What Is GDPR Compliance And Does It Apply to You?
The General Data Protection Regulation (GDPR) is a comprehensive piece of EU legislation that came into effect in 2018. Its purpose is to enhance and unify data protection for all individuals within the European Union. The regulation has introduced significant changes in how businesses around the world handle personal data. GDPR is relevant not only to companies based in the EU but also to any business that processes the personal data of EU citizens. Global businesses must therefore understand the requirements of GDPR.
In this article, we delve into the various aspects of GDPR and answer key questions such as: When is it necessary to comply with GDPR? Which businesses are affected by GDPR? And what does compliance with GDPR entail for your business? Although GDPR may seem daunting, it is important to understand that, regardless of your business size, there are certain aspects of GDPR that you need to be aware of.
GDPR requires businesses to implement appropriate security measures and to ensure that personal data is processed lawfully, fairly, and transparently. Additionally, businesses must be able to document their compliance activities and, of course, respect the rights of data subjects.
Our goal with this article is to provide a thorough understanding of GDPR's requirements and guidelines, so that your business handles personal data responsibly and in compliance with the law. Whether you are a startup or an established international player, this article is designed to guide you through the complex landscape of GDPR.
What is GDPR Compliance?
Defining GDPR compliance in its entirety necessitates referring to the GDPR regulation itself. Yet, it's possible to highlight some key principles that clarify what GDPR compliance means.
Fundamentally, GDPR compliance sets rules for businesses that fall under the data protection regulation, obliging them to handle and process personal data in accordance with the law.
The GDPR regulation was established to ensure that the personal data of EU citizens is not processed without a valid purpose and legal basis. This implies that businesses processing the personal data of EU citizens are obliged to comply with it. They do so by implementing a range of security measures to protect these citizens' personal data, and they are committed to processing personal data only for the purposes for which they have a legal basis. Additionally, GDPR comes with a documentation requirement: you need not only to comply with the rules but also to document how you do so.
When it comes to GDPR, there are seven overarching principles to consider in relation to data processing. These seven principles are:
Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently. Lawfulness means having a legal basis for data processing, which can be found in articles 6 and 9 of the GDPR regulation. Fairness and transparency ensure that the data subject is fully informed about how their data is processed.
Purpose Limitation: Your business should only process personal data for clear, legitimate, and documented purposes, and only for those purposes about which the data subject has been informed.
Data Minimization: Only necessary data relevant to the stated purpose should be collected. It's essential to continuously assess whether the current data still needs to be processed for the intended purpose. Superfluous data should be deleted to reduce the risk to the data subjects.
Accuracy: Data should be accurate and kept up to date. Data that is no longer relevant should be removed.
Storage Limitation: Personal data should only be kept for the period necessary for the processing purpose. Data that falls outside this scope should be deleted or anonymized.
Integrity and Confidentiality: Security measures must be put in place to protect against unauthorized access to personal data. This includes both technical and organizational measures.
Accountability: The business must be able to demonstrate compliance with the six principles above and with its handling of personal data.
If you can account for how you have addressed and complied with these seven principles, you are well on your way to achieving GDPR compliance.
When Did GDPR Go into Effect?
The GDPR regulation was adopted on May 25, 2016. Subsequently, businesses had two years to implement the legislation. This means that GDPR came into effect on May 25, 2018.
Before 2018, the existing rules regarding personal data were based on local legislation, whereas GDPR is an EU regulation.
Today, GDPR exists as EU legislation, yet individual EU countries can set extra requirements, have supplementary legal bases, and issue their own guidelines for complying with the law. This is managed by local data protection authorities, who also ensure that businesses adhere to the rules. In Denmark, this task is handled by the Danish Data Protection Agency (Datatilsynet).
This also means that GDPR has been active for over five years. During this time, businesses have had to maintain documentation and continuously improve their data protection practices. In Denmark, we have seen the first cases of fines for not complying with documentation rules, including, for instance, issues with data not being deleted promptly.
Alongside the GDPR regulation, the Danish Data Protection Agency has published several guidelines to assist businesses with the implementation of GDPR rules. These guidelines cover both existing and future regulations. Here you can find advice on how to conduct risk assessments and supervise data processors, areas for which it may be challenging to find clear guidance in the GDPR regulation itself.
It is important to emphasize that GDPR compliance is a process, not a one-time project. Although the rules came into effect in 2018, businesses need to revisit them continually so that their processing activities are kept up to date with changes both in the business and in the legislation.
Who Does GDPR Apply to?
Is GDPR compliance only necessary in the EU?
No, GDPR compliance is not only necessary within the EU. Businesses based in the EU are likely to need to comply with GDPR, but the regulation also applies to companies outside the EU: if they have operations or branches in the EU, or offer services there, they need to comply. GDPR is designed to protect the rights of EU citizens, and for that reason it applies to all businesses processing the personal data of EU citizens, regardless of their geographic location.
GDPR grants EU citizens nine overarching rights regarding their personal data. These rights must be upheld regardless of the company's location, and they are closely related to the seven principles mentioned earlier in the article. The nine rights are:
The Right to Be Informed (GDPR articles 12 and 14): The data subject has the right to be informed. The subject should be able to retrieve information about the collection and processing of their personal data.
The Right of Access (GDPR article 15): The data subject has the right to view and request a copy of their personal data.
The Right to Rectification (GDPR article 16): The data subject has the right to have incorrect or outdated personal data rectified.
The Right to Erasure (Right to Be Forgotten) (GDPR article 17): The data subject has the right to request the deletion of their personal data.
The Right to Data Portability (GDPR article 20): The data subject has the right to have their personal data transferred, meaning they can move it from one company to another if needed.
The Right to Restrict Processing (GDPR article 18): The data subject has the right to request the restriction or cessation of their personal data processing.
The Right to Withdraw Consent (GDPR article 7): The data subject must always be able to withdraw previously given consent.
The Right to Object (GDPR article 21): The data subject has the right to object to the processing of their personal data at any time.
The Right to Object to Automated Processing (GDPR article 22): The data subject has the right not to be subject to a decision based solely on automated profiling.
These rights transcend borders and apply to all EU citizens, whether their personal data is processed by a Danish, French, or American company.
Does GDPR apply to the UK?
Following the conclusion of the Brexit transition on December 31, 2020, GDPR no longer covers citizens in the United Kingdom (UK). However, this does not mean there are no data protection rules for UK citizens. The UK's own data protection law came into effect on January 1, 2021 and integrates many of the same requirements and rights as those found in the EU's GDPR. Known as the UK GDPR, this legislation ensures that the UK continues to have a robust data protection framework that mirrors the EU's approach in many respects.
For businesses in the UK, this means complying with the UK GDPR. This includes maintaining records of data processing activities, conducting risk assessments, and mapping data transfers, among other obligations.
It is also important to note that UK-based businesses processing the personal data of EU citizens still need to comply with the EU's GDPR legislation, as discussed in the previous section. With the right documentation structure, businesses can potentially repurpose much of their existing GDPR documentation to comply with both the UK and EU GDPR. This can help simplify compliance processes and ensure effective protection of personal data, whether processing the data of EU citizens or UK nationals.
Thus, while the UK and EU GDPR have separate legal frameworks, there is a clear congruence in their approach to data protection. This shows the importance of a solid understanding and implementation of data protection principles across borders.
Does GDPR apply to the U.S.?
The short answer is yes. As noted in the section about the rights of EU citizens, GDPR applies to any business that processes the personal data of EU citizens, regardless of the company's geographical location.
However, GDPR only covers EU citizens residing in the union. Therefore, an EU citizen who has moved to the U.S. is no longer covered by GDPR. Conversely, GDPR can apply to U.S. citizens residing in the EU. For U.S. citizens living in the U.S., different data protection laws apply.
This means U.S.-based businesses need to comply with GDPR in the following instances:
The business regularly processes personal data of EU citizens.
The business provides a service that EU citizens can use.
The business conducts marketing aimed at EU citizens, for example, by having a website in a local language or displaying prices in euros.
In terms of compliance, the entire value chain must be considered. If you are an EU-based business using a data processor in the U.S., you must ensure that this processor also complies with GDPR to protect the data subjects. This is partly why there has been a significant focus on EU-U.S. data sharing, as the U.S. is categorized as an unsafe third country. However, the recent Data Privacy Framework agreement has made it easier for U.S.-based companies to certify themselves under a scheme that proves they meet a data protection level compatible with GDPR.
It’s also important to be aware of where your data is hosted. For example, you might use an EU-based provider that hosts their service (where the data is stored) in the U.S. In such cases, the same rules mentioned above apply.
Does GDPR Compliance Only Affect Large Businesses?
No, GDPR applies to businesses of all sizes. This means that factors such as the size, revenue, number of employees, or other aspects of a business do not impact whether it falls under GDPR.
However, there are certain exceptions, such as in the context of Article 30 records. Article 30, paragraph 5, of the GDPR states:
“The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10.”
This means that if your organization employs fewer than 250 persons, you might be exempt unless the processing poses a risk, is not occasional, or includes special categories of data. However, as most processing is likely to entail some risk, and many businesses regularly process personal data, most businesses will likely be subject to GDPR.
Therefore, businesses of all sizes should comply with GDPR and document their processing activities. The good news is that the smaller the business, the less complex tasks like data mapping and other GDPR-related activities will be.
More information on how to conduct data mapping can be found here.
Additionally, the Data Protection Authority has a section specifically aimed at small businesses and their GDPR compliance, which can be accessed here.
At .legal, we have also developed a free version of the Privacy platform, specifically to assist small businesses with their compliance work.
Does GDPR Compliance Affect All Types of Businesses?
Yes, essentially. The same exceptions mentioned in the previous section apply, but otherwise it does not matter whether you run a business in the financial sector or own a timber store. Of course, the complexity of your GDPR documentation and the specific rules you need to comply with will vary depending on your type of business.
For instance, compliance is more complex for a hospital than for a small business: the hospital processes health data on patients, whereas the small business only handles the contact information of its customers.
As a fundamental principle, all businesses must comply with GDPR rules and document their processes according to the requirements they fall under.
Introducing .legal Privacy Tool: GDPR Compliance Made Easy
At .legal, we have developed a GDPR compliance platform named Privacy. Having a compliance tool like Privacy at hand can be a great advantage when executing your GDPR documentation. We have tailored Privacy to cater to all types of businesses.
We also offer a free plan, allowing businesses of any size to use the platform for as long as they wish.
As this article outlines, the same GDPR requirements apply to all types of businesses. Hence, every business needs functionalities such as:
Option to generate an Article 30 record.
Mapping data flows to other parties, such as data processors.
Storing data processing agreements.
Storing policies and procedures.
Setting up a free GDPR Compliance annual wheel to guide you through the year's GDPR activities.
Task management and documentation of your GDPR activities.
All these features are accessible in the free version of Privacy. For larger businesses that may exceed the limits of our free plan, we offer paid subscriptions, which you can read about here.
Among our subscriptions, we offer Privacy Pro, which is ideal for larger organizations managing many group companies and requiring advanced user/role management.
Thus, the Privacy platform can be used by both small and large businesses for the same purposes.
We have designed Privacy with two primary user types in mind: the responsible person (for instance a DPO), who needs an overview of the documentation, especially when legislation changes; and the executor, who knows the personal data being processed but may need guidance through the documentation process with built-in help, templates, and suggestions.
Why choose Privacy? Learn about the advantages of using a GDPR platform versus Excel here. And yes, the platform is free 😀
Common Questions About GDPR
Does GDPR Apply to Non-Profit Organizations?
Yes, GDPR applies to non-profit organizations if they process personal data. GDPR does not differentiate between commercial and non-commercial entities. If a non-profit organization processes personal data of EU citizens - such as member information, donor details, or employee data - it must comply with GDPR. This includes ensuring data security, respecting individuals' rights, and maintaining transparent data processing.
How Does GDPR Impact Employee Data Processing?
GDPR significantly affects how businesses process their employees' personal data. It requires companies to have clear policies and procedures to protect employee data such as employment details, contact information, and performance data. Businesses must ensure that employee data is used only for legitimate purposes and is protected against unauthorized access. They must also inform employees about how their data is used and ensure that employees' rights regarding their data are respected.
Is Consent the Only Legal Basis for Data Processing Under GDPR?
No, consent is not the only legal basis for data processing under GDPR. There are several other legal bases, including the necessity to fulfill a contract, compliance with a legal obligation, protection of vital interests, performing a task in the public interest, and the necessity for legitimate interests pursued by the data controller or a third party. This means businesses can process personal data without consent if they can justify it under one of the other legal bases. See more in GDPR articles 6 and 9.
What Rights Do Data Subjects Have Under GDPR?
GDPR grants data subjects a range of important rights, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to data portability, the right to restrict processing, the right to object, and the right not to be subject to automated decision-making, including profiling. These rights give individuals control over their personal data and how it is used.
How Can I Prepare for a GDPR Audit?
To prepare for a GDPR audit, it is crucial to ensure that your business has documented its data processing activities and its general compliance with GDPR principles. This involves maintaining an up-to-date record of data processing activities, clear data protection policies, employee training, and effective procedures for data security and breach handling. It is also important to have a procedure for handling data subjects' requests regarding their rights.
What Steps Should I Take to Ensure GDPR Compliance?
To ensure GDPR compliance, conduct a thorough assessment of your current data processing activities and identify any gaps in compliance with GDPR. Develop and implement an effective data protection strategy, including policies, procedures, and employee training. Ensure you have procedures in place to handle data subjects' rights requests and an effective data security structure to protect against data breaches.
What Are the Consequences of GDPR Non-Compliance?
The consequences of not complying with GDPR can be severe. They can include substantial fines, up to €20 million or 4% of the global annual turnover, whichever is higher. Additionally, non-compliance can lead to reputational damage, legal disputes, and potential compensation claims from data subjects. Therefore, businesses must take GDPR seriously and ensure full compliance.