CCPA), which imitates the key tenets of GDPR.
Even if your business does not fall within the bounds of the GDPR, it is good to start implementing the 7 principles of GDPR, which lie at the heart of the GDPR regime, as good practice. It is expected that sooner or later, they will be adopted as universal principles for data protection.
Here are the 7 Principles of GDPR as set out in Article 5:
1. Lawfulness, Fairness, and Transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability
This principle focuses on the requirement that personal data should be collected and processed lawfully and fairly. There must be full transparency in the process of collection and processing.
This requires you to give transparent notice to your user on what you plan to use the data for, and how you plan to use that data legally and fairly (only for the purpose your user has agreed to).
This principle specifies that personal data should be collected for explicit and legitimate purposes, and not further processed in a manner that is incompatible with such purposes. Further processing for archiving in the public interest, or for scientific, historical, or statistical purposes, shall not be considered incompatible with the initial purposes.
This again relates to using the data fairly. The purpose of using the data should be specific and the use should be limited to the stated purpose. Further processing can only be done if not incompatible with the initial purpose.
This principle highlights that only the minimum amount of personal data needed should be collected - and, if collected, in an adequate and relevant manner. The personal data should be limited to what is necessary for the purposes for which they are processed.
Similar to purpose limitation, you should limit collection to the minimum amount of personal data required for your purpose. This may require you to create a data minimization policy to justify that the amount of data collected is adequate and relevant.
This principle emphasizes that personal data which is stored should be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.
If you do not keep your database up to date, or it is not necessary to keep it up to date, you should delete outdated and inaccurate data promptly.
Storage limitation means that personal data is only kept for a limited amount of time, and in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the GDPR to safeguard the rights and freedoms of individuals.
You should set a policy on the period of storage of personal data and justify the time limit with proper documentation, in particular if the data need to be archived in the public interest or for scientific or historical research.
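A retention schedule of the kind described above is easy to enforce mechanically once it is written down. The following is an added example (not code from the article) of a storage-limitation review: each processing purpose maps to a documented maximum retention period, records held solely for the archiving or research purposes the article mentions are exempted, and records whose purpose has no documented period at all are reported separately, because an undocumented retention period is itself a compliance finding. The purposes, periods and records are constructed for the example.

```python
"""Storage-limitation review over a constructed set of records.

Added example; the purposes, retention periods and records below are
assumptions made for illustration, not values from the article.
"""
from datetime import datetime, timedelta, timezone

# Constructed retention schedule: purpose -> maximum retention period.
# In practice each entry should cite the written justification for its period.
RETENTION = {
    "order_fulfilment": timedelta(days=365 * 2),
    "marketing_consent": timedelta(days=365),
    "support_ticket": timedelta(days=180),
}

# Purposes the article lists as permitting longer storage, on the assumption
# that the required technical and organisational safeguards are documented.
ARCHIVE_PURPOSES = {"public_interest_archiving", "scientific_research", "statistics"}


def review_retention(records, now, schedule=RETENTION, exempt=ARCHIVE_PURPOSES):
    """Return (to_erase, undocumented).

    to_erase     - ids of records whose retention period has elapsed
    undocumented - ids of records whose purpose has neither a schedule entry
                   nor an archiving exemption, so their retention cannot be
                   justified and the policy itself needs fixing
    """
    to_erase, undocumented = [], []
    for rec in records:
        purpose = rec["purpose"]
        if purpose in exempt:
            continue  # archived under the exemption; reviewed separately
        limit = schedule.get(purpose)
        if limit is None:
            undocumented.append(rec["id"])
            continue
        if now - rec["collected_at"] > limit:
            to_erase.append(rec["id"])
    return to_erase, undocumented


# Constructed sample records (timestamps are timezone-aware to avoid
# naive/aware comparison errors when 'now' comes from the system clock).
UTC = timezone.utc
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "order_fulfilment", "collected_at": datetime(2021, 1, 1, tzinfo=UTC)},
    {"id": 2, "purpose": "order_fulfilment", "collected_at": datetime(2023, 9, 1, tzinfo=UTC)},
    {"id": 3, "purpose": "support_ticket", "collected_at": datetime(2023, 11, 1, tzinfo=UTC)},
    {"id": 4, "purpose": "scientific_research", "collected_at": datetime(2015, 3, 1, tzinfo=UTC)},
    {"id": 5, "purpose": "legacy_crm", "collected_at": datetime(2020, 6, 1, tzinfo=UTC)},
]
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=UTC)  # constructed review date

if __name__ == "__main__":
    erase, undocumented = review_retention(SAMPLE_RECORDS, REVIEW_DATE)
    print("erase:", erase)              # records 1 and 3 have exceeded their period
    print("undocumented:", undocumented)  # record 5 has no documented period
```

Run against the sample data, records 1 and 3 come back for erasure, record 4 is left alone under the research exemption, and record 5 is flagged because "legacy_crm" is not in the schedule. The separate "undocumented" list is the useful part in practice: it turns a missing policy entry into something the review surfaces rather than silently retaining the data forever.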
This requirement points to the fact that personal data should be kept securely and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
You will need to implement protective security measures such as anonymization or pseudonymization systems to protect the identity of your data subjects.
Accountability refers to the requirement that you take responsibility for complying with the GDPR principles and are able to demonstrate that compliance.
You are responsible for demonstrating compliance with GDPR. That is why you should have a suite of privacy, data protection, and cookie policies. You should also justify all your data protection measures and document them in writing.
These seven principles form the basis and rationale for most rules within the GDPR and are quickly becoming the universal data protection principles on a global scale. So even if your business does not fall within the remit of the GDPR, it is advisable to follow the seven principles above when you make decisions regarding data protection.
Consumers often provide personal information and other private data to different organizations. Even if this information is not willingly or actively provided, most websites have cookies to track consumer behaviour.
This data, while necessary to keep the internet up and running, serves a wholly different purpose to organizations. Upon gathering data, organizations analyze and interpret it to generate consumer information.
Organizations tailor their services to users based on their information, sell targeted advertisements, and even sell the information and data to third parties. By implementing these strategies, organizations can gain traction, maintain user satisfaction, and even make a profit.
Before the GDPR, most websites made it mandatory for consumers to accept all terms and conditions and privacy policies before being allowed to use their service. These terms were, however, clearly very one-sided with few privacy protections for consumers.
The GDPR seeks to give some of these rights back to the consumers. Below are some of those rights:
Consumers have the right to request access to their personal information and any supplementary information from organizations that are holding the information.
Consumers can request for their information to be amended or updated if it is inaccurate.
Consumers can request that their information is deleted or removed upon the withdrawal of consent, or where the data is no longer relevant or accurate.
Consumers can request for their personal information to be provided to them, and have them transferred to another provider.
Before the GDPR, consumers who signed up to websites were frequently spammed by marketing emails. The GDPR requires explicit consent from consumers to receiving marketing emails (usually through an unchecked checkbox during registration). The consent request must be conveyed in plain language, and a lack of response by consumers does not indicate consent.
Since the GDPR imposes sweeping fines and penalties for non-compliance, small businesses looking to break into the global market might find the GDPR daunting. By contrast, large businesses have teams of lawyers and IT professionals who are trained to tackle GDPR compliance, a resource small businesses may not have.
If you are a small business - don’t worry. Read on to learn how to protect your business and protect your users’ data.
It is well known that the consequences of violating the GDPR are sweeping and harsh. Noncompliance with the GDPR can lead to:
Warning notices for first-time offences;
Regular data protection audits; or
Fines of up to 20 million euros or 4% of the annual worldwide turnover of the preceding year for enterprises, whichever is greater.
If you want to avoid these penalties, the following policies are especially important to note:
The GDPR refers to organizations as either “controllers” or “processors”. Controllers refer to organizations that collect data, and processors refer to organizations that process data on behalf of the controller. Simply put, if you collect and/or process data of citizens in the European Union in a commercial capacity rather than an individual capacity, you fall under the remit of the GDPR.
One thing to note is the definition of ‘personal data’ under the GDPR. Rather than the traditional “personally identifiable information” definition, the GDPR has famously adopted a broader definition to adequately protect European Economic Area citizens.
Personally identifiable information refers to data that can be traced back to a particular person, through their name, social security number, or their email. Aside from “direct” information, indirect information is also protected. This may include IP addresses, any cultural or political identifiers and opinions, and potentially even the time they arrive at work each day. As long as a person can be either directly or indirectly identified with the data given, it is protected under the GDPR.
You should note that the GDPR only applies to natural persons - not legal persons. This means that you can legally collect data on a corporation in the European Economic Area without compliance with the GDPR. However, you may not do the same for a person in the European Economic Area.
When discussing data processing under the GDPR, there are six circumstances in which personal data may legally be processed. Personal data can only be processed if:
The data subject (owner of the data) has given informed consent to have their data processed;
The data is processed to fulfil contractual obligations, or on the request of the data subject in order to enter into a contract;
The data is needed to comply with the legal obligations of the controller;
The data is needed to protect the vital interests of the data subject or any other individual;
The data is needed to perform tasks in the public interest; or,
The data is processed for the legitimate interests of the data controller or a third party.
It is important to note that if you seek the informed consent of the data subject, the consent must be explicit. The data user must know how their data is to be collected and used and agree to the collection and processing of their data. The data user must also be allowed to withdraw their consent at any time.
As such, not allowing a user to use the service if they do not agree to have their data collected and processed is a violation of the GDPR. Having an opt-out structure to seek the consent of users, as well as bundling different forms of collection into one general consent, would also violate the GDPR.
As stated, the GDPR offers many rights to European Economic Area citizens regarding data privacy.
One such right is the right of access. This means that the data user should be allowed access to their data such that they can see how it is being processed, with whom the data is being shared, and how the data was acquired.
Their data must also be in a "transferable format". This means that the data user must receive their data in a structured format that is clear and readable, and in a common electronic format.
Thus, if a European Economic Area customer requests access to the information you have been storing on them, you must comply with the request. The response must be reasonable - it should be presented in a readable format rather than in the form of raw data or encrypted data.
A right that is relatively unique and new to the data protection world is the right of erasure, which is similar to the right to be forgotten, but more limited. It allows the data user to request that their data be deleted within 30 days after the request is submitted.
This means that if a European Economic Area citizen wants their information to be erased from your database, the request must be complied with and their data and information must be removed.
The GDPR simultaneously places several duties on controllers and processors.
Under the GDPR, pseudonymization is required for all stored data. The goal of this is that where there is a data breach, the compromised data is not linked back to a specific individual. This can be done through encryption or tokenization.
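The following is an added example (not code from the article) of pseudonymization by keyed tokenization, the approach the paragraph above calls tokenization. The working dataset keeps only opaque tokens; the mapping from token back to the real identifier, together with the secret key, lives in a separate vault that should sit in a different store with different access rights. That separation is what gives the property the article describes for a breach: the working dataset on its own cannot be linked back to a person. The same structure also serves the access and erasure rights described earlier, since an access request is a lookup by token and an erasure request can be satisfied by removing the vault entry. Names, the key, and the records are constructed for the example.

```python
"""Pseudonymization by keyed tokenization over constructed records.

Added example; the class, function names, key and sample records are
assumptions made for illustration, not from the article.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PseudonymVault:
    """Secret key plus the token -> identifier map.

    Keep this apart from the pseudonymized data (separate store, separate
    access rights).  Without the vault, tokens are just random-looking strings.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _reverse: dict = field(default_factory=dict)

    def tokenize(self, identifier: str) -> str:
        # HMAC-SHA256 rather than a plain hash: without the key, an attacker
        # who guesses an email cannot recompute the token and confirm a match.
        normalized = identifier.strip().lower().encode()
        token = hmac.new(self.key, normalized, hashlib.sha256).hexdigest()
        self._reverse[token] = identifier
        return token

    def reidentify(self, token: str):
        """Only code holding the vault can go from token back to a person."""
        return self._reverse.get(token)

    def erase(self, token: str) -> bool:
        """Right to erasure: dropping the mapping leaves every copy of the
        working records unlinkable to the person.  Returns False if the
        token was already unknown."""
        return self._reverse.pop(token, None) is not None


def pseudonymize_records(vault: PseudonymVault, records):
    """Replace the direct identifier ('email') with a token; keep the rest."""
    working = []
    for rec in records:
        copy = dict(rec)
        copy["subject"] = vault.tokenize(copy.pop("email"))
        working.append(copy)
    return working


def subject_access_export(working, token: str):
    """Right of access: collect everything held under one token as a list of
    plain dicts, i.e. a structured form that is trivial to serialise as JSON."""
    return [rec for rec in working if rec["subject"] == token]


# Constructed sample input; the mixed-case email shows the normalisation.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "purchase": "book", "amount": 12.0},
    {"email": "Bob@example.org", "purchase": "pen", "amount": 2.5},
    {"email": "Alice@example.org", "purchase": "lamp", "amount": 30.0},
]

if __name__ == "__main__":
    vault = PseudonymVault()
    working = pseudonymize_records(vault, SAMPLE_RECORDS)
    alice = working[0]["subject"]
    print("working record:", working[0])            # no email, only a token
    print("access export:", subject_access_export(working, alice))
    print("erased:", vault.erase(alice))
    print("re-identify after erasure:", vault.reidentify(alice))  # None
```

Two design points worth noting. The token is deterministic for a given key, so the two records for the same person still group together in the working dataset, which is what makes analytics possible without the identifier. And because the key is what separates a token from a plain hash, the key must be handled like any other secret: if it leaks together with the working data, the pseudonymization is reduced to a lookup attack on guessable identifiers.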
The GDPR requires that data protection is a part of the business process. This means that security measures to protect data must be at a high level.
When there is a data breach, data controllers and processors are required under the GDPR to notify relevant authorities within 72 hours. Generally, if there is a high risk of an adverse impact, the individual data subjects must also be notified. No notification is needed if the data is sufficiently protected such that the data is unreadable.
One special duty companies and enterprises have is to appoint a data protection officer (DPO).
A data protection officer must not only know the data privacy laws of the EU and the country of business, but is also put in charge of the data. That means that the DPO should be knowledgeable about both law and IT security.
If your company or enterprise is outside the EU, not only is a Data Protection Officer needed but so is an EU-based representative to act as a contact point. Since their role is mostly similar to the Data Protection Officer, it is possible for the Data Protection Officer to simultaneously act as the EU contact point.
You are probably thinking that the GDPR seems to confer many duties and potential penalties, and that compliance is a daunting task.
We would advise you to start with an internal audit of your data. Analyze what data you collect, how much of it is collected, and what the data is used for. Doing so will provide you with a framework of what you can continue collecting, and what to cease collecting.
Following that, figure out who should be responsible for what data. Doing so will allow you to divide work evenly throughout the enterprise and understand if you are a processor or controller, and whether you need to outsource your data to a GDPR-compliant data processor. At this stage, ideally, you would appoint your data protection officer.
You should then focus on finding the best way to pseudonymize and organize data. Given the technical nature of the task, everyone needs to maintain communication and stay on the same page. Doing so will allow for the best results - full compliance with the GDPR in terms of data security, and happy customers on the business front.
For small businesses, GDPR can look like a daunting and risky body of regulations that hinders business development. However, compliance with the GDPR is not as hard as it may initially seem as long as proper measures are taken to ensure compliance and communication, and teamwork within the enterprise is ample.
Please note that this is just a general summary of GDPR for Small Businesses under common law and does not constitute legal advice. As the laws of each jurisdiction may be different, you may want to speak to your legal advisor.