What is GDPR?

What is GDPR?

The GDPR (General Data Protection Regulation) of the European Union is the data protection law of the European Union.

When it came into force back in 2018, it was the most significant change in data protection for decades since the ePrivacy Directive and the most comprehensive law worldwide addressing online privacy issues.

It imposes significant duties to businesses to protect users’ personal data. That includes a number of obligations for the collection, processing, use, and transfer of data, as well as implementation of data security measures. Most importantly, it requires businesses to not track users without obtaining their explicit consent.

In addition to that, the GDPR grants users with rights in relation to their own personal data that every business has to respect.

Any company that does business in Europe and/or with European citizens needs to be GDPR compliant.

Non-compliance with the GDPR leads to the biggest monetary fines ever prescribed by a data protection law.

Although ISO 27001 and GDPR are fundamentally different frameworks, but they share a lot of common principles in relation to data protection. Read about ISO 27001 Data Protection .

Why GDPR?

Before GDPR, data protection laws were outdated and inconsistent among EU member states. The GDPR has replaced those inconsistencies with a regulation obligatory for all member-states of the EU.

As a result, the laws among the EU countries are unified. If you comply with the GDPR, it means that you are compliant with the national data protection laws of every single EU country.

Personal data under GDPR

Personal data is any information related to a natural person that can be identified or is identifiable by that information, directly or indirectly.

This means that:

• Any information can be personal data as long as it can be related to a person. It can be data in textual, audio or video format. It can be personal name, email address, home address, IP number, ID number, etc.
• The information has to be related to a person. Company data and deceased person’s data is not GDPR personal data.
• The person can be identified or identifiable. The person is identifiable if the data is pseudonymized or de-identified, but it can be reversed. On the other hand, irreversibly anonymized data is not personal data.
• If the person can be identified indirectly, such as by combining multiple pieces of data, that is also personal data under the GDPR. An example for indirect identification is the purchase behavior as data.

Examples of personal data include name, surname, email addresses such as name.surname@company.com, a home address, ID card number, cookie ID, Internet Protocol (IP).

Examples of data not considered personal data include a company registration number, email addresses such as info@company.com, and anonymized data.

How Do You Compare CCPA V. GDPR?

Both CCPA and GDPR are data protection laws, but the requirements of each of them tend to be quite different.

While there are some similarities, most notably in relation to transparency and data subject rights, the two laws differ a lot. Therefore, if you are compliant with the CCPA it won’t make you compliant with the GDPR and vice versa.

If both the CCPA and the GDPR apply to your business, you have to make sure to determine what each of them require from your business and act accordingly to comply.

What is GDPR Privacy Policy

A GDPR privacy policy is a document with which the business informs the user about their privacy practices. Although not explicitly required by the GDPR, the privacy policy is the most common way of being transparent to the users about your use of their data.

A GDPR-compliant privacy policy should contain certain elements to be compliant. These elements include:

• Your identity and contact details
• The categories of personal data you process
• How you collect and process personal data
• Why do you collect and process data
• Details on international data transfers, if any
• Data subject rights
• How to exercise data subject rights
• Contact details on the Data Protection Officer, if any

This is just the necessary minimum of information that the GDPR requires you to provide. You can add more if you want. Read more about how you can make your website GDPR compliant.

GDPR data subject rights & DSAR

Website users and app users are called data subjects in the GDPR. The GDPR grants them data subject rights. These rights empower users to protect their data privacy against the business that has their data collected. Learn the 6 Steps for Website Compliance.

The data subject rights include the right to:

• Be informed
• Access
• Correction
• Deletion (right to be forgotten)
• Data portability
• Restrict processing
• Object to processing
• Not be subject to automated data processing, including profiling.

Every EU business owes these rights to all their users. All non-EU businesses owe these rights to all their EU users.

Users can exercise their rights by submitting data subject requests, including DSAR requests. Upon verifying the user identity, you have to comply with their request and fulfill it.

Secure Privacy provides businesses with a DSAR center for seamless compliance with data subject requests.

Learn more about Data Subject Access Request Procedure.

GDPR fines & enforcement

GDPR prescribes the world’s largest penalties related to data protection. Read more about GDPR fines and enforcements in our blog post.

GDPR data transfer

Read all about GDPR data transfer in our blog post.

Transferring data outside the EU

Data transfer is the process where personal data flows from one company to another, or from the user to the company. When that’s a transfer across international borders, that is an international data transfer.

Read all about transferring data outside the EU in this blog post.

Do we need a GDPR Data Protection Officer?

GDPR requires only some of the businesses to appoint a Data Protection Officer (DPO). 

You must appoint a DPO if you are a business whose core activities involve:

• Core activities of an organization involves processing requires regular and systematic monitoring of persons on a large scale, or
• Core activities of an organization consists of processing on a large scale of special categories of data or data related to criminal convictions and offenses.

Public authorities are also required to appoint a DPO in any case.

In all other cases, you are not obliged to appoint a DPO.

A DPO can be the business owner, any employee, an independent contractor, or an organization to whom you outsource the processes. See some common problems GDPR DPOs face.

Do we need a GDPR representative in the EU?

You need a legal representative in the EU if:

• Your business has no offices in the EU and
• You regularly process personal data on a large scale, process sensitive personal data, or data related to criminal convictions.

In all other cases, you do not need to appoint a legal representative in the EU.

What to do in case of a breach

A data breach occurs when the data for which your company/organization is responsible suffers a security incident resulting in a breach of confidentiality, availability, or integrity.

In most cases, you need to inform the relevant data protection authority. You have to notify them in 72 hours upon becoming aware of the incident, or later if there are reasonable reasons for the delay.

If the breach poses a risk to the rights and freedoms of the data subjects whose data has been breached, you have to notify the data subjects as well.

In some rare cases, where the breach is insignificant and poses no risk to anyone whatsoever, you may not have to inform anyone.

If your company/organization is a data processor it must notify every data breach to the data controller.