GDPR Compliance – What Is It and How Does It Affect Me?

May 29, 2019

If you do business with or operate directly from a country located within the European Union, chances are you’ve been directly affected by the General Data Protection Regulation, or GDPR.  However, if you’re like most small business owners throughout the United States and do not have a strong or direct presence in the European Union, you may not be aware of the GDPR and how it can affect you.

Creating the General Data Protection Regulation

In January 2012, the European Commission began planning out data protection reform across the European Union to make Europe “fit for the digital age.”  On April 14, 2016, the regulation was adopted by the European Parliament and entered into force on May 24, 2016.  The GDPR replaced the outdated Data Protection Directive, enacted back in 1995.

What is the GDPR?

The GDPR identifies two types of data handlers, controllers and processors, and sets out how each must handle the personal data of users who interact with their website.  The regulation also lays out specific legal consequences for those who violate its rules.

Controllers

A controller is a “person, public authority, agency or body which, alone or jointly with others, determines the purposes and means of processing personal data.”  In other words, controllers are those who collect personal data from data subjects.  Because of this, controllers are responsible for determining their legal authority to obtain that data. 

Controllers must establish a lawful basis for processing the data using one of the six bases for data collection, which can be found on the official Information Commissioner’s Office website.  They must also ensure that their data collection is transparent by creating and posting a Privacy Policy that is both easy to find and easy to understand.

The Privacy Policy must outline:

  • What data will be collected
  • How the collected data will be stored
  • How the collected data will be used
  • Who the collected data will be shared with
  • Whether the collected data is shared with third parties
  • When and how the collected data will be destroyed

Whenever a processor becomes involved in collecting data, they automatically become a controller and assume all of the above responsibilities. 

Processors

A processor is a natural or legal person, public authority, agency or another body which stores or processes personal data on behalf of the controller. As stated above, a processor must adhere to the same regulations as a controller once they become involved in handling any types of personal data, whether on their own or on behalf of a controller. 

For example, if you run a blog that allows users to create profiles and engage with both your content and other users, you are considered the controller.  If you use a security service that protects your blog by encrypting all data transmitted to and from your website and its servers, that security service would be considered the processor.

Processors cannot make use of the services of sub-processors without receiving written permission to do so.  Once the permission has been received, and a processor makes use of a sub-processor, the sub-processor will be legally bound to all of the same standards and regulations that both the processor and controller are bound to.

Processors must be able to answer any questions or objections posed to them by the controller that they are processing data for, those involved in the data processing and any legal authorities.  They must also be able to provide users with “the right to be forgotten.”  In other words, those who request a copy of their data or the deletion of their data must be provided with the requested action. 

In some cases, data processors will require a Data Protection Officer (DPO), which will be discussed further in this article. 

What is a Data Protection Officer (DPO)?

A DPO is an enterprise security leadership role required by the GDPR.  DPOs are responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. 

They are responsible for the following:

  • Educating their assigned company and its employees about compliance
  • Training staff involved in the data processing
  • Conducting regular security audits
  • Serving as the point of contact between the company and GDPR Supervisory Authorities
  • Monitoring performance and providing advice on the impact of data protection efforts
  • Maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which may be made public on request
  • Interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information 

Do I Need a DPO?

The GDPR states that those who participate in “large-scale” data handling will always require a DPO.  However, the GDPR does not specifically identify exactly how much data is to be considered large-scale.  The size of an organization does not have any influence in determining whether one is a large-scale data handler.

If you or your company collects or processes E.U. citizens’ personal data, a DPO will always be required.

It’s safe to assume that corporations and websites engaging with thousands of users online are to be considered large-scale data handlers and will require a DPO.  To determine whether you would be considered a large-scale data handler by the European Union, you must take four factors into consideration:

  • Data subjects
  • Data items
  • Length of data retention
  • The geographic range of processing

Most small businesses that are outside of the E.U. and that do not collect E.U. citizens’ data will not be required to have a DPO.

Privacy Policy

The biggest prerequisite of GDPR compliance is ensuring that your website has an active and up-to-date Privacy Policy.  Your Privacy Policy must be easily accessible and easy to read, and it must cover the type of data you collect and how it will be used.

Privacy Policies are legally required not only in the European Union but also in the United States.  In order to be compliant with the California Online Privacy Protection Act (CalOPPA) and the Children’s Online Privacy Protection Act (COPPA), your Privacy Policy must include the special rights that citizens of California are entitled to and whether you collect data from minors under the age of 18.

Cookie Policy

While not legally required in the United States, a Cookie Policy is another privacy document that the GDPR requires.  Your Cookie Policy should outline the following subjects:

  1. What are cookies?
  2. Why do you use cookies?
  3. How can the user control cookies?
  4. All essential website cookies you use.
  5. All performance and functionality cookies you use.
  6. All analytic and customization cookies you use.
  7. Any other tracking technologies you may be using.
  8. Whether you use Flash Cookies or Local Shared Objects.
  9. Whether you serve targeted advertising.
  10. How often you will update the Cookie Policy.
  11. Where and how the user can contact you for further information.

In addition to listing all cookies that you utilize, you must include a reference link for the user directing them to the provider of your cookie.  Ideally, the link provided should link directly to your cookie provider’s Privacy Policy or Cookie Policy, where the user may easily find information on how to opt-out of data collection from that specific cookie. 

Method of Consent

You may have noticed that many of the websites you visit nowadays show an introductory pop-up on your first visit requesting your consent to use cookies and collect your data.  You must give users a way to refuse your use of cookies, and you must provide them with a link directly to your Cookie Policy.

If you use WordPress, WebToffee offers a great plug-in that takes care of this for you. 
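For sites that do not use such a plug-in, the consent logic the section describes (nothing non-essential until the visitor decides, the choice remembered in a cookie, and each cookie category gated on that choice) can be implemented in client-side JavaScript like this. This is an added example, not code from the original post or from WebToffee's plug-in; the cookie name `cookie_consent`, the JSON layout and the four category names are assumptions chosen to mirror the Cookie Policy sections listed above.

```javascript
// Added example (not from the original post). Cookie categories mirror the
// policy sections above; the cookie name and the JSON layout are assumptions.
const CATEGORIES = ['essential', 'performance', 'analytics', 'advertising'];
const CONSENT_COOKIE = 'cookie_consent'; // assumed name for the stored choice

// Parse a document.cookie / Cookie header string into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

// Read the visitor's stored choice. Before a choice is made (or if the stored
// value is malformed) only essential cookies are allowed: nothing is pre-ticked.
function getConsent(cookieString) {
  const consent = { essential: true, performance: false, analytics: false,
                    advertising: false, decided: false };
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return consent;
  try {
    const stored = JSON.parse(raw);
    for (const c of CATEGORIES) if (c !== 'essential') consent[c] = stored[c] === true;
    consent.decided = true;
  } catch (e) { /* malformed JSON: treat as undecided */ }
  return consent;
}

// Serialize the choice made in the banner into a document.cookie / Set-Cookie value.
// Essential cookies are never part of the choice; they are always permitted.
function buildConsentCookie(choice, maxAgeDays = 180) {
  const value = {};
  for (const c of CATEGORIES) if (c !== 'essential') value[c] = choice[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}` +
         `; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Gate used before setting any cookie or loading any tag: may a cookie of this
// category be stored right now? Unknown categories are denied by default.
function mayStoreCookie(category, consent) {
  return CATEGORIES.includes(category) && consent[category] === true;
}
```

In a browser, pass `document.cookie` to `getConsent` on page load, assign the result of `buildConsentCookie` to `document.cookie` when the visitor submits the banner, and call `mayStoreCookie` before loading each analytics or advertising tag.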

Fines and Penalties

Even if you are not a citizen of the European Union, you may still be issued a fine or legal penalty if you are found to be breaking any GDPR requirements.  If you actively collect the personal data of citizens of the European Union and are non-compliant, you or your company will be evaluated and will be either issued a “lower level” penalty or an “upper level” penalty.

Lower Level Penalties

You will be fined up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.  Lower level penalties are used for infringements of:

  • Controllers and processors under Articles 8, 11, 25-39, 42 and 43
  • Certification body under Articles 42 and 43
  • Monitoring body under Article 41(4)

Upper-Level Penalties

You will be fined up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.  Upper-level penalties are used for infringements of:

  • The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
  • The data subjects’ rights under Articles 12-22
  • The transfer of personal data to a recipient in a third country or an international organization under Articles 44-49
  • Any obligations under Member State law adopted under Chapter IX
  • Any non-compliance with an order by a supervisory authority under Article 83(6)

Compliance Is Important

The topic of privacy and data collection has been quite controversial in the past few years, and the GDPR was created in an effort to combat companies misusing the personal data of their customers.  Like any other regulation, the GDPR is very important, and you should always ensure that you are compliant with rules set by the GDPR. 

It is still unclear whether you would be held accountable for accidentally collecting the data of an E.U. citizen while operating in a non-compliant state – even if you’re not a citizen of the European Union.  It is best to ensure your website is compliant at all times, just to be on the safe side.  You may also take measures to ensure your website is blocked from all IP addresses located within the European Union if you do not wish to become GDPR compliant. 
