General Data Protection Regulation (GDPR)
The EU GDPR brought the biggest shift in data protection law since the rise of the internet, mobile devices, e-commerce, social media, and big data. It took effect on May 25, 2018, and businesses across the globe have been chasing compliance ever since.
What You Need to Know About GDPR:
The GDPR is extremely broad!
The GDPR applies if an organization:
- Is established in the EU and processes personal information, irrespective of where the data processing physically occurs; or
- Is established outside the EU but processes personal information as part of offering goods or services to individuals in the EU, or monitors the behavior of individuals within the EU.
In plain English, the GDPR created rules for essentially any organization that handles personal information of an individual in the EU.
The terms data processor and data controller are important to organizations trying to understand how the GDPR affects them. Under the GDPR, a data controller is the entity that decides the purposes and means of processing personal information: how it will be collected, used, shared, retained, and destroyed. If something goes wrong, for example a data breach or mishandling of data, the controller is on the hook.
A data processor, on the other hand, is simply that: a party that processes the data on behalf of the data controller. Processors are contracted by the controller to process the personal information only as instructed and only for the controller’s purposes, among other obligations.
Companies need to determine whether they are a “data processor” or a “data controller” because the law applies differently to each type of entity. Most of the GDPR’s compliance obligations attach to the data controller, though processors have direct obligations of their own.
The GDPR offers very few exemptions from its scope, including:
- Personal or Household Activities: processing of personal information by an individual in the course of a purely personal or household activity is outside the GDPR’s scope;
- Think: maintaining your own digital address book on your laptop. Your friend cannot invoke their GDPR right to erasure to make you delete their phone number!
- Processing in the course of an activity that falls outside the scope of EU law;
- Think: an EU member state’s national security activities.
- Processing by competent authorities for the prevention, investigation, and prosecution of criminal offenses and for public security (this is covered by a separate EU directive);
- Processing by EU member states in the course of the EU’s common foreign and security policy.
Small Business record-keeping exemption: Organizations employing fewer than 250 people are exempt from the requirement to maintain Records of Processing Activities (ROPAs), unless the processing they conduct is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data (sensitive data) or data relating to criminal convictions and offenses. In practice, almost every business processes employee data on a regular basis, so the exemption rarely applies. We recommend that all companies maintain ROPAs because the record helps them comply with other obligations under the GDPR and manage special categories of employee data effectively.
Unique Use Cases and personal information: The GDPR has rules related to specific use cases, including:
- Journalistic purposes or academic, artistic, or literary expression (Article 85);
- Official documents (Article 86);
- Processing in the context of employment (Article 88):
- EU Member States can set rules for processing employees’ personal information, especially regarding consent conditions. These rules may cover purposes like recruitment, contract performance, legal obligations, workplace management, equality, health, safety, and employment rights. They also cover processing information for employment termination.
- Archiving in the public interest, scientific or historical research purposes, or statistical purposes (Article 89).
Key Components of GDPR
The GDPR covers “personal data,” or personal information, which is defined as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Certain types of personal information are granted additional protection under the GDPR. These special categories are roughly equivalent to the US concept of sensitive personal information. Organizations are prohibited from processing the following categories of personal information unless one of the exceptions below applies:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data or biometric data for the purpose of uniquely identifying a natural person;
- Health data;
- Sex life or sexual orientation.
The processing of special categories of information is allowed in the following circumstances:
- With the explicit consent of the data subject;
- Where it is required by employment or social security and protection law;
- The protection of vital interests;
- Limited activities of certain non-profits;
- Where the data was manifestly made public by the data subject;
- Legal claims;
- Substantial public interest or public health;
- Certain healthcare scenarios; or
- Archiving, research, and statistics in the public interest.
The GDPR has specific rules for the processing of data related to criminal convictions and offenses.
Fully anonymized data is not personal information under the GDPR and is therefore outside of its scope.
Pseudonymized data, however, remains in scope. Pseudonymized data is personal information that has been processed such that it can no longer be attributed to a specific data subject without the use of additional information, provided that (a) such additional information is kept separately, and (b) it is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable individual.
For example: if the original data set used to produce a supposedly “anonymized” extract still exists, and it (or the key or lookup table used to derive the extract) could be used to identify an individual from the extract, then the extract is only pseudonymized and remains subject to the GDPR.
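The following is an added example, not code from the original article or from Red Clover Advisors, illustrating the distinction drawn above in working Python. It contrasts a naive pseudonym (a plain hash of an e-mail address, which anyone holding a list of candidate addresses can recompute) with a keyed pseudonym (an HMAC under a secret key) whose key and reverse-lookup “vault” are the separately held “additional information” the definition refers to, and it contrasts both with an aggregate, statistics-only output that carries no row about any individual. The records, addresses and figures are constructed for the example; the `Vault` class and the `min_cell` suppression threshold are illustrative design choices, not anything the GDPR prescribes.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for this example; the people, e-mail addresses
# and figures are made up.
RECORDS = [
    {"email": "anna@example.org", "country": "DE", "plan": "pro", "logins_30d": 42},
    {"email": "bo@example.org", "country": "FR", "plan": "free", "logins_30d": 3},
    {"email": "Anna@Example.org", "country": "DE", "plan": "pro", "logins_30d": 7},
]

DIRECT_IDENTIFIERS = ("email",)


def normalise(value: str) -> str:
    """Canonicalise an identifier so the same person always maps to one token."""
    return value.strip().lower()


def unkeyed_token(email: str) -> str:
    """Naive pseudonym: plain SHA-256 of the e-mail. Anyone with a list of
    candidate addresses can recompute it, so this is NOT a safe pseudonym."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret key. Without the key the
    token cannot be recomputed from a guessed address."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


class Vault:
    """Illustrative token -> identifier map, kept apart from the pseudonymised
    table and used only to answer data subject requests. In a real deployment
    this lives in a separate store with its own access controls; here it is an
    in-memory dict."""

    def __init__(self) -> None:
        self._map: dict[str, str] = {}

    def store(self, token: str, email: str) -> None:
        self._map[token] = normalise(email)

    def lookup(self, token: str) -> str | None:
        return self._map.get(token)


def pseudonymise(records: list[dict], key: bytes, vault: Vault) -> list[dict]:
    """Strip direct identifiers and replace them with a keyed token. The result
    is still personal data under the GDPR: the key plus the vault allow
    re-identification, which is exactly why they must be held separately."""
    out = []
    for rec in records:
        token = keyed_token(rec["email"], key)
        vault.store(token, rec["email"])
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = token
        out.append(row)
    return out


def dictionary_attack(token: str, candidates: list[str], key: bytes | None = None) -> str | None:
    """What someone holding only the pseudonymised table can do: try known
    addresses and see which one reproduces the token. Succeeds against unkeyed
    hashes; fails against keyed tokens unless the key leaked as well."""
    for email in candidates:
        guess = keyed_token(email, key) if key is not None else unkeyed_token(email)
        if hmac.compare_digest(guess, token):
            return normalise(email)
    return None


def aggregate_by_country(records: list[dict], min_cell: int = 2) -> dict[str, int]:
    """Statistics-only output: per-country row counts with small cells
    suppressed. No output row refers to an individual, so, unlike the
    pseudonymised table, nothing here depends on a key or vault."""
    counts = Counter(rec["country"] for rec in records)
    return {country: n for country, n in counts.items() if n >= min_cell}


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # would be held in a separate secrets store
    vault = Vault()                 # would be a separate, access-controlled store
    table = pseudonymise(RECORDS, key, vault)
    known = ["carl@example.org", "bo@example.org", "anna@example.org"]
    print("pseudonymised rows:", table)
    print("unkeyed hash re-identified:",
          dictionary_attack(unkeyed_token("bo@example.org"), known))
    print("keyed token without key:", dictionary_attack(table[1]["subject_id"], known))
    print("vault lookup for rights request:", vault.lookup(table[1]["subject_id"]))
    print("aggregate output:", aggregate_by_country(RECORDS))
```

Two rows for the same person (the e-mail differs only in case) collapse to one `subject_id`, which keeps the pseudonymised table useful for analysis while removing the direct identifier; the same property is what lets a data subject request be honoured through the vault. Note that even the keyed table can still be personal data by inference (a single "pro" user in a small country is identifiable from the remaining attributes), which is why the aggregate output suppresses small cells rather than publishing per-row data.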
Is consent required? Mostly. An organization must obtain explicit consent for processing special categories of personal information unless it meets the criteria for another exception to the prohibition on processing it (think, processing justified for legal, vital, public interest, medical, or research purposes, among others).
Unlike in the US, the GDPR requires a legal basis for any processing of personal information. Consent is one legal basis. Therefore, unless another basis for processing exists, consent is needed. The six legal bases are:
- Consent
- Contractual obligations
- Legal obligations
- Vital interests (think the need to save a person’s life or prevent severe harm)
- Public interest
- Legitimate interests (processing necessary for the legitimate interests of the controller or a third party, where those interests are not overridden by the data subject’s interests, rights, and freedoms; fraud prevention is a typical example that a data subject would anticipate from an organization they provide their personal data to)
Additionally, under the ePrivacy Directive (another EU law that complements the GDPR), organizations most often need to obtain consent to place non-essential cookies on a device. The opt-in rules vary by country and by whether the context is B2B or B2C.
A privacy notice must:
- Be concise, transparent, intelligible, and in an easily accessible form
- Be written in clear and plain language, particularly where the information is being provided to a child
- Contain:
- The organization’s name and contact information, including its EU representative and Data Protection Officer where applicable;
- The purposes for processing personal information;
- The legal basis used for processing;
- The legitimate interests (where applicable);
- Recipients or categories of recipients of personal information;
- Details about any transfers of personal information to countries outside the EEA and the safeguards that are in place;
- Retention period or the criteria used to determine this period;
- Data subject rights;
- The right to withdraw consent at any time;
- The right to file a complaint with a supervisory authority;
- Whether providing personal information is required by law or contract, and the potential consequences of not providing the data (unless the data is obtained via another organization, then replace this with the categories of personal information obtained); and
- The existence of automated decision-making, including profiling, and the logic, significance, and potential consequences of the decision-making
Unlike in the US, the GDPR does not specifically regulate the sale of personal information. A sale is treated like any other processing of data and must be both fair and lawful, which means organizations need a purpose and a legal basis for selling personal information. Data subjects also have a right to object: it is absolute where the processing is for direct marketing, and otherwise applies to processing based on legitimate interests or public interest unless the controller demonstrates compelling legitimate grounds that override the data subject’s interests.
The GDPR is enforced by national data protection authorities (DPAs), also referred to as supervisory authorities, within each EU member state. DPAs have the power to investigate, order compliance, and issue fines of up to €20 million or 4% of a company’s global annual turnover, whichever is higher.
Where processing crosses borders, a lead supervisory authority coordinates with the other DPAs concerned, and the European Data Protection Board (EDPB) resolves disputes between them to ensure consistent application of the regulation across the EU.
Privacy Rights
The GDPR instructs businesses and organizations, but at its core, it’s about giving individuals control over their personal information. The GDPR includes a number of mechanisms designed to provide that control, including:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure/to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Controllers must respond to requests without undue delay and in any event within one month of receipt. The controller may extend its response time by up to two further months where necessary, considering the complexity and number of requests. When extending the response time, controllers must notify the data subject within the initial month of the extension and the reasons for it.
When a controller denies a request, it must inform the data subject of the denial, the reasons for not taking action, and how to file a complaint with a supervisory authority or seek a judicial remedy.
Universal Opt-Out
There is no obligation to recognize universal opt-out signals in the GDPR.
However, organizations that are in scope for the ePrivacy Directive (generally the same organizations that are in scope for GDPR) in most cases need to obtain consent to place non-essential cookies on devices. It varies by country and B2B or B2C.
Additionally, individuals in the EEA have the right to object to the processing of their personal information, which includes the sale or sharing of data with third-party controllers. And, as a reminder, data controllers must have a legal basis for any processing of personal information, including sale and sharing via cookies.
Because of that right to object, a Global Privacy Control (GPC) signal, when recognized, can reasonably be treated as an objection. It would be prudent to recognize GPC signals from users in the EEA as an objection signal.
Privacy Impact Assessments
The GDPR has explicit rules for conducting privacy assessments or Data Protection Impact Assessments (DPIAs). Controllers must conduct a DPIA when processing is likely to result in a high risk to individuals’ rights and freedoms.
Data protection authorities have published specific lists of scenarios where a DPIA is required. The GDPR itself requires controllers to conduct a DPIA when:
- Using automated decision-making with legal or significant impact on data subjects
- Processing special categories of personal information on a large scale
- Systematically monitoring public areas on a large scale
DPIAs must describe the processing operations and purposes behind the processing, evaluate the necessity and proportionality of the processing activities, and identify and mitigate any potential risks to data subjects. Where processing is based on legitimate interests, the DPIA must state the legitimate interest the controller is seeking and conduct a balancing test of the legitimate interests of the business against the rights and freedoms of data subjects.
Organizations must document the DPIA process and outcomes, and consult with their Data Protection Officer where applicable.
Transferring Personal Information
Transferring personal information outside the European Economic Area (EEA) is subject to strict rules under the GDPR to ensure the information remains adequately protected. Controllers may only transfer personal information to a third country or international organization where the European Commission has granted the country adequacy, where appropriate safeguards are in place, or, in narrow circumstances, where a specific derogation applies.
The European Commission grants adequacy to countries that provide an adequate level of data protection. In the absence of such a decision, appropriate safeguards must be put in place, such as binding corporate rules, standard contractual clauses (SCCs) as approved by the European Commission, or approved codes of conduct or certification mechanisms, combined with enforceable rights and effective legal remedies for data subjects.
For transfers to the US, one mechanism is self-certification under the EU-US Data Privacy Framework, which is covered by a Commission adequacy decision for participating organizations; SCCs remain available for transfers to US organizations that have not self-certified. The Data Privacy Framework establishes principles and mechanisms for the lawful transfer of personal data from the EU to the US, requiring participating organizations to adhere to its data protection principles, implement appropriate safeguards, and ensure transparency and accountability in their data processing practices.
If relying on SCCs, organizations must carry out a “transfer impact assessment” documenting the particular circumstances of the transfer, the legal framework of the destination country, and any additional safeguards to protect the personal information.
Additionally, data subjects have the right to be informed about the transfer and to understand the associated risks and protections. Organizations must also ensure continuous monitoring and assessment of the data protection measures in place in the recipient countries to address any changes in the level of protection and adjust their practices accordingly.
Vendor Contracts (Data Processing Agreements)
Article 28 of the GDPR stipulates that controllers and processors must enter into Data Processing Agreements. Those agreements must contain certain provisions, with the goal of clearly defining the processor’s responsibilities and obligations.
Agreement Requirements:
- Specify the subject matter and duration of the processing;
- Specify the nature and purpose of the processing;
- Identify the types of personal information and categories of data subjects;
- Detail the obligations and rights of the controller;
- Mandate that processors handle personal information only according to documented instructions from the controller (unless legally required to do otherwise);
- Mandate that processors transfer personal information internationally only according to documented instructions from the controller (unless legally required to do otherwise);
- Ensure that processors guarantee confidentiality commitments from persons authorized to process the personal information or ensure they are under an appropriate statutory obligation of confidentiality;
- Require that processors implement all measures necessary under Article 32 (Security of Processing), including appropriate technical and organizational measures to ensure a security level appropriate to the risk;
- Obtain authorization from the controller before engaging a subprocessor and notify the controller of any intended changes regarding the addition or replacement of subprocessors, giving the controller the opportunity to object;
- Mandate that the processor flows down the same data protection obligations contained in its contract with the controller to all subprocessors, and hold the initial processor fully liable to the controller for the subprocessors’ performance of those obligations;
- Assist the controller in responding to data subject rights requests;
- Require processors to assist the controller in responding to a data breach, including compliance with breach notification obligations;
- Require processors to assist the controller with data protection impact assessments and consultations with the supervisory authority when necessary;
- Ensure that processors delete or return all personal information to the controller, at the controller’s choice, after the end of the service provision related to processing (unless continued storage is required by law);
- Require processors to make available all information necessary to demonstrate compliance with their Article 28 obligations and allow for and contribute to audits conducted by or at the request of the controller.
Data Minimization and Data Protection by Design and Default
Data minimization and privacy by design and default are core principles mandated by the GDPR to enhance the protection of personal information. These concepts require that organizations only collect, process, and retain personal information that is strictly necessary for the specific, explicit, and legitimate purposes for which it is processed. This means data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Regular audits and reviews of data processing activities are essential to ensure compliance with this principle, as well as the prompt deletion or anonymization of data that is no longer needed. By adhering to data minimization, organizations reduce the risk of over-collection, which can lead to potential data breaches and privacy violations.
Data protection by design, as required by Article 25 of the GDPR, mandates that data protection must be integrated into the development of business processes, systems, and products right from the design phase and throughout their entire lifecycle.
This involves implementing appropriate technical and organizational measures, such as data encryption, pseudonymization, and robust access controls, to ensure data privacy and security. The GDPR requires that these measures be appropriate to the risks associated with the processing and the nature of the personal information involved.
Organizations must conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals’ rights and freedoms, ensuring that privacy risks are identified and mitigated early on.
Relatedly, Article 30 of the GDPR requires organizations to develop and maintain an internal Record of Processing Activities (ROPA). Without this record, it’s impossible to know what kind of personal information a company is gathering, how it’s being stored, and how it’s being used both internally and externally. Without this record, ultimately, it’s impossible to be fully compliant with the GDPR.
Data Privacy is Just Good Business
Managing privacy compliance, with the GDPR alongside all the new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.