As online technology has become integrated with every aspect of our lives, personal data now flows around the globe on a gargantuan scale. The explosive growth of so-called "Big Data" went largely unchecked until the European Union's (EU) adoption of the General Data Protection Regulation (GDPR). Since going into effect in 2018, the GDPR has inspired other jurisdictions to pass similar laws, such as the California Consumer Privacy Act.
The GDPR is a comprehensive data privacy law, meant to fundamentally change the way organizations think about personal data by making them be more mindful of how they collect, use, and share that information. The first step in that direction is understanding how the law works and what it requires.
The GDPR usually applies in one of two ways. First, it applies to organizations that are “established” in a country that has adopted the GDPR. These countries include the entire European Economic Area (all EU member nations plus Norway, Liechtenstein, and Iceland) and the United Kingdom (collectively, “EEA/UK”). Second, it applies to organizations that are not established in the EEA/UK but offer their goods or services there.
Note: We use the term “organizations” to describe entities that might be covered. The GDPR can apply to individuals, businesses, governments, nonprofits, and anyone else that processes personal data outside of a purely household or personal context.
If an organization is established within the EEA/UK, the GDPR applies to all of its data-processing activities regardless of where its data subjects (the people whose data is being processed) are located. For example, if an online business is based in Ireland, it must follow GDPR rules with respect to all of its customers and website visitors even if they are located outside of the EEA/UK.
“Establishment” in the EEA/UK is defined as “the effective and real exercise of activity through stable arrangements” in that territory. Typically, this means a permanent, physical presence of some kind, such as having a headquarters, branch, or subsidiary located there.
The second way an organization can be required to comply with the GDPR is when, even if it is not established in the EEA/UK, it does offer its goods or services there. Such an organization is only required to comply with the GDPR with regard to its processing of the data of European data subjects.
There is no hard rule about what it means to “offer goods or services” in the EEA/UK, but it does require a degree of intention beyond just having a website that is visible to people in Europe. A number of factors may be considered, such as posting prices in the local currency, translating content into European languages, and offering shipping options to the EEA/UK.
Example: An ecommerce business is based in the United States, but also has French- and German-language versions of its website where it displays prices in euros. That business is offering its goods to data subjects within the EEA/UK, and will have to comply with the GDPR with regard to any personal data it collects about European data subjects.
The GDPR regulates the collection and use of “personal data,” a term that is defined broadly as “any information relating to an identified or identifiable natural person.” This encompasses a wide variety of information, including:
The list could go on. If you’re not sure if something is personal data, just ask yourself, “Does this information relate to a specific person?” If so, it is personal data.
Two critical terms that any organization seeking to be GDPR compliant must understand are “controller” and “processor.” These are the two categories of parties that actually handle personal data and have legal obligations under the law.
Controllers are the principal actors in the GDPR legal framework; they “determine the purposes and means of the processing of personal data.” In other words, controllers are the ones calling the shots, though in some circumstances they may do so jointly with others.
Processors, on the other hand, only handle personal data on behalf of a controller, typically as a vendor or subcontractor. They may only do so under a written contract that contains specific protections for personal data.
Example: Company A is a retail company that collects email addresses from customers in order to send them promotional communications. It hires Company B, an email vendor, to do the actual sending. With regard to the email addresses, Company A is the controller and Company B is the processor. Company B can still be a controller in its own right over other personal data, e.g., the contact information of employees at Company A, cookie data from its own website visitors, etc.
While it’s far from a comprehensive compliance checklist, these major points should give organizations a good idea of what GDPR compliance entails.
Organizations may not process any personal data without first identifying a legal basis for each type of processing activity. The GDPR recognizes six lawful bases:
One of the GDPR’s most conspicuous features is that it grants data subjects the right to make privacy requests to controllers.
One issue that has become contentious since the adoption of the GDPR is that of international data transfers. The GDPR prohibits the transfer of personal data outside of the EEA/UK unless adequate safeguards are in place to protect the data from intrusion by public authorities. These safeguards include:
International data transfers are contentious because a vast amount of personal data is processed in the United States, which has not been the subject of an adequacy decision. This was formerly facilitated by the EU-US Privacy Shield, a voluntary certification program that allowed this data to keep flowing. However, an EU court case in 2020 invalidated the Privacy Shield framework as being insufficient to protect data from intrusion by the U.S. federal government.
This decision has left thousands of organizations scrambling to find an alternate solution. Most of them have adopted an updated version of the official SCCs (standard contractual clauses), but these impose difficult requirements on data exporters, and there is reason to doubt whether they will stand up to legal scrutiny. American and EU officials are attempting to create a new legal framework similar to the Privacy Shield that will resolve the issue.
A major component of compliance with any of the modern data privacy laws is posting privacy disclosures on websites, mobile apps, and anywhere else an organization collects personal data. The GDPR disclosures must be tailored to each organization’s data practices and include the following information.
Each country has its own data protection authorities tasked with enforcing the GDPR within its borders. Across Europe, these authorities have been quite aggressive in their enforcement, going after small and large organizations alike. The maximum fine for violations is €20,000,000 or 4% of global turnover (whichever is higher), and some companies have already racked up multiple fines of tens of millions of euros.
The GDPR is a comprehensive law with many requirements. This leaves many small and medium-sized businesses in a tight spot: they have GDPR commitments but don’t have the resources to handle compliance.
TrueVault Polaris is designed to help SMBs become GDPR compliant on their own, at a fraction of the cost of hiring lawyers or consultants. Similar to online tax software, Polaris works through an intuitive question-and-answer interface, allowing businesses to get compliant in as little as a few hours. Polaris also includes the necessary tools, from opt-out management to privacy-request workflows, to help you stay compliant with minimal effort. Contact us today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.