The General Data Protection Regulation (GDPR) became fully enforceable on May 25th, 2018. In this comprehensive guide on GDPR compliance, we explain the main requirements of the EU Regulation, how to comply, what users’ rights are, and much more.
In this post, we explain:
For example, an internet company may collect user information via its website and store it using a third-party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general). The EU GDPR became fully enforceable on May 25th, 2018.
This regulation is intended to strengthen data protection for all people whose personal information falls within its scope of application, putting control over personal data back into their hands.
Personal data within the context of the GDPR text refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person.
This applies even to data that has been pseudonymized or encrypted, as long as the encryption or pseudonymization is reversible. In terms of meeting data protection obligations under the regulation, this means that decryption keys (and any other material that allows re-identification) must be kept separately from the pseudonymized data.
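The key-separation point above is easiest to see in code. The following is an added example, not code from the original guide or from iubenda: it pseudonymizes a direct identifier (an email address) with a keyed HMAC and keeps the key and the token-to-identity map in a separate "vault" object that stands in for a separately stored and access-controlled system. The working dataset then contains only tokens, and re-identification, or erasure of the link, is only possible through the vault. The `PseudonymVault`, `RAW_RECORDS` and helper names are constructed for this illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: raw records as a controller might hold them before pseudonymization.
RAW_RECORDS: List[dict] = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.com", "country": "FR", "purchases": 1},
]


@dataclass
class PseudonymVault:
    """Holds the HMAC key and the token -> identity map.

    Hypothetical class: in a real deployment this lives in a separate system
    (own database/service, own access controls), never beside the working dataset.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _reverse: Dict[str, str] = field(default_factory=dict)

    def pseudonymize(self, identifier: str) -> str:
        """Deterministic token for an identifier; the same person always maps to the same token."""
        token = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._reverse[token] = identifier  # reversibility exists only inside the vault
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Look a token back up; returns None when no mapping (any longer) exists."""
        return self._reverse.get(token)

    def erase(self, identifier: str) -> int:
        """Remove the mapping for one person and return how many tokens were unlinked.

        Caveat: the HMAC key still allows linking a *known* identifier to its token, so
        full unlinkability also requires destroying or rotating the key.
        """
        tokens = [t for t, ident in self._reverse.items() if ident == identifier]
        for t in tokens:
            del self._reverse[t]
        return len(tokens)


def build_working_dataset(records: List[dict], vault: PseudonymVault) -> List[dict]:
    """Replace the direct identifier with a token; all other fields are kept as-is."""
    return [
        {"user_token": vault.pseudonymize(r["email"]),
         **{k: v for k, v in r.items() if k != "email"}}
        for r in records
    ]


def contains_direct_identifier(dataset: List[dict], identifier: str) -> bool:
    """Sanity check that the working dataset leaks no copy of the raw identifier."""
    return any(identifier in str(v) for row in dataset for v in row.values())


if __name__ == "__main__":
    vault = PseudonymVault()
    dataset = build_working_dataset(RAW_RECORDS, vault)
    print(dataset)                                   # tokens only, no email addresses
    print(vault.reidentify(dataset[0]["user_token"]))  # alice@example.com, via the vault only
```

Anyone holding only the working dataset sees tokens and attributes, which is exactly why the data is still personal data under the regulation: the vault can reverse it. Separating the two, and treating the vault as the sensitive asset, is the control the paragraph above describes.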
Examples of personal data include:
Examples of non-personal data include:
The GDPR can apply to:
This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not. As a matter of fact, this PwC survey showed that GDPR compliance is a top data protection priority for up to 92% of US companies surveyed.
The GDPR can apply to you whether your organization is based in the EU or not
A common misconception is that only EU users are covered by the protections of the GDPR. However, the protections of the GDPR also extend to users outside the EU if the data controller is EU-based. Therefore, if you are an EU-based data controller, the GDPR requirements apply to you and you must, by default, apply GDPR standards to ALL your users.
The conditions of applicability of the GDPR are set out in Articles 2 and 3 of the GDPR text from a material and a territorial point of view. To determine whether a specific processing activity is exempt from its applicability, we have to consider both aspects.
The EU GDPR applies to the processing of personal data. Therefore, it does not apply to company data, such as a company name and address. Be careful here, however: “natural persons” work in companies, so any data referring to them is deemed “personal”, regardless of whether it is processed in a Business to Customer (B2C) or Business to Business (B2B) context.
Furthermore, personal data would not fall under the scope of applicability of the GDPR whenever:
We’ve already mentioned under which conditions the GDPR applies from a territorial point of view.
Consequently, for a processing activity not to be subjected to the GDPR, the following must apply cumulatively:
💡 Let’s take a look at some practical examples:
US-based company, “A”, is selling goods to EU-based consumers (→ GDPR applicable) and hires a US-based company, “B”, for market analytics and statistics purposes. Is company B subject to the GDPR, although it’s neither based in the EU nor does it sell goods or services to EU customers? Probably yes, if the market analytics and statistics activity requires a “monitoring of the behavior” of customers based in the EU.
Do the employees of the Italian Consulate in New York need to comply with the GDPR? Yes, because the GDPR applies to them by virtue of “international public law”.
Does a China-based company selling goods over a website drafted only in Chinese need to comply with the GDPR just because it’s possible, from a practical point of view, that some EU-based Chinese persons might purchase something from it? In principle, we’d say no, unless it can be proven that the company is doing relevant business with EU-based customers, or is addressing them expressly (for instance, by stating that “delivery to the EU” or “payment from an EU bank account” are possible, etc.).
We have listed below the main requirements that organizations should meet in order to comply with the GDPR. It’s not an easy task. That’s why we have crafted GDPR-compliant legal software solutions to help you speed up and simplify the process. Jump to this section to learn more.
Under the GDPR, personal data may only be processed if there is at least one legal basis for doing so.
The legal bases are:
Consent is the most common legal basis that an organization can choose to process user data, but it is not the ONLY one. Therefore in some cases, companies can apply other legal bases for a data processing activity (however determining whether or not another legal basis may apply to your processing is best done with a lawyer). With that said, there will always be data processing activities where consent is the only, best or safest option.
GDPR requirements dictate that if relying on the legal basis of consent, data controllers must get verifiable consent from users.
In general, when getting consent for data processing, organizations should not use overly complicated terms. This includes legalese and unnecessary jargon. This means that terms and privacy policies should be laid out legibly (see ours here) using understandable language and clauses, so that users are fully aware of what they’re consenting to and what the consequences of their consent are.
Organizations must be transparent on the purpose of the data collection and consent must be “explicit and freely given”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).
The regulation also gives a specific right to withdraw consent; it must, therefore, be as easy to withdraw consent as it is to give it.
With regard to consent for children, organizations are required to get verifiable consent from a parent or guardian unless the service being offered is a preventative or counseling service. Organizations must make reasonable efforts (using available technology) to verify that the person giving consent actually holds parental responsibility for the child.
Consent is such an important issue under the GDPR that it is mandatory for you to be able to demonstrate that the user has given it; should problems arise, the burden of proof lies with the data controller, so keeping accurate records is vital.
To achieve GDPR compliance, your consent records should include:
💡 Check this out for an example of compliant record-keeping vs non-compliant record-keeping:
| Non-compliant Record Keeping | Compliant Record Keeping |
|---|---|
| Simply keeping a spreadsheet with customer names and whether or not consent was provided. | Ensuring that you keep a copy of the customer’s dated form which shows the action taken by the customer to provide their consent to the specific processing. |
| Simply keeping the time and date of consent linked to an IP address, with a web link to your current data-capture form and privacy policy. | Keeping comprehensive records that include a user ID and the data submitted together with a timestamp. You also keep a copy of the version of the data-capture form and any other relevant documents in use on that date. |
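To make the “compliant” column concrete, here is an added example (not code from the original guide or from iubenda’s Consent Database) of an append-only consent ledger. Each event stores the user ID, a UTC timestamp, the specific purpose, the data submitted, and a SHA-256 fingerprint of the exact form and notice text that was live on that date, so the record proves what the user saw rather than pointing at whatever the “current” form happens to be. Withdrawals are logged with the same detail as grants, and the latest event decides the user’s current state. `FORM_VERSIONS`, `ConsentLedger` and the sample user data are constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: the exact wording of each data-capture form/notice version that was live.
# A real deployment would archive the rendered form and policy, not a one-line string.
FORM_VERSIONS: Dict[str, str] = {
    "newsletter-form-v3": (
        "Sign up for the monthly newsletter. Your email is used only for this purpose. "
        "Privacy policy v2.1 applies. [ ] I agree (unticked by default)"
    ),
}


def at(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper to build a timezone-aware UTC timestamp for the examples below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def document_fingerprint(text: str) -> str:
    """SHA-256 of the text shown to the user: proves which version was presented."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    timestamp: str             # ISO 8601, UTC
    purpose: str               # the specific processing consented to, e.g. "newsletter"
    action: str                # "given" or "withdrawn"
    form_id: str               # which form/notice version was in use
    form_fingerprint: str      # hash of the text actually presented on that date
    submitted: Dict[str, str]  # the data the user entered with the form
    source_ip: Optional[str] = None


class ConsentLedger:
    """Append-only consent log; hypothetical class for illustration."""

    def __init__(self, form_versions: Dict[str, str]):
        self._forms = form_versions
        self._events: List[ConsentEvent] = []

    def _append(self, user_id, purpose, action, form_id, submitted, when, source_ip):
        text = self._forms[form_id]  # KeyError on purpose: no consent record without an archived form
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
        event = ConsentEvent(user_id, ts, purpose, action, form_id,
                             document_fingerprint(text), dict(submitted), source_ip)
        self._events.append(event)
        return event

    def record_given(self, user_id, purpose, form_id, submitted, when=None, source_ip=None):
        return self._append(user_id, purpose, "given", form_id, submitted, when, source_ip)

    def record_withdrawn(self, user_id, purpose, form_id, when=None, source_ip=None):
        # Withdrawal is recorded with the same detail as the grant.
        return self._append(user_id, purpose, "withdrawn", form_id, {}, when, source_ip)

    def current_consent(self, user_id: str, purpose: str) -> bool:
        """The most recent event for this user and purpose decides; no event means no consent."""
        relevant = [e for e in self._events if e.user_id == user_id and e.purpose == purpose]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.timestamp).action == "given"

    def verify(self, event: ConsentEvent) -> bool:
        """Re-derive the fingerprint from the archived form text; a mismatch means the
        archive no longer matches what the user actually saw."""
        archived = self._forms.get(event.form_id)
        return archived is not None and document_fingerprint(archived) == event.form_fingerprint

    def export_for_user(self, user_id: str) -> List[dict]:
        """Everything held about one user, e.g. to answer an access request."""
        return [asdict(e) for e in self._events if e.user_id == user_id]


if __name__ == "__main__":
    ledger = ConsentLedger(FORM_VERSIONS)
    ev = ledger.record_given("u-1001", "newsletter", "newsletter-form-v3",
                             {"email": "alice@example.com"}, when=at(2024, 5, 2, 9, 30))
    print(ledger.current_consent("u-1001", "newsletter"), ledger.verify(ev))
```

The contrast with the left-hand column is the fingerprint and the archived form text: a spreadsheet flag or a link to the live form cannot show what the user agreed to on the date in question, while a hash tied to an immutable archived copy can.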
Maintaining valid records, while mandatory, can be a technical challenge. Our Consent Database simplifies this process, making it easy for you to view, manage and export your recorded consents. You can read more about it here.
Another EU law worth mentioning here is the ePrivacy Directive (also known as the Cookie Law). This law still applies, as it has not been repealed by the GDPR. In the future, the ePrivacy Directive will be replaced by the ePrivacy Regulation, which will work alongside the GDPR; the upcoming regulation is expected to uphold the same values as the directive.
The Cookie Law requires users’ informed consent before storing cookies on a user’s device and tracking them.
💡 Everything you should know in this guide: Cookies and the GDPR: What’s Really Required?
🌏 Want to learn more about which EU cookie consent rules apply on a per-country basis? Check out our Cookie Consent Cheatsheet.
The GDPR text significantly enhances users’ rights over their personal data within the EU. It gives individuals greater control and transparency over their information and provides rights such as access, rectification, erasure, and data portability, among others. Let’s take a look at each of them.
Organizations must provide users with information about the data processing activities they carry out. Such information should be provided at the time at which personal data is obtained, typically via a privacy notice/policy.
The information must be concise, transparent, intelligible, easily accessible, written in clear and plain language (especially if addressed to a child), and free of charge.
If the data is collected from the actual user it relates to, then they must be provided with privacy information at the time the data is obtained. However, if the personal data is obtained from a source other than the individual user it relates to, then the user must be provided with privacy information within a “reasonable period” of the data being obtained. This period can in general be no later than one month. If you use the data to communicate with the user, the disclosure must be made at the latest when the first communication occurs.
Users have the right to access the data and information about how their personal data is being processed. GDPR compliance dictates that should a user request it, data controllers must provide an overview of the categories of data being processed, a copy of the actual data, and details about the processing. The details should include the purpose, how the data was acquired, and with whom it was shared.
Also, the organization must provide the person making the request with a copy of their personal data free of charge (a reasonable fee can be charged for further copies). The requested data must be provided to the individual without undue delay and at the latest within one month of receiving the request; the exact number of days the organization has to honor a request depends on the month in which the request was made.
💡 The right to access is closely linked to the right to data portability, but these two rights are different. It is therefore important that in your privacy policy, there is a clear distinction between the two.
Users have the right to have their personal data rectified if it is inaccurate or incomplete.
This right also implies that rectification must be disclosed to any and all third-party recipients involved in the processing of the data in question – unless doing so is impossible or disproportionately difficult. If requested by the user, the organization must also inform them about these third-party recipients.
Requests must be honored without undue delay and at the latest within one month of receiving the request. This can be extended by a further two months if the request is complex or if numerous requests were received from the individual. The individual must be informed within one month of receipt of the request, with an explanation as to why the extension is necessary.
In most cases, organizations must comply with a request for rectification without charging a fee. However, if a request is found to be “manifestly unfounded or excessive”, the organization may either charge a “reasonable fee” to carry out the request or refuse to deal with it. In both scenarios, the decision will need to be legitimately justified. If a request is refused, the individual must be informed (along with the justification) without undue delay and within one month of receiving the request.
Under the GDPR text, users have the right to object to certain processing activities in relation to their personal data carried out by the controller.
The user has to state a motivation for their objection, unless the processing is carried out for direct marketing purposes, in which case no motivation is needed to exercise this right.
In a nutshell, the user can object to the processing of their data whenever the processing is based on the controller’s legitimate interest, or the performance of a task in the public interest/exercise of official authority, or for purposes of scientific/historical research and statistics.
If an objection to the processing of personal data is received and there are no grounds to refuse, the processing activity must stop. While the processing activity (including storage) must stop for the particular processing activities objected to, erasure may not be appropriate if the data is processed for other purposes (including the fulfillment of legal or contractual obligations), as the data will need to be retained for those purposes.
Requests must be honored without undue delay and at the latest within one month of receiving the request. This can be extended by a further two months if the request is complex or if numerous requests were received from the individual. The individual must be informed within one month of receipt of the request, with an explanation as to why the extension is necessary.
In most cases, organizations must honor an objection (where there are no grounds to refuse) without charging a fee, however, if a request is found to be “manifestly unfounded or excessive”, a “reasonable fee” can be requested in order to carry out the request or the request can be refused. In both scenarios, the decision will need to be legitimately justified. If a request is refused, the individual must be informed (along with the justification) without unnecessary delay and within one month of receiving the request.
Users have the right to obtain (in a machine-readable format) their personal data for the purpose of transferring it from one controller to another, without being prevented from doing so by the data processor.
This right only applies to personal data and as such does not apply to genuinely anonymous data (data that can’t be linked back to the individual).
Requests must be honored without undue delay and at the latest within one month of receiving the request. This can be extended by a further two months if the request is complex or if numerous requests were received from the individual. The individual must be informed within one month of receipt of the request, with an explanation as to why the extension is necessary.
In most cases, organizations must comply with a request without charging a fee, however, if a request is found to be “manifestly unfounded or excessive”, a “reasonable fee” can be requested in order to carry out the request or the request can be refused. In both scenarios, the decision will need to be legitimately justified. If a request is refused, the individual must be informed (along with the justification) without unnecessary delay and within one month of receiving the request.
When data is no longer relevant to its original purpose, or where users have withdrawn consent, or where the personal data have been unlawfully processed, users have the right to request that their data be erased.
The right to erasure can be refused:
The request must be honored without undue delay and at the latest within one month of receiving it.
This can be extended by a further two months if the request is complex or if numerous requests were received from the individual. The individual must be informed within one month of receipt of the request, with an explanation as to why the extension is necessary.
Users have the right to restrict the processing of their personal data in cases where:
The restriction must be disclosed to any and all third-party recipients involved in the processing of the data in question – unless doing so is impossible or disproportionately difficult. If requested by the user, the organization must also inform the user about these third-party recipients.
Requests must be honored without undue delay and at the latest within one month of receiving the request. This can be extended by a further two months if the request is complex or if numerous requests were received from the individual. The individual must be informed within one month of receipt of the request, with an explanation as to why the extension is necessary.
In most cases, organizations must comply with a request without charging a fee, however, if a request is found to be “manifestly unfounded or excessive”, a “reasonable fee” can be requested in order to carry out the request or the request can be refused. In both scenarios, the decision will need to be legitimately justified. If a request is refused, the individual must be informed (along with the justification) without unnecessary delay and within one month of receiving the request.
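The same response-time rule governs the access, rectification, objection, portability, erasure and restriction requests described above: one month from receipt, extendable by two further months, with the extension itself notified within the first month, and the number of calendar days you actually get depending on the month of receipt. The following is an added example (not code from the original guide) that computes these dates. It assumes one common counting convention, namely the corresponding calendar date in the following month, clamped to the last day of that month when no such date exists; weekend and public-holiday rollover rules are deliberately out of scope here, so treat the result as a planning aid rather than legal advice on the exact expiry time. All function names are constructed for this illustration.

```python
import calendar
from datetime import date
from typing import Union

DateLike = Union[date, str]  # accept date objects or "YYYY-MM-DD" strings


def _as_date(value: DateLike) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(start: DateLike, months: int) -> date:
    """Same calendar day N months later; if that day does not exist (e.g. 31 Jan + 1 month),
    clamp to the last day of the target month. Assumed counting convention for this example."""
    start = _as_date(start)
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(received: DateLike, extended: bool = False) -> date:
    """One month from receipt; three months in total when the two-month extension applies."""
    return add_months(received, 3 if extended else 1)


def extension_notice_deadline(received: DateLike) -> date:
    """The individual must be told about an extension within the original one-month period."""
    return add_months(received, 1)


def days_available(received: DateLike, extended: bool = False) -> int:
    """Calendar days the controller actually gets; this varies with the month of receipt."""
    return (response_deadline(received, extended) - _as_date(received)).days


def deadline_summary(received: DateLike) -> dict:
    """All the dates a request handler needs to track for one request."""
    return {
        "received": _as_date(received).isoformat(),
        "respond_by": response_deadline(received).isoformat(),
        "extension_must_be_notified_by": extension_notice_deadline(received).isoformat(),
        "respond_by_if_extended": response_deadline(received, extended=True).isoformat(),
        "days_available": days_available(received),
    }


if __name__ == "__main__":
    # Constructed sample receipt dates showing the month-length effect.
    for received in ("2024-01-31", "2023-01-31", "2023-03-01"):
        print(deadline_summary(received))
```

The 31 January cases show the edge the paragraph above hints at: the one-month deadline lands on 29 February in a leap year and 28 February otherwise, so the same request gets 29 or 28 days, while a request received on 1 March gets 31.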
Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.
Organizations can only carry out automated decision-making if it is needed for the performance of a contract; authorized by EU state law applicable to the data controller; does not have a legal or similarly significant effect on the user; or is based on the individual’s explicit consent. You can only make automated decisions based on special category data with the explicit consent of the user or for reasons of substantial public interest.
The GDPR allows data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions.
According to the GDPR text, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or where not considered adequate, transfers may still be allowed under the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs).
💡 Learn more about data transfers between the EU and the US.
Data protection should be included from the outset of the design and development of business processes and infrastructure. This means that privacy settings should be set to ‘high’ by default, and measures put in place to make sure that the processing life cycle of the data falls within the GDPR requirements.
If the organization is the victim of a data breach, the data controller must notify the Supervisory Authority within 72 hours of becoming aware of it. If the processing is carried out by a processor on behalf of the controller, the data processor will have to notify the controller immediately after becoming aware of it.
Under this rule, users must also be informed of the breach (within the same time frame) unless the data breached was protected by encryption (data rendered unreadable for the intruder), or, in general, the breach is unlikely to result in a risk to individuals’ rights and freedoms.
In any case, the data controller should keep records of any breaches that have occurred, in order to be able to demonstrate compliance with these provisions to the supervisory authority.
The Data Protection Officer (DPO) is a person with expert knowledge of data protection law whose role includes assisting the controller or processor in monitoring internal compliance with GDPR regulations and overseeing data protection strategy and implementation. The DPO should also be proficient in IT process management, data security and other critical issues surrounding the processing of personal and sensitive data.
GDPR compliance requires the designation of a DPO specifically in the following cases:
The appointment of a DPO is therefore not just based on the actual number of employees but on the essence of the data processing activity. If your organization falls outside of these categories, then it is not mandatory that you appoint a DPO.
The EU GDPR requires that both data controllers and data processors keep and maintain “full and extensive” up-to-date records of the particular data processing activities they are carrying out.
The records of processing activities must be in writing. While both paper and electronic forms are acceptable, it is best practice to use an electronic method of record-keeping so as to facilitate easy amendments.
Under GDPR compliance, full and extensive records of processing are expressly required in cases where the data processing activities:
This effectively covers almost all businesses.
Even if your processing activities somehow fall outside of the situations mentioned above, your information duties to users (Articles 13 & 14) make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone.
💡 You may find that it is, in fact, quite useful to do regular information audits on what data your organization holds as not only does this practice help you to readily meet your record-keeping obligations, but it also makes it easier for you to review and optimize your data processing procedures.
Our Register of Data Processing Activities comes in very handy here as it greatly simplifies the technical process of creating and maintaining records. Read more about how it can help here.
A data protection impact assessment (DPIA) is a process used to help organizations comply effectively with the GDPR and ensure that the principles of accountability, privacy by design and privacy by default are put in practice by the organization.
The DPIA process should be recorded in writing. While publishing the DPIA is not a general legal requirement of the GDPR, it is suggested that data controllers consider publishing all or part of their DPIA as a gesture of transparency and accountability.
💡 An effective DPIA is useful in meeting the requirement of “Privacy by design” as it makes it possible for organizations to find and fix issues at an early stage, thus mitigating both data security risks for users, and the risk of GDPR fines, sanctions and reputation damage that might otherwise occur to the organization.
The DPIA is only mandatory in cases where data processing activity is likely to result in a high risk for users.
However, if unsure as to whether or not your processing activity falls within what is considered “high risk”, it is recommended that a DPIA be carried out nonetheless as it is a useful tool for ensuring that the law is complied with.
🔎 “High-risk” data processing activities include:
Know that DPIAs can also be required in other circumstances (based on a case-by-case evaluation), including but not limited to processing data concerning vulnerable persons (e.g. children, the elderly), data transfers across borders outside the EU, and data that is being used in profiling (e.g. credit scores).
The legal consequences for non-compliance can include fines up to EUR 20 million (€20m) or 4% of the annual worldwide turnover (whichever is greater), but perhaps equally as concerning are the other potential sanctions that may be implemented against organizations found to be in violation. These sanctions include official reprimands (for first-time violations), periodic data protection audits and liability damages.
The legal consequences for non-compliance can include GDPR fines up to EUR 20 million (€20m) or 4% of the annual worldwide turnover
The GDPR text also gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of GDPR regulations, and the right to compensation for any damages resulting from an organization’s non-compliance, thereby leaving violators open to potential litigation.
If a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of the organization’s data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but the organization may be forbidden from making further use of both the data of the inquiry and data acquired using similar mechanisms. This means that if the improper use was in regards to email address collection, the organization risks being barred from using the entire associated email list.
In simple terms, GDPR stands for General Data Protection Regulation, which is a comprehensive data protection and privacy law in the European Union (EU). It was introduced to enhance the privacy and protection of personal data of EU citizens and residents. The regulation became enforceable on May 25, 2018, replacing the Data Protection Directive of 1995.
The 7 principles of the GDPR are lawfulness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. They guide the processing of personal data and ensure the protection and privacy of individuals’ data.
In short, GDPR compliance refers to adhering to the General Data Protection Regulation (GDPR), a set of data protection laws implemented by the European Union (EU).
GDPR sets guidelines and regulations on how personal data of individuals within the EU should be collected, processed, stored, and protected by organizations.
Achieving GDPR compliance involves implementing necessary measures to ensure the privacy and security of personal data, obtaining explicit consent from individuals, providing transparency in data handling practices, appointing data protection officers (DPOs), and promptly addressing data breaches. Non-compliance can result in significant penalties.
No, GDPR compliance is not mandatory in the United States by default.
The General Data Protection Regulation (GDPR) is a regulation implemented by the European Union (EU) and primarily applies to organizations that collect, process, or store personal data of individuals within the EU. However, some US-based companies may need to comply with GDPR if they handle the personal data of EU residents.
This can occur when offering goods or services to EU individuals or monitoring their behavior. It is advisable for US companies to assess their data processing activities and consult legal experts to determine if GDPR compliance is required for their specific situation. Additionally, the US has its own data protection regulations, such as California’s CCPA/CPRA, which may apply to businesses operating within that state.
| Question | Answer |
|---|---|
| What is the GDPR? | The EU General Data Protection Regulation is one of the most robust privacy laws in the world. It became enforceable in May 2018. |
| What’s the aim of the GDPR? | The Regulation aims to strengthen data protection for all people whose personal information falls within its scope of application, putting control over personal data back into their hands. |
| Who does the GDPR apply to? | The GDPR applies to both EU and non-EU companies. Thus, its scope of application can extend outside of EU borders. |
| How to comply with the GDPR? | GDPR compliance is made up of several steps, and each organization should evaluate them carefully. At the very least, you should: |
We’ve created a useful checklist on how to comply with GDPR and the Cookie Law, since they go hand in hand for compliance in Europe. Keep reading!
👋 The GDPR applies to you if you’re based in the EU (+ UK), or if you target EU (+ UK) users. The ePrivacy Directive (or Cookie Law) applies to most websites that can be accessed by EU users and that run cookies, trackers or similar technologies.
✅ Do you have a valid, up-to-date and easily accessible privacy policy in your website’s footer or app menu?
✅ Does your privacy policy describe all the types of personal data you collect, how, why, and who it gets shared with?
✅ Do you get user consent before collecting any personal data, e.g. on a contact form, or when installing marketing cookies for advertising or analytics?
✅ If you install cookies, do you show an obvious cookie banner when a user first visits your website?
✅ Do you block cookie scripts to prevent non-exempt cookies from being installed before you get consent?
✅ Do you give users full granular consent options on your banner so they can filter out cookies they don’t want installed (e.g. by type of cookies and purposes)?
✅ Do you have a proper cookie policy or a section of your privacy policy dedicated to cookies?
✅ Do you maintain detailed records of consent for cookies, marketing activities and more? Do they include elements like timestamps, preferences expressed, and the specific form used?
✅ Do you inform users of and make it easy for them to exercise their rights, i.e. to fulfill their requests to access/correct/update/delete data you hold on them?
✅ Do you keep detailed internal records, including data retention policies, security measures or transfers outside the EU?
✅ Do you keep the data safe? Who is responsible for GDPR compliance within your organization?
At iubenda, we take a comprehensive approach to GDPR compliance. We built our compliance solutions with the strictest regulations in mind, giving you full options to customize as needed. This way, we’ll assist you with meeting your legal obligations, reduce your risk of litigation and protect your customers, building trust and credibility.
And, wait for it: our solutions are made to simplify and speed up your compliance journey!
💡 Please note that privacy laws are usually amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use dynamic embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.
Here’s what you need to get started with full GDPR compliance:
This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
With our Privacy and Cookie Policy Generator you can create a beautiful, lawyer-crafted, precise privacy policy and seamlessly integrate it with your website or app. You can simply add any of several pre-created clauses at the click of a button or easily write your own custom clauses using the built-in form.
The privacy policy also comes with the option to include a cookie policy (it’s necessary to include it if your website or app is using cookies). The policies are customizable to your needs and remotely maintained by an international legal team.
For more information on privacy policies click here.
Using cookies can mean both processing user data and installing files on users’ devices. That’s why you need to meet the legal requirements of the ePrivacy Directive (Cookie Law) if you use tracking technologies. To help you out, we’ve created our comprehensive Privacy Controls and Cookie Solution. It’s an easy-to-use cookie policy and cookie consent solution (including banner management); it’s fast and does not require heavy investment.
Many Data Protection Authorities across the EU have strengthened their requirements and aligned their rules on cookies and trackers with the requirements of the GDPR. More specifically, you are required to record and store proof of your users’ preferences.
The Cookie and Consent Preference Log is now available in our Privacy Controls and Cookie Solution. Click here for more info!
In order to make your web forms fully GDPR compliant – regardless of how many users you have – you must also store proof of consent. You must be able to demonstrate that consent was collected, when it was provided, by whom, which preferences were expressed, and which legal or privacy notice was presented.
Do all of the above with iubenda’s Consent Database. It helps you record and manage GDPR consent and privacy preferences for each of your users. It smoothly integrates with your consent collection forms, syncs with your legal documents and includes a user-friendly dashboard for reviewing consent records of your activities.
To meet the record-keeping requirement from the GDPR text, our Register of Data Processing Activities helps you record and manage all the data processing activities within your organization. You can list processing activities from 1800+ pre-made options, divide them by area, assign processors and other member roles, and document legal bases and other GDPR-required records.
For a list of the full features of the Register of Data Processing Activities, read our guide here.