A (Quick) Overview of GDPR
First, a little background on my experience with GDPR (this isn’t to brag, but to give you a feel for my expertise on GDPR).
Earlier this year, I read through the entire original text of the Regulation, summarizing each Article (section) as I went along. I then went back and re-summarized those original summaries, and then created an overview of the full Regulation. I’ve worked for a large, international organization where I’ve been involved in GDPR-related discussions and trained my coworkers on the subject.
**This article is only a brief overview and is by no means comprehensive.** If you’d like to read my comprehensive overview or watch my GDPR training video, you can read/view them (for free) here:
Now that we’ve got that out of the way, let’s go over four major items of GDPR: Important Definitions, Scope, Requirements and Enforcement.
There are two vital definitions that you need to know in order to understand GDPR. They are controller and processor.
When the term “controller” is brought up, most of us think of the person within an organization who ensures that the company’s policies are being followed. Under GDPR, though, this is not at all, whatsoever, in any way, what ‘controller’ means. For this article, I need you to throw out any conceptions you have of that term. Have you done that yet? If not, here’s a short, funny video to help ;)
Got it out now? Okay, good! Now that you’re ready, here’s how GDPR defines controller:
Any person or organization who decides how personal data is going to be processed.
That’s it. So, if your company decides they want to send out happy birthday coupons to customers, they are acting as a controller. Be sure to remember this definition when dealing with GDPR.
This term is a bit easier to understand. Under GDPR, a processor is:
Any person or organization who processes personal data (where “processing” means any interaction with personal data).
That’s it! Now that you’ve got those two important definitions in mind, let’s go through the rest of the summary!
Scope of GDPR
Let’s look at scope from two angles — geography and business operations.
GDPR applies to any person who is in the EU (European Union), regardless of whether they’re an EU citizen or not.
For example, if Claire (who is French) decides to visit the United States, GDPR will not apply to her during her visit. Conversely, if Susan (an American) is in Germany for a conference, GDPR will cover her while she’s in Germany.
GDPR applies to organizations (both for-profit and non-profit) if either of the following applies to them:
- The organization has an office in the EU
- The organization actively targets EU citizens. This is determined by criteria including (1) whether the organization offers goods/services to EU citizens or (2) whether any of the organization’s webpages contain languages/currencies used in the EU.
For example, if a US-based organization offers to sell Nutella in Euros and the website is available in German & French, then it’s going to need to comply with GDPR.
On the flip side, and this is an example of where GDPR does not apply, if Sam is a plumber in Portland, Oregon, and someone from Italy visits his website, Sam’s business doesn’t need to worry about GDPR. Why? Because he’s not offering services to Europeans — only to people in Portland.
Requirements of the Regulation
GDPR’s overarching goal is to formalize privacy as a right. To protect this right, the Regulation makes personal data property of the individual, requiring organizations to be stewards (and no longer owners) of that data.
GDPR also specifies several specific privacy rights, which are:
- The Right to Rectification: Individuals can have incorrect personal data corrected
- The Right to Be Forgotten: Individuals can have their personal data erased
- The Right to Object: Individuals can refuse, up front, to have their personal data processed
If an individual exercises their right to object, your organization must still offer your goods/services to that individual as you would to someone who did not exercise their right to object (e.g., if someone rejects your site’s cookies, you still have to let them use the site).
- The Right to Restrict Processing: Individuals who have been allowing their personal data to be processed can end their consent to processing
For example, a new customer subscribes to your weekly newsletter. A year later, though, they decide to unsubscribe from the newsletter.
- The Right to Data Portability: Individuals can have their personal data transferred from one platform to another (so long as those platforms are similar)
- The Right of Access: Individuals can view the personal data an organization has on them
Informed consent is core to GDPR, as I’m sure you’re aware. With few exceptions, explicit consent must be given by an individual before their personal data can be processed in any way.
For consent to qualify as informed consent, the following conditions must be met:
The terms & conditions must be provided clearly, understandably and in plain language.
If these conditions are not met, a user’s consent will be deemed uninformed and, therefore, void. As a result, your organization can be found to be in violation of GDPR.
Lastly, and as with the right to object, if an individual does not give their explicit consent, they cannot be denied the goods/services offered by your organization.
Enforcement consists of two main elements: Discovery of Noncompliance & Fines.
Discovery of Noncompliance
When an organization is not compliant with GDPR:
- The org’s Data Protection Officer (DPO) must alert the EU authorities (each controller is required to appoint a DPO)
- A data subject can lodge a complaint
Noncompliance can also be discovered by EU authorities investigating your org.
When violations are discovered, fines are imposed. These fines are to be effective, proportionate and dissuasive, and they are based on:
- The organization’s size, privacy posture, attempts to mitigate the effects of the violation and if any previous GDPR violations exist
- The types of data involved
- The type of violation (e.g., an unapproved data transfer vs. a data breach)
After taking these factors into consideration, a violation is found to be either a ‘major’ or a ‘minor’ violation. This then corresponds to the amount of the fine:
- Fines for Minor Violations: Up to €10 million or 2% of global revenue* (whichever is greater)
- Fines for Major Violations: Up to €20 million or 4% of global revenue* (whichever is greater)
*Global revenue — not profit or EBITDA, but total, global revenue.
This chart shows the maximum fines organizations could face, based on their revenue and the type of violation. Note that violations could have a severe effect on small- to medium-sized orgs.
This article provides a brief overview of GDPR. The Regulation is comprehensive and, due in part to its nuanced nature, complex. In short:
- Organizations that have markets/users in the EU need to comply with GDPR
- These organizations need to provide terms & conditions for use that are easy for everyday people to understand (i.e., no more legalese)
- Users are required to give explicit consent before their personal data can be processed in any way
- Fines can be severe
- GDPR is still young. Over time, we’ll see what portions the EU values the most and how fines are administered
Have Some Questions?
If you have any questions, feel free to reach out to me on Twitter (twitter.com/@and_sanford). I’ll be happy to help you out!
[Disclaimer: This article is not legal nor consultative advice. Before making any GDPR-related decisions, you & your organization should consult with GDPR experts from different fields, including legal, privacy, cybersecurity, etc.]