You’ve heard about GDPR, you know it’s important, but how much do you actually know about the EU’s General Data Protection Regulation?
In this article, we will explain every major facet of the GDPR:
- How the GDPR defines “personal data.”
- The legal justifications your business must claim in order to collect personal data.
- The rights your customers have over anything you do with their data.
- How to ensure your policies, contracts, and processes comply so you can avoid a big, fat fine.
In fact we’ll even walk you through what we’ve done at Quaderno to align our team and product to fully comply with GDPR (and avoid big, fat fines).
What is the GDPR?
Put one way, the GDPR is “the most important change in data privacy regulation in 20 years”. That’s according to the GDPR website. The previous legal framework for data privacy is known as the Data Protection Directive and was created in 1995.
What even was our concept of “data privacy” back then — before the era of multiple personal devices, one-click purchases, and storing everything in the cloud? It seems data privacy laws were well overdue for an update, and the European Commission has delivered.
The GDPR is full of high, and highly specific, standards about how your business must handle consumers’ personal data. This includes rules about how you collect, process, store, and erase data from your users.
The main changes from previous data privacy laws
- Tons of due diligence and documentation around how your business uses data
- Greater expectations of transparency with consumers
- Stricter limitations on what you can do with personal data
- More consumer rights
- Heavier penalties for non-compliance
So, the GDPR is more specific, more strict, more serious. In fact, the fine for non-compliance is up to €20 Million or 4% of global annual turnover, whichever is higher. That’s not something you want to mess with.
Oh, and it applies to every company who interacts with EU consumers and their personal data. Yep, even if your business is on another continent.
What’s considered “personal data”
The GDPR casts a wide net with the definition of “personal data,” beyond the typical items such as name, address, and social security number. Under the GDPR, personal data includes information that can directly — or indirectly — identify an individual.
How can you indirectly identify an individual? Well, through their internet activity, for example. Web data such as location, cookies, RFID tags, and IP address are all personal data of the user.
Plus, the GDPR grants special protection to a certain set of “sensitive” data:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- processing of genetic data
- biometric data for the purpose of uniquely identifying a natural person
- sex life or sexual orientation
So, effectively almost any shred of information you collect about your users can be considered “personal data,” and you’re expected to protect every piece of it equally.
But before you can process any of your users’ data, you must justify why you’re collecting that data on one of the six legal bases.
The six legal bases for collecting or processing personal data
For every activity that involves processing data, your business must determine and assign a legal basis. This legal basis is essentially explaining your “right” to process that data, that you’ve cleared legal hurdles and taken steps to comply with the GDPR.
As an overview, the six legal bases are:
1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
3. The processing is necessary for the compliance with a legal obligation to which the controller is subject;
4. The processing is necessary to protect a vital interest of the data subject;
5. The data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
6. The processing is necessary for the legitimate interests pursued by the entity, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal data protection.
Again, this is just an overview. Some of these bases have specific guidelines embedded within, such as specific requirements around user consent (#1) or completing a Legitimate Interest Assessment and balancing test (#6).
Determining which legal basis to use for each kind of data processing will take a lot of due diligence in your company: understanding exactly how data is acquired, where it’s stored, where it flows, who it’s exposed to, then ultimately concluding that there’s no better way to conduct the entire process.
Even once all this legal justification is said and done, the user can deny you their data at any time! Under the GDPR, individuals maintain ownership over their own data, and they can exercise several rights that affect your business.
Consumer rights over their own data
Along with an expansive definition of what data needs to be protected, the GDPR also grants expanded rights to individuals. Here are each of the rights, what they entail, and a few other stipulations your business needs to keep in mind!
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Should a user make a request or complaint along any of these lines, you have 30 days to comply. A well-designed system (database and internal processes) would be helpful in making sure your business could meet one of these deadlines!
For a thorough definition of each of these rights, you can check out the full legal text of the GDPR.
General expectations, or how to comply with GDPR!
As stated above, complying with the GDPR means a ton of due diligence, understanding and clarifying your own business practices, then adjusting your documentation and processes to fit the guidelines.
Conduct a personal data audit
A common piece of advice is for you to conduct a “personal data audit” of your business. What personal data does your company already hold? How did you acquire it, and how are you using it? You may find that some of the data is already compliant under the GDPR.
Develop and document all of the following:
- The details of the company and the details of the elected Data Protection Officer (explained below)
- Categorization of individuals, their personal data and the recipients of this data
- The purpose of processing, along with accurate information about your lawful basis of processing
- Your data retention schedules and rationale
- Evidence of due diligence around your selected legal bases
- Details of any third parties that come in contact with the data, including any overseas offices
- Records of security measures taken by your business, in both technology and organization
- The process for identifying a data breach and notifying the appropriate parties within 72 hours of detection
- with the opt-out methods clearly stated*
- Updated contracts with third-party vendors to ensure they’re also GDPR-compliant
All documentation should be in writing, and you should implement a review process in to ensure that all policies stay compliant, especially as your business grows or as the GDPR itself evolves. This brings us to the next point…
Assign a Data Protection Officer, if necessary
Any business with over 250 employees must appoint a dedicated Data Protection Officer (DPO), who will ensure that the business collects and secures personal data responsibly. Some companies may hire for this role specifically, while others may delegate the title — and hefty responsibilities — to an existing team member.
Revise how your users give consent and opt out
A main component about GDPR is that you must collect unambiguous, proactive consent from users. No pre-ticked boxes or vague promises of “not spamming” anyone.
You should also ensure there’s a way for users to opt-out of marketing communication at any time.
How Quaderno complies with GDPR
A main concept of the GDPR is the Accountability Principle, which states that any data controller (i.e.- business) must be able to demonstrate how they’re complying with the law. Consider this blog post part of our GDPR compliance!
Truth be told, we were almost already in line with GDPR even before it was announced, since the Spanish Data Protection Law is pretty strict. The main adjustment for us at Quaderno was to be more transparent about our practices and to track that our suppliers comply with the GDPR, too.
The main change for us has been in marketing. Over the years, we obtained many leads without the explicit consent that the GDPR now requires. So, we had to backtrack a bit. We’ve asked all of our existing users and subscribers to please re-consent to receiving Quaderno messages and content. Moving forward, we ask users to give consent on all the forms we use, such as various support forms, sign-up forms or newsletter subscription forms.
Here’s a quick list of all the revisions we’ve made to ensure we comply with GDPR:
- Asking for renewed confirmation from current subscribers about whether they want to continue receiving emails.
- No longer storing or using data without explicit consent. We only use the data for contract-related matters, like the use of the Quaderno app.
- Added consent checkboxes in the app to receive notifications.
- Updated our terms of service to include clear details of our data processing.
- Updated our data processing agreement. Here we provide the details of the third parties we use, which data we store and how we use it. We also explain that all of our third parties comply with the law.
That’s all from us on the topic! We hope you’ve found this blog post helpful, but please also check with resources below. Our advice is just our own understanding, not certified legal guidance. Best of luck!