The General Data Protection Regulation, or GDPR, is a comprehensive regulatory framework designed to enhance data privacy standards in the European Union (EU).

Since coming into effect in 2018, the GDPR has nearly single-handedly transformed the digital privacy landscape and inspired a global campaign to protect personal data.

This article will dive deeply into what the GDPR aims to accomplish, who it applies to, its key concepts and principles, actionable compliance steps and insights for businesses, penalties for non-compliance, and more. Let's get started.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is the General Data Protection Regulation (GDPR)?

The GDPR is an extensive data privacy law that was enacted in April 2016 and came into force on May 25, 2018. It is the EU's response to the modern challenges plaguing the field of information privacy and digital security.

In short, the GDPR:

  • Strengthens the rights of EU residents to protect their personal data and digital privacy
  • Simplifies the EU regulatory environment by imposing a uniform data privacy law on its member states

With the end goal of establishing EU residents as true owners of their information, the GDPR lays out a number of stringent requirements to help businesses uphold ethical data processing practices.

Among other obligations, businesses must now implement stronger data security safeguards, get consent before collecting specific data types, and demonstrate transparency about how they manage personal data.

To get further insights into the GDPR, it's important to understand how the law came to be. Let's take a quick look.

A Brief History of the GDPR

A Brief History of the GDPR

In the 1990s, the Data Protection Directive and Data Protection Act established the fundamental framework for privacy laws and compliance in Europe.

However, as technology continued to penetrate all aspects of society, the European Union (EU) recognized the need for modern protections. Evidently, the Data Protection Directive was unfit to address the challenges accompanying key areas of internet privacy, such as cloud computing, social media, and so on.

After four years of lengthy discussions and negotiations over the finer details of the law, the GDPR was approved by the European Parliament to replace the Data Protection Directive.

With 99 articles and 173 recitals, the GDPR is a pretty substantial document. It is currently the strictest and most protective privacy legislation in the world, earning it the moniker "gold standard of privacy laws."

Today, the GDPR serves as a blueprint from which non-EU countries draw inspiration to develop their own protective data privacy regulations. Case in point, privacy laws like the California Consumer Privacy Act, California Privacy Rights Act, Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (to mention a few) have aspects of GDPR influence.

Who Does the GDPR Apply to?

Who Does the GDPR Apply to?

The GDPR primarily applies to all EU businesses that process personal data. However, the GDPR's reach extends far beyond the EU's physical borders.

Unlike under the Data Protection Directive, businesses don't need to be physically present in the EU to be covered by the GDPR. In other words, if your non-EU business meets certain criteria, the GDPR will apply regardless of your business's location.

To find out if the GDPR applies to your non-EU business, consider the following questions.

Do you offer products or services to individuals in the EU?

The GDPR will apply to your business if you specifically target individuals residing in the EU to offer them products or services (even for free). Now, the key word here is "offer."

According to Recital 23 of the GDPR, making a product or service available to individuals in the EU doesn't necessarily constitute an "offer." The European Data Protection Board (EDPB) supports this by stating that an offer must be intentional.

Simply put, the GDPR won't apply if you don't intentionally target EU residents to offer them products or services.

To get some context, let's see some examples of intentional offers to EU residents:

  • A mobile app that supports payments in EU currency (e.g., Euros, Romanian Leu, etc.)
  • A website with an EU member country code (e.g., .de, .fr, .it, .cz, etc.)
  • A desktop app that serves ads in local EU languages like German, Italian, Finnish, etc.
  • A firm with a dedicated phone number or address exclusively for individuals in the EU
  • A company that offers delivery of products in EU member states

In the examples above, it's clear that these businesses target individuals in the EU. As a result, they will all fall under the GDPR's scope.

Do you monitor the behavior of individuals in the EU?

Alternatively, the GDPR will apply if you monitor the behavior of EU residents (where such behavior occurs in the EU).

Examples of monitoring activities include but aren't limited to the following:

  • Applying profiling techniques to predict individuals' preferences or attitudes
  • Using tracking cookies or similar technologies
  • Providing behavioral advertisements
  • CCTV surveillance

Do you collect or process the personal data of individuals in the EU?

If you do collect or process the personal data of EU residents, the GDPR will apply.

Moreover, the GDPR may impose tougher requirements depending on the sensitivity of the information you collect from data subjects. Simply put, the more sensitive the data you collect, the stricter the standards to which you will be held.

Now, if you answered yes to all three questions above, the GDPR undoubtedly applies to your business.

Even if your business isn't covered, it's still a good idea to comply since the GDPR currently serves as a global model for other countries to develop their own legislation.

For a more detailed coverage of the GDPR's jurisdiction, check out our article, Do I Need to Comply with the GDPR?

Next, let's take a look at when the GDPR doesn't apply.

GDPR Exemptions

Despite the GDPR's extensive reach, certain businesses, data types, and specific circumstances are exempt from its coverage.

Obviously, the GDPR won't apply to you if you don't operate within the EU or intentionally target its residents to offer them products or services or monitor their behavior.

Although it's not required, some businesses choose to err on the side of caution by putting additional safeguards in place to avoid mistakenly targeting EU residents.

Dick's Sporting Goods, for example, blocks EU users from accessing its website to avoid being subject to the GDPR:

Dick's Sporting Goods: GDPR notification of being unable to access the site

There are other specific exemptions outlined in the GDPR. For instance, the GDPR partially exempts businesses with less than 250 employees by relieving them of their record-keeping responsibilities under certain conditions.

Other common areas where GDPR exemptions apply are as follows:

  • Data processing for "personal or household activities"
  • Anonymous data
  • Journalism and free speech
  • Law enforcement or national security
  • Information not in a "filing" system
  • Historical and scientific research

For more information, check out our article, When Does the GDPR Not Apply?

Before exploring the GDPR any further, it's important to understand how the law defines specific terms.

GDPR Key Terms and Definitions

GDPR Key Terms and Definitions

Certain terminologies used in the GDPR have much broader meanings than they do in their literal sense.

Below, we clarify some of the GDPR's most important terms.

Data Subject

Under the GDPR, a data subject refers to an "identified or identifiable natural person[s]." In other words, data subjects are people whose personal data you collect or process to facilitate your business operations.

Personal Data

Under Article 4 (1) of the GDPR, "personal data" (aka "personal information") is defined as:

"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier..."

Essentially, personal data is any information that can be used to identify a real person. This definition is considerably broad and covers quite a wide range of data types.

While there's no exhaustive list in the GDPR, we can deduce from various regulatory guidance and case laws that personal data can include but isn't limited to the following:

  • Names
  • Mailing addresses
  • Email addresses
  • Phone numbers
  • Identification card numbers
  • Social media handles
  • Financial details
  • Videos/images
  • Online identifiers (web cookies, IP addresses, etc.)

Sensitive Personal Data

As the name implies, sensitive personal data is simply a more delicate type of personal data. They include:

  • Genetic information
  • Biometric information
  • Racial/ethnic origin
  • Political views
  • Philosophical/religious beliefs
  • Health information
  • Sexual orientation

Because of their sensitive nature, the GDPR imposes stricter responsibilities on businesses that collect or process these types of information.

Processing

Processing is defined in Article 4 (2) of the GDPR as:

"any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means"

The GDPR obviously intends to make this term as inclusive as possible. In fact, it proceeds to outline various actions that count as "processing." This includes just about everything you could possibly do with personal data, such as:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Usage
  • Storage
  • Disclosure by transmission
  • Alteration
  • Adaptation
  • Restriction
  • Erasure or Destruction

To provide even more context, the European Commission presents the following examples of processing activities:

European Commission: Examples of data processing

Data Controllers vs. Data Processors

The GDPR broadly classifies applicable businesses as either data controllers or data processors based on their role in handling personal data.

A "data controller" refers to any individual or organization that decides how and why personal data is processed. Data controllers are held most accountable for protecting data subjects' rights and ensuring personal data privacy.

In contrast, a "data processor" is any individual or organization that collects, stores, and manages personal data on behalf of a data controller.

Data processors are typically third-party service providers and external agencies who carry out a controller's explicit instructions.

Before developing your business compliance strategy, it's crucial to understand the key distinctions between a data controller and a data processor, as each has its own legal obligations.

Consider the following scenarios to better understand the relationship between data controllers and processors:

  • If your website shares data with Google Analytics to gain insights about visitors and their preferences, you're the data controller, and Google Analytics is the data processor.
  • If your online store sells comic books and uses a platform like WooCommerce to handle payments for those books, you're the data controller, and WooCommerce is the data processor.
  • Suppose your payroll agency handles the salary payments of a construction company by storing its employees' information. In that case, you're the data processor, and the construction company is the data controller.

For more information on this distinction, check out our article, GDPR Data Controller vs. Data Processor.

GDPR Data Processing Principles

GDPR Data Processing Principles

Article 5 of the GDPR sets out six principles every data controller must observe when carrying out data processing activities. Let's briefly examine them.

Lawfulness, Fairness, and Transparency

As a data controller, the GDPR principles of lawfulness, fairness, and transparency require you to observe the following:

  • Process data only when you have at least one of six lawful bases for doing so. (More on this in the next section.)
  • Use personal data in an ethical and rational way that is consistent with your specified purposes for obtaining that data.
  • Be open about your data processing practices by providing clear and accurate information about how you collect, use, and share personal data, typically within a Privacy Policy.

Purpose Limitation

The GDPR restricts the use of data to specified, legitimate purposes. As a data controller, you must only collect and retain data for a specific purpose made known to data subjects.

You mustn't use personal data for purposes other than those specified unless the data subject consents.

Here's how Superior Essex presents this principle in its Privacy Policy:

Superior Essex Privacy Policy: The Purpose Limitation clause

Data Minimization

Building on the purpose limitation principle, the data minimization principle requires that you only collect the bare minimum amount of information necessary to process data for specified purposes.

To put this in context, you don't need to collect a person's social security number to send them promotional emails.

Here's how Superior Essex presents this principle in its Privacy Policy:

Superior Essex Privacy Policy: The Data Minimization Principle clause

Accuracy

The accuracy principle requires that you keep the personal information in your possession accurate.

You'll need to set up a system to update or delete inaccurate data as soon as it's discovered. You'll also need to conduct routine audits of your data inventory to reassess the accuracy of personal data over time.

Superior Essex Privacy Policy: The Accuracy Principle clause

Storage Limitation

The GDPR requires you to only store personal data for as long as you absolutely need it for specified purposes. Once it's no longer needed, you must promptly delete personal data.

Superior Essex, once again, observes this principle in its Privacy Policy:

Superior Essex Privacy Policy: The Storage Limitation Principle clause

The only exception here is if you process data for any of the following reasons:

  • Archiving purposes in the public interest
  • Historical or scientific studies, or
  • Statistical purposes

Integrity and Confidentiality

You need to implement appropriate technical and organizational security measures to protect data from illegal processing, breaches, and accidental loss or damage.

This typically involves restricting access to personal data and anonymizing or encrypting data where practical.

Next, let's identify the conditions under which you can legally process personal data under the GDPR.

Lawful Basis for Processing Under the GDPR

Lawful Basis for Processing Under the GDPR

Before legally processing data under the GDPR, you need to provide at least one justifiable reason. Article 6 of the GDPR sets out six lawful bases under which businesses may process personal data.

They are as follows:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Let's take a closer look at each.

Consent is one of the most critical aspects of GDPR compliance. If you process personal data under the lawful basis of consent, you need to be mindful of the GDPR's stringent conditions.

The GDPR defines consent as:

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

This definition is elaborated further in Article 7 and Recital 32 of the GDPR.

Let's briefly break down its key aspects.

  • Freely Given: You can't coerce data subjects into providing consent. In other words, there must be no negative consequences for users who decline to give consent (e.g., blocking access to your services).
  • Specific: You can only obtain consent for a single, clearly stated purpose at a time. If you need permission for different data processing activities, you must get specific consent for each type of processing.

    For instance, if you want users to create accounts on your website and subscribe to your email newsletters, you must obtain consent for each activity separately.

  • Informed and Unambiguous: Data subjects need to understand the details of the processing activity for which you're requesting their consent in a straightforward manner.

    This generally entails describing what type of data you collect with their consent, why you collect it, the associated risks involved, and how they can withdraw their consent. Businesses typically provide this information in a Privacy Policy.

  • Clear affirmative action: For consent to be legally acceptable, data subjects must take some action to demonstrate their approval of your processing activities.

    Browsewrap agreements with statements like "By using this service, you agree to be bound by these terms" are not GDPR-compliant. Pre-ticked checkboxes and other forms of opt-out consent are also unacceptable.

    Data subjects must opt in to your processing activity by taking an affirmative action through a clickwrap method like ticking an empty checkbox labeled "I Agree" or clicking an "I Agree" button.

    Here's how Yelp obtains separate consent to register users on its platform as well as send them marketing emails:

  • Yelp sign-up form with consent checkboxes highlighted

  • Finally, you need to document or keep records of consent and allow users to withdraw consent as easily as they gave it.

Here are some examples of valid consent that meet the requirements above.

Here's how PayPal displays an empty checkbox for visitors to provide their informed, explicit, affirmative, and withdrawable consent before signing up on its platform:

PayPal Sign up page - Agree and Create Account with checkbox highlighted

Dropbox provides a similar consent mechanism for users who wish to sign-up on its platform:

Dropbox Create Account form with clickwrap to agree checkbox highlighted

It's also crucial to obtain consent before loading non-essential cookies and similar technologies on users' devices. Remember to use the clickwrap method here as well.

Here's an example of a cookie consent notice that has options for obtaining consent, as well as for the user to decline consent::

Capgemini Cookie Consent Banner with Cookie Policy link and buttons highlighted

Note how the above consent mechanism satisfies the GDPR's "informed" consent requirement by providing a link where users can learn more about the company's policies before deciding to accept or reject cookies.

Contract

The GDPR allows you to process personal data in order to fulfill a contractual obligation.

Under this lawful basis, one of the following scenarios will apply:

  • You have a contract with someone and need to process their personal data to fulfill your responsibilities under that contract. For example, an internet service provider must retain customer information in order to deliver the best service possible.
  • You're about to enter into a contract with someone, and you need to take certain actions (at the data subject's request) to decide whether or not to proceed with the contract. For example, you may need to collect personal information through a background check before deciding whether or not to hire a job applicant.

Here's how Kamsa explains how it processes personal data to fulfill its contractual obligations:

Kamsa Privacy Policy: Performance of a Contract clause

In some instances, you may be required to process data in a specific way to comply with a legal or statutory requirement.

For example, a bank may need to disclose a consumer's personal information to assist regulatory tax authorities in preventing fraudulent activities, much like the British Bank TSB does here:

TSB Privacy Policy: Why we use your information section - Comply with legal obligations clause

Vital Interests

The GDPR allows you to process a person's data if doing so is critical to saving a life (whether theirs or someone else's).

Data processing on this lawful basis should only be done as a last resort. According to Recital 46 of the GDPR:

"Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis."

In other words, you should only process data under this lawful basis if you're unable to rely on any other lawful bases. Practically speaking, vital interests are unlikely to apply except in emergency medical situations.

Public Task

Suppose you're a public institution or an organization operating on that institution's behalf. In this case, you're allowed to process personal data in order to perform a task in the public interest or under official authority.

For example, law enforcement agencies may need to access personal data to prevent criminal activities.

Legitimate Interests

Under the lawful basis of "legitimate interests," you can process data for any genuine, rational purpose as long as your processing activities don't interfere with the fundamental rights and freedoms of data subjects.

Importantly, you must be able to demonstrate that you are meeting a specific need or providing a service to your customers by processing their data.

To use legitimate interests appropriately, simply ask yourself:

  • Do I really need personal data to carry out this processing activity?
  • Does the processing activity outweigh any risks to data subjects' rights and freedoms?

If you answer no to either of these questions, you can't use legitimate interests as your lawful basis for processing.

Find our 3-part test for determining if you have a lawful basis of legitimate interests in our feature article here: 3 Part Test for Legitimate Interests Under the GDPR.

Now, let's review some examples of how businesses present their lawful basis for processing.

Here's how Marks and Spencer outlines its legitimate interests in its Privacy Policy:

Marks and Spencer Privacy Policy: Our legitimate interests clause

Asides from public tasks and vital interests, Oracle relies on every other GDPR lawful bases for processing data, as shown below:

Oracle Privacy Policy: What is our basis for processing information about you clause

Similarly, Atlassian relies on the legal bases of contract, legitimate interests, consent, and legal obligation:

Atlassian Privacy Policy: Legal bases for processing for EEA users clause

Now that we've gone through the GDPR lawful basis for processing, let's briefly review the privacy rights granted to EU data subjects under the GDPR.

Individual Rights Under the GDPR

Individual Rights Under the GDPR

The GDPR outlines eight privacy rights in Chapter 3 of its provisions to establish data subjects as true owners of their information. As a data controller, you must observe these rights and help data subjects exercise them upon request.

Here is each privacy right with further details on what the right entails.

The Right to be Informed

Under Article 12 of the GDPR, data subjects have the right to understand how you process their personal data.

In other words, you must provide comprehensive information about your data processing activities in simple terms, free of technical jargon.

A GDPR-compliant Privacy Policy will satisfy this requirement (More on this later in the article).

The Right of Access

Article 15 of the GDPR grants data subjects a two-part right:

  1. They can confirm whether your company is processing their personal data, and, if so,
  2. They can request a copy of their data.

This request is known as a Subject Access Request.

The Right of Rectification

Data subjects have the right to request that you correct any out-of-date or inaccurate personal data you hold about them. Article 16 of the GDPR requires that you do this "without undue delay."

Some companies choose to leave this up to the data subjects. For instance, users can update details such as their email addresses or phone numbers through their profile settings menu on a social media platform.

The Right to Erasure

Article 17 of the GDPR grants data subjects the right to erasure, otherwise known as the "right to be forgotten." This right goes hand in hand with the storage limitation principle.

Simply put, data subjects can request that you delete their personal data in the following instances:

  • You no longer need the data for the purposes for which it was collected.
  • The data subject withdraws consent, and there is no other lawful basis for processing the data.
  • The data subject objects to your processing activities, and there are no overriding legitimate grounds for processing their data.
  • You unlawfully process their personal data.
  • The data must be erased for the data subject to comply with a legal obligation.

Once the data subject requests that you delete their personal data, you must notify everyone with whom you have shared that data and urge them to do the same.

The Right to Restrict Processing

Under Article 18 of the GDPR, data subjects have the right to request that you temporarily stop processing their personal data under the following conditions:

  • The data subject's information is reportedly inaccurate, and you need time to verify this.
  • You're processing data unlawfully, but the data subject would rather restrict the use of that data than erase it.
  • You no longer need to process the data, so you restrict it instead of erasing it because the data subject needs it to establish, exercise, or defend legal claims.

Keep in mind that you must notify data subjects if you resume processing their data.

The Right to Data Portability

Under Article 20 of the GDPR, data subjects are granted the right to request a copy of their data from your business in a "commonly used and machine-readable format." They can then transfer this copy to another organization or use it for personal purposes.

It's important to note that this right only applies if:

  • You process data under the lawful basis of consent or contract, and
  • You process data using automated means

The Right to Object

Data subjects have the right to object to your data processing operations, including profiling activities, under Article 21 of the GDPR.

You may, however, overrule this right if you have a legitimate reason for processing that outweighs the data subject's interests, rights, and freedoms.

That being said, there are no exceptions when data subjects object to direct marketing activities. Once data subjects submit their request, you must immediately stop processing data for direct marketing purposes.

What's more, you must inform data subjects of their right to object to direct marketing upon your first contact with them.

Notably, the right to object applies even when you process data for scientific, historical, or statistical research purposes. The sole exception is if you process data to perform a task in the public interest.

Article 22 of the GDPR grants data subjects an eighth and final right relating to automated decision-making, including profiling.

Under certain conditions, data subjects can request "human intervention" if an automated system or profiling technique is used to make important decisions about them that could affect them legally or in a similar capacity.

For instance, if a computer algorithm fails an individual on a recruitment aptitude test, that individual can request that a real person revise the results.

Let's take a look at how some organizations display these rights and include a way for data subjects to exercise them.

UNISON UK goes the extra mile to clarify each GDPR data subject's rights in its Privacy Policy. Note that this is just an excerpt of the complete clause:

UNISON UK Privacy Policy: Your rights as a data subject clause excerpt

Note how Unison UK includes various contact email addresses with links to help data subjects exercise these rights.

In contrast, Upwork addresses GDPR rights in a shorter clause and provides a link to assist users in exercising their rights, as shown below:

Upwork Privacy Policy: Your choices and rights clause

Next, let's examine what steps businesses can take to comply with the GDPR's requirements.

Requirements for GDPR Compliance

Requirements for GDPR Compliance

The GDPR imposes a number of compliance duties on its two main business categories: data controllers and data processors.

While data controllers are responsible for most of the GDPR's requirements, data processors are also responsible to adhere to certain standards in order to avoid stringent penalties.

If you aren't quite sure whether you're a data controller or data processor, check out our article: GDPR Data Controller vs. Data Processor for more information.

Now, let's go over the GDPR's major compliance duties for both controllers and processors.

Data Breach Notifications

The GDPR specifies what actions data controllers and processors must take if a personal data breach occurs.

Under the GDPR, a personal data breach refers to:

"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

Data processors must notify their controllers "without undue delay" if a data breach occurs.

On the other hand, data controllers must report this breach to the relevant supervisory authority within 72 hours of discovering it.

The data breach notice must contain at least the following:

  • The nature of the breach, including the number of data subjects affected and the types of data compromised
  • The contact information of your Data Protection Officer or another point of contact to get more information
  • The potential consequences of the data breach, and
  • The actions you've taken or recommend to reduce the impact of the breach

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process for analyzing how certain data processing activities may affect the security of personal data.

Under Article 35 of the GDPR, data controllers must conduct this assessment when their processing activities pose a high risk to the fundamental rights and freedoms of data subjects.

According to the GDPR and supplementary guidelines from the UK's Information Commissioner's Office (ICO), high-risk processing activities include but aren't limited to the following:

  • Automated processing, including profiling and similar activities aimed at assessing the personal characteristics of data subjects
  • Processing a large amount of sensitive data and data relating to criminal convictions
  • Large-scale and systematic surveillance of a public area
  • Using modern technologies to process data
  • Monitoring individuals' behavior or location
  • Processing children's information

Importantly, your DPIA should consider the benefits of the processing activity, highlight the risks, and recommend solutions to mitigate those risks.

The end goal is to determine whether the benefits of the processing activity outweigh the threats to the data privacy of individuals.

Data Protection Officer (DPO)

A Data Protection Officer supervises an organization's data protection strategy and makes sure it complies with the GDPR.

You'll need to appoint a DPO if:

  • Your organization is a public authority (excluding courts)
  • Your processing activities involve regular and systematic monitoring of data subjects on a large-scale, or
  • You process a substantial volume of sensitive personal data or data relating to criminal convictions

Even if none of the above circumstances apply to you, it's still a good idea to appoint a DPO.

Once appointed, a DPO's duties are as follows:

  • Educate and counsel data controllers and processors about their GDPR responsibilities and how to meet them
  • Keep track of GDPR compliance measures
  • Provide insights regarding DPIAs
  • Serve as the principal point of contact for data subjects and supervisory authorities

You'll need to place your DPO's name and contact details in prominent locations on your platform, most notably in your Privacy Policy.

For instance, here's how Oracle explains how users may contact its DPO through an online inquiry form or by mail:

Oracle Privacy Policy: Data Protection Officer clause

Privacy By Design

Introduced in the 1990s, Privacy By Design is a concept that proposes incorporating data protection safeguards into a business's design processes and policies.

In other words, Privacy By Design recommends addressing privacy matters at the initial phase of a data processing activity.

Since Privacy By Design is legally required under the GDPR, businesses must observe its seven fundamental principles:

  1. Make privacy the default option
  2. Privacy must be proactive rather than reactive
  3. Design and privacy should coexist
  4. Functionality shouldn't come at the expense of privacy
  5. Data must be protected throughout its life cycle
  6. Be transparent about your data processing activities
  7. Prioritize users in matters regarding their data

Here's how Epic Solutions declares its use of the Privacy By Design approach before addressing the actual details later on in its Privacy Policy:

Epic Solutions Privacy Policy: Privacy by Design clause

International Data Transfers

Businesses with a global presence may sometimes need to transfer personal data across international borders to facilitate their operations. In particular, it may be necessary to transfer data to a country outside the European Economic Area (aka "third countries").

Naturally, this transfer carries a risk that the personal data won't be sufficiently protected in the destination country.

To guard against this, Chapter 5 of the GDPR sets out several mechanisms to help businesses adequately protect personal data outside the EEA.

These mechanisms include:

If you intend to transfer personal data outside the EEA, you must implement at least one of these mechanisms.

Moreover, your Privacy Policy must disclose your international data transfer practices and mention whatever mechanism(s) you employ, like IBM does here:

IBM Privacy Statement: Facilitating International Transfers clause

For more information, check out our article: Transferring Personal Data Out of the EU.

Other Key GDPR Requirements

In addition to the obligations outlined above, it's important to take note of the following requirements:

  • Facilitate individual privacy rights and help data subjects exercise them upon request (as covered earlier in this article)
  • Prepare and publish a GDPR-compliant Privacy Policy (covered in the next section)
  • Observe the GDPR-prescribed guidelines for obtaining consent (as covered earlier in this article)
  • Identify a lawful basis for processing (as covered earlier in this article)
  • Maintain appropriate records of data processing activities

The GDPR and Your Privacy Policy

The GDPR and Your Privacy Policy

In keeping with the principle of transparency, the GDPR requires businesses to provide a publicly accessible Privacy Policy written in simple, straightforward language.

A Privacy Policy is a legal document that typically describes the following:

  • What type of information a business collects, and why
  • How the information will be used
  • How long the information will be stored
  • With whom the information may be shared
  • How the information will be protected

A Privacy Policy is the most important document you need to maintain to ensure GDPR compliance.

Not only is this document a legal necessity under the GDPR and many other privacy laws, but it's also a best practice to demonstrate credibility and let users know that you take their privacy seriously.

If you already have a Privacy Policy to comply with other laws or fulfill similar obligations, it almost certainly needs to be updated to meet the GDPR's strict standards.

Under Articles 13 and 14, the GDPR sets out some specific clauses businesses must include in their Privacy Policies. In short, a GDPR-compliant Privacy Policy should at least address the following details:

  • Introduction and definitions
  • What types of personal data you collect, and why
  • How you process personal data
  • GDPR data processing principles
  • Lawful basis for processing personal data
  • Individual rights under the GDPR
  • Data security safeguards
  • Data retention practices
  • Data disclosure practices
  • Use of cookies and similar technologies
  • International data transfer safeguards (if applicable)
  • Business transfers
  • Automated decision-making practices
  • Name and contact details of DPO (if applicable)
  • Changes to your Privacy Policy
  • Your general contact information

Here's an example from Quady Winery outlining these clauses at the beginning of its Privacy Policy before clarifying the exact details later on:

Quady Winery GDPR Privacy Policy: Intro section with table of contents

We won't go into the details of each clause in this article, but will look at just a few here. For more in-depth coverage, check out our article: Sample GDPR Privacy Policy Template.

What Types of Personal Data You Collect and How You Use the Data

Your GDPR-compliant Privacy Policy needs to disclose specifically what types of personal data you collect, and why you collect it. You need to be fully transparent here, and as detailed as possible.

Here's an example of a Privacy Policy clause disclosing what types of information is collected:

Walmart Privacy Policy: What Information Do We Collect clause

And here's how Microsoft explains in a concise list how it uses the data it collects:

Microsoft Privacy Statement: How we use data collected clause

If you wish to combine this information into one clause, you can do so quite easily. Here's an example of how this could look:

Bed Bath and Beyond Privacy Policy: What information is collected and its primary purpose chart excerpt

Automated Decision-Making Practices

If you engage in automated decision-making, you need to disclose this in your Privacy Policy and give users the ability to object to decisions made in this way.

Here's how Chubb's UK Privacy Policy discloses its use of automated decision making processes and explains how users have certain rights relating to this:

Chubb Privacy Policy: Automated Decision Making and Profiling clause

How to Contact You

You need to give at least one method for users to contact you, such as an email address, phone number, mailing address, contact form or other method. Put this information in your Privacy Policy so users know how to get in touch with you if they have questions or concerns about your policy.

Here's a standard contact clause from Tony Robbins that includes a mailing address as well as an email address:

Tony Robbins Privacy Policy: Contacting Us clause

If you have multiple different points of contact as part of GDPR compliance, such as an EU Data Protection Officer, an EU-based representative and/or a UK-based representative, you should include detailed contact information for each department or individual.

Here's how Geocaching's Privacy Policy lists out contact information based on location of the end user:

Geocaching Privacy Policy: How to Contact Us clause

GDPR FAQs

GDPR FAQs

Below, we answer some of the most frequently asked questions about GDPR compliance.

Do I need to comply with the GDPR as a small business owner?

It depends. The GDPR applies to all businesses that target EU residents, regardless of size.

That said, small businesses may enjoy more lenient coverage under the GDPR in certain cases. For instance, the GDPR specifically exempts businesses with fewer than 250 employees from the obligation to maintain a record of processing activities.

However, this exemption won't apply if your data processing activities:

  • Have a potential risk of harming data subjects' rights and freedoms
  • Are frequent and regular, or
  • Involve handling sensitive personal information or data relating to criminal convictions

What countries are covered by the GDPR?

The GDPR is applicable in every EU member state. At the time of writing, this includes the following countries:

  • Austria
  • Bulgaria
  • Belgium
  • Cyprus
  • Croatia
  • The Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Latvia
  • Lithuania
  • Italy
  • The Netherlands
  • Luxembourg
  • Romania
  • Malta
  • Poland
  • Portugal
  • Spain
  • Sweden
  • Slovakia
  • Slovenia

Despite the United Kingdom's exit from the EU (Brexit), the GDPR has also been incorporated into UK legislation.

Keep in mind that if you target individuals in any of the countries listed above to offer them products or services or to monitor their behavior, the GDPR will apply.

Can a single business be both a data controller and a data processor?

Yes. A single business can be both a data controller and processor under the GDPR.

To put this in context, suppose an email newsletter agency like MailChimp stores email addresses on behalf of its clients but also processes the data of its own employees. In this scenario, MailChimp is a data processor for its clients but a data controller of its employees' information.

Remember that data controllers are people or organizations who collect and decide how to use personal data. Conversely, data processors are people or organizations who process data in accordance with the controller's instructions.

Are cookies and similar technologies covered by the GDPR?

Yes. Cookies and similar technologies are regulated under the GDPR and, more specifically, the EU Cookies Directive. This is because the GDPR classifies cookies and similar technologies as personal data.

Consequently, businesses that track individuals in the EU via cookies and similar technologies will be covered by every responsibility relating to the processing of personal data under the GDPR.

Remember to obtain explicit, opt-in, and informed consent from users before setting cookies on their devices, like Deloitte does here:

Deloitte Cookie Consent Banner with cookie information page link and buttons highlighted

What do Subject Access Requests entail?

The specifics of Subject Access Requests have been updated under the GDPR. Here are some of the highlights:

  • You must process Subject Access Requests within 30 days of receiving the request.
  • You can no longer impose an administration fee in normal situations.
  • Potential fines have been increased in accordance with the GDPR's new maximum penalty.

We recommend setting up a system to handle Subject Access Requests automatically. This will entail developing a strategy and properly training personnel responsible for responding to requests within the specified time frame.

GDPR Fines for Non-compliance

GDPR Fines for Non-compliance

While data privacy fines are not a new concept, the GDPR has drastically redefined the potential amounts payable for businesses that violate its provisions. With monetary penalties amounting to tens of millions of dollars, GDPR compliance is not something to be taken lightly.

Depending on the severity of infringements, the GDPR imposes two tiers of fines on violators:

  1. Less severe violations (tier 1) involve infringements relating to children's consent, data breach notifications, DPOs, DPIAs, certification procedures, and code of conduct, to mention a few.

    For tier 1 infractions, Data Protection Authorities (DPAs) can impose fines of whichever is higher of the following two amounts:

    • Up to €10 million
    • Up to 2% of the company's global yearly turnover from the preceding financial year
  2. More severe violations (tier 2) involve infringements relating to data processing principles, lawful bases, sensitive personal data, consent, and data subjects' rights, to mention a few.

    For tier 2 infractions, DPAs can impose fines of whichever is higher of the following two amounts:

    • Up to €20 million
    • Up to 4% of the company's global yearly turnover from the preceding financial year

For more in-depth coverage of the GDPR's fines, check out our article: GDPR Fines.

Summary

The GDPR is the most comprehensive, expansive, and far-reaching data privacy law to date. It aims to match the high expectations for data protection in today's technologically advanced society.

The GDPR applies to businesses even beyond the EU that offer goods or services to EU residents or monitor their behavior through personal data collection. In other words, a business's location is not a relevant factor in determining the GDPR's applicability.

The GDPR redefines some commonplace terms and introduces several new terminologies that are rapidly gaining traction in the data protection landscape. Among them are personal data, sensitive personal data, processing, data subjects, data controllers, data processors, and consent.

The GDPR establishes six lawful bases under which businesses may process personal data, as well as six privacy principles they must observe in their processing operations. It also grants data subjects eight privacy rights over their personal data.

To comply with the GDPR, you'll need to take the following steps:

  • Post a GDPR-compliant Privacy Policy
  • Observe the GDPR's guidelines for obtaining consent
  • Promptly notify appropriate supervisory authorities of data breaches
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk data processing activities
  • Appoint a Data Protection Officer (DPO), if applicable
  • Observe the principles of Privacy by Design (PbD)
  • Implement appropriate safeguards for personal data transfers to third countries
  • Maintain proper record of processing activities

Remember that failure to meet the GDPR's stringent standards may result in steep fines or penalties, running into millions of dollars.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy