A Crash Course on the General Data Protection Regulation (GDPR)
If your business serves customers in the European Union, then you’ve likely heard of the General Data Protection Regulation (GDPR). This hefty legal tome dictates data protection principles for any business operating within the EU, and failure to comply is a severe offense.
In fact, breaking the GDPR can cost businesses up to €10–20 million in legal fees.
So, what exactly is the GDPR, and how can you ensure your business is on the path to GDPR compliance? Keep reading this blog post to learn more!
The Basics of the GDPR
The key to GDPR compliance is transparency and accountability. In addition to understanding that you — as a business — are responsible for guarding any data collected from your customers, you must also acknowledge that you’re on the hook when things go wrong.
If you’re using customer data to analyze website activity, build customer profiles, or deliver targeted advertising, you are known as a data controller. Likewise, whoever processes personal data — whether that’s an in-house team or an outsourced marketing firm — is your data processor.
More importantly, both parties are responsible for informing customers of their rights and for enabling customers to exercise those rights.
The Rights of EU Citizens Under the GDPR
Under the General Data Protection Regulation, every European Union customer has six fundamental rights. For the legally curious, I’m also listing the relevant location of each right within the GDPR’s original text.
- Access to Information (Chapter 3, Section 2, Article 15)
- Data Portability (Chapter 3, Section 3, Article 20)
- Erasure (Chapter 3, Section 3, Article 20)
- Lodge a Complaint (Chapter 8, Article 77)
- Objection (Chapter 3, Articles 21–22)
- Rectification (Chapter 3, Section 3, Article 16)
If these ideas don’t make sense now, that’s okay! I’ll dig into them in a moment. For now, we still have a few basics to cover.
Moreover, I can’t stress enough that there are many other data protection measures within the GDPR. These six rights are the bare minimum, and it’s worth hiring an expert to double-check your marketing if you’re ever unsure.
Who Enforces the GDPR?
While data processors and data controllers are responsible for maintaining the high security standards of the GDPR, the European Union has also instituted a sophisticated enforcement system. Much of the enforcement revolves around a data protection officer who monitors and reports on a business’s GDPR compliance status.
This is all overseen by the European Data Protection Board, but that’s an entirely different story!
The Right to Access Data Collected by Businesses
With the basics out of the way, let’s dig into the essentials of the GDPR.
Understanding the lengthy tome is far from easy, but its most basic tenets can be broken down into the six inalienable rights. To kick this blog post off, I’ll start with the right to access, explicitly laid out in Article 15.
What Is Personal Data?
In the world of data processing and marketing, there are many forms of data. The average marketer will find dozens of data points on any given person, but only some of that information is considered “personal data” under the GDPR.
To be precise, the GDPR defines personal data as anything that relates “… to an identified or identifiable natural person (‘data subject’).” Examples of such data include:
- Biometric data (e.g., facial data or fingerprints) (Chapter 1, Article 4 § 14)
- Digital identifying information (e.g., browser history and search history)
- Genetic data (Chapter 1, Article 4 § 13)
- Identification numbers
- Names, including both full and partial names (Chapter 1, Article 4 § 3)
- Sensitive personal data relating to a customer’s physical, social, or economic status (Chapter 1, Article 4 § 1)
Any data processing activities that use this information also produce personal data, and the results of such “profiling” should be delivered to consumers on request. In addition to basic information, the GDPR defines any of the following extrapolated information as private and personal data (per Chapter 1, Article 4 § 4):
- Economic situation
- Interests, hobbies, and personal preferences
- Geolocation or “movements”
- Personal health
- Professional performance
Many businesses protect such information by using pseudonymised data, which unlinks the data from the individuals it describes. However, this does not make the information exempt from GDPR compliance. As such, this information should remain accessible to consumers unless it is truly and wholly decoupled from that individual’s profile.
What Does Right to Access Mean?
In terms of a legal obligation, the GDPR’s right to access dictates that both the data processor and data controller be able to provide a data subject with their individually identifiable information upon request. Such a request can be made at any time and for any reason, and compliance is mandatory.
When consumers request access to their data, businesses must provide them with a lengthy list of data, including:
- Contact information for the brand’s data protection officer
- The categories or types of information gathered
- The information of any relevant third-party data processors
- Whether or not the data is being processed by AI
- Why the personal data is being gathered and processed
Once a business receives such a request, it generally has one month to comply, and customers must be informed of any delays. Depending on the customer’s request, the information should be delivered digitally or physically.
Can Businesses Refuse to Provide Information?
Under certain circumstances, a business can refuse a customer’s request for information. Per the European Union’s data protection laws, a business that does not possess the requested information can refuse to fulfill the request. However, businesses bear the burden of proof, and refusing requests may lead to problems in the future.
The Right to Data Portability
Much like the right to access, the right to data portability — outlined in Chapter 3, Article 15 — gives customers the ability to manage and control their own data offline. In other words, consumers should be able to download their data and view it on their personal devices.
Once the data is downloaded, consumers can use it as they wish. In some cases, they may even transfer the information to a competing platform.
Thus, consumers can ask for their data to be transmitted directly to a different data controller, and this request must be honored promptly and without bias.
The Right to Erasure
Customers can also exercise the right to erasure (or the “Right to Be Forgotten”) at any time, meaning that they can request the deletion of all non-essential data. Moreover, users can request a copy of their data during this process.
This particular right is fairly standard, and examples can be found in privacy and data protection laws worldwide. So, let’s move to the next topic!
The Right to Lodge a Complaint
As its name implies, this right defines the consumer’s ability to file complaints against businesses. When this occurs, the complaining data subject (or data subjects) must be notified of the receipt and submission of their complaint.
Again, this is a straightforward rule. For the sake of timeliness, I won’t do a deep dive on the technicalities. Instead, I’m zooming ahead to the next right.
The Right to Objection
This is one of the “Big Ones!”
Europe’s data privacy laws are extensive, and the regulations are strictly enforced. Avoiding pricey punishments is far from simple, but understanding the basics can help you stay on the right side of the law.
The right to objection is a fancy way of saying that customers can refuse to provide any non-essential data at any time and for any reason. In fact, they can refuse access to their data for no reason at all!
Once a consumer has objected to a certain type of data, businesses can no longer collect that information. Moreover, no data processing can be performed with that information.
This right overlaps with every customer’s right to lodge a complaint. Again, this can be done at any time and for any (valid) reason. Similarly, customers have the right to correct incorrect information — at any time and for any reason!
How to Handle General Data Protection Regulation Compliance
At this point, it should be obvious that GDPR compliance is hard! There are so many moving parts, and it’s easy for you — as both a data controller and a protector — to lose track of something.
Moreover, you can’t pass the responsibilities to someone else. If your data processor fails to comply, you also fail to comply. The data protection rules apply to every involved party, and it’s your responsibility to ensure that the proper data protection measures are in place.
You Can’t Refuse Requests
Unless you can definitively prove that you don’t have the data, it’s up to you to turn over any information you have on request. The only other exception to this rule — given in section 12(5) of Chapter 2 — is when a particular customer has made excessive and burdensome complaints to a company. Again, the burden of proof lies with the business, not the data subject. Businesses are expected to keep track of the requests they receive and log any strange or erratic requests for information.
And — even when you do refuse a request — you must issue your refusal with a notice that the customer can file a complaint against your company.
You Must Tell Users What They’re Signing Up For
One of the best ways to avoid legal reprisal is to undergo data protection impact assessments. These analytical undertakings are outlined in Chapter 4, Section 3, Article 35.
When a company undergoes an impact assessment, a data protection officer reviews a list of all the data the company collects. Each bit of data will also be tied to a purpose, and Europe’s data protection rules allow the government to refuse the collection of data for frivolous or invasive reasons.
Data impact assessments are routine procedures, but they are not required for many small businesses. If your company does not handle large amounts of personal data or store and process data that can be classified as harmful, then you don’t need an impact assessment.
However, in forgoing a data impact assessment, your business becomes responsible for publishing its own data protection information. In other words, you now bear the burden of proof, and you must produce your own impact statements.
What Is a Data Impact Statement?
Obviously, you want to stay on the right side of GDPR compliance. This means you’ll need a data impact statement.
These online documents must include…
Well, first of all, let me say that a compliant impact statement will include a lot of information, so bear with me through this list. If you’re ready, now is the time to start taking notes!
So, what does a brand need to post to stay GDPR compliant? Well, the list looks like this:
- A formal assessment of consumer risks
- A list of the type of data collected
- Contact information for every data controller and data processor
- The measures your company takes to protect user data
- Plans for any possible data breaches
- A statement about the rights, responsibilities, and risks every customer takes by agreeing to your data collection
- Why each type of data is collected
All of this information must be provided in clear and plain language. Disguising your intent beneath some flowery Shakespearean prose may seem like a decent idea, but it’s, like, super illegal.
Consider Hiring the Experts
That’s a lot of information to take in, and I just scratched the surface.
The GDPR is a lengthy legal document, and understanding every legal obligation is more than a chore — it’s a Herculean undertaking! Most brands — especially small businesses — just don’t have the time to deal with everything. However, you still want to grow, and you’ll need to understand the GDPR if you plan to break into the lucrative European economic area.
So, what do you do?
If you’re smart, you hire an expert! At The Email Marketers, my team of pros knows the ins and outs of legal matters. We can craft campaigns that amaze without resorting to underhanded tactics, and we’ll never make your data subjects feel like anything less than the valued customers they are!
(The information contained in this site is provided for informational purposes only and should not be construed as legal advice on any subject matter.)