The General Data Protection Regulation (GDPR) is a European privacy law that imposes strict requirements on how companies handle personal data. The GDPR went into effect in 2018 and applies to all companies that collect or process data of EU residents, regardless of where the company is located.
The GDPR establishes several key requirements that companies must comply with. Some of the most notable GDPR requirements include:
- Having a lawful basis for processing personal data
- Requiring explicit consent for data processing activities
- Allowing EU residents to access, correct, and delete their personal data
- Mandating data portability so data can be transferred between services
- Implementing privacy by design and default
- Appointing Data Protection Officers to oversee compliance
- Instituting breach notification requirements
- Potentially facing steep fines for noncompliance
The GDPR has dramatically increased the privacy rights of EU residents. Companies that fail to comply with GDPR face fines of up to 4% of global revenue or €20 million, whichever is greater.
Below is a summary table of some of the key GDPR compliance requirements:

| Requirement | Summary |
|---|---|
| Lawful Basis | Must have a lawful basis for processing data, such as consent, contract, legal obligation, vital interests, public interest, or legitimate interests. |
| Consent | Consent must be freely given, specific, informed, and unambiguous. Must be easy for users to withdraw consent. |
| Right of Access | Users can request details on data being processed and receive a copy of their data. |
| Right to Erasure | Users can request their data be deleted. |
| Data Portability | Users can receive their data in a machine-readable format and transmit it to another controller. |
| Privacy by Design | Companies must implement data protection from the start, not as an afterthought. |
| Data Protection Officers | Companies must appoint DPOs to oversee GDPR compliance. |
With these stringent requirements, the GDPR has fundamentally changed how companies handle personal data. Understanding the key GDPR requirements is essential for any company subject to this far-reaching privacy regulation.
Lawful basis for processing data
One of the core principles of the GDPR is that companies must have a lawful basis for processing personal data. The GDPR establishes six lawful bases for processing data:
- Consent - The individual has given clear consent for the processing of their personal data.
- Contract - Processing is necessary to fulfill or enter into a contract with the individual.
- Legal obligation - Processing is necessary to comply with the law.
- Vital interests - Processing is necessary to protect someone’s life or safety.
- Public interest - Processing is in the public interest or carried out by an official authority.
- Legitimate interests - Processing is necessary for legitimate interests pursued by the controller or third party, as long as individual interests and rights don’t override.
The two most common lawful bases companies rely on are consent and legitimate interests. However, the GDPR sets a high bar for consent. Consent must be:
- Freely given - Consent cannot be bundled into terms and conditions.
- Specific - Consent must be granular and cover separate processing activities.
- Informed - Individuals must be given clear information on what they are consenting to.
- Unambiguous - Consent must involve a clear affirmative action to opt in. Silence or inactivity does not constitute consent.
Companies must also make it easy for individuals to withdraw consent at any time.
The legitimate interests basis is also frequently used. To rely on this basis, companies must:
- Document their legitimate interest for processing the data.
- Show that processing is strictly necessary and proportionate to meet those interests.
- Prove individual rights don't override those interests.
Below is a comparison of consent vs. legitimate interests:

| Aspect | Consent | Legitimate interests |
|---|---|---|
| Definition | Individual has given consent for processing | Processing needed for legitimate interests |
| Requirements | Freely given, specific, informed, unambiguous. Easy to withdraw. | Necessary and proportionate. Individual rights don't override. |
| Example | Signing up for a newsletter | Using purchase history for targeted ads |
No matter what lawful basis a company uses, it must be documented and communicated to individuals. Selecting the right lawful basis is key for GDPR compliance.
Consent
Consent is one of the lawful bases for processing data under the GDPR. The regulation sets stringent requirements for what constitutes valid consent.
Consent must be:
- Freely given - The individual must have a genuine choice with no imbalance of power. Consent cannot be bundled as a non-negotiable part of terms and conditions.
- Specific - Consent must relate to well-defined, distinct processing operations. Blanket consent for vague purposes is invalid.
- Informed - Individuals must be provided clear information on what they are consenting to. This includes:
  - Identity of the controller
  - Purpose of data processing
  - Type of data being collected
  - Existence of any automated decision-making
- Unambiguous - Consent must involve a clear, affirmative action by the individual. Pre-ticked boxes or implied consent based on inactivity don't suffice.
In addition to meeting those standards, consent under the GDPR must be:
- Documented - Companies must retain records to demonstrate what individuals have consented to.
- Easy to withdraw - Withdrawing consent must be as frictionless as giving consent.
- Given by a parent for children - Parental consent is required for children under 16 (with individual EU countries able to lower the age to 13).
Special rules apply when relying on consent:
- The consent request must be clear, concise, and not unnecessarily disruptive to the user experience.
- For sensitive data like health information, explicit consent is required, with a very clear, specific statement of consent.
- For low-risk activities like first-party marketing, an implied "soft opt-in" may be acceptable if individuals are clearly informed and can easily opt out.
Overall, the GDPR sets a very high bar for valid consent. Companies should critically assess their consent mechanisms to ensure they meet the GDPR's strict consent requirements. Doing so provides a lawful basis for data processing and reduces compliance risk.
Children's consent and data
The GDPR provides special protections for children's personal data and consent. Under the regulation, a child is anyone under the age of 16, although individual EU countries can lower that age to 13.
When offering online services to children, companies must:
- Obtain parental consent for data processing.
- Verify consent using reasonable efforts.
- Provide privacy information understandable to children.
- Evaluate data protection safeguards given children's vulnerability.
Parental consent is required for processing children's data. The consent must clearly state:
- The controller's identity and contact details
- The data processing purposes
- The types of data collected
Consent can be obtained and verified through:
- Email confirmation from a parent
- Phone verification of parental consent
- Hard copy authorization forms
- Credit card verification
However, the GDPR prohibits collecting more data than necessary to confirm consent.
If consent is given within the context of online services offered directly to a child, reasonable efforts should be taken to verify the user is an adult. Possible methods include:
- Self-declaration of age
- Technical measures like age screening or machine learning
- Requiring a parent's email address or phone number
Companies should take a risk-based approach in determining verification steps based on factors like:
- Sensitivity of data collected
- Intrusion into child privacy
- Industry best practices
Privacy information provided to children must be clear, age-appropriate, and prominent. Data collection should be minimized, and heightened protections like pseudonymization may be warranted given children's vulnerabilities.
Overall, obtaining children's consent and managing their data in a GDPR-compliant way requires careful measures tailored to their specific needs and vulnerabilities.
Right of access
The GDPR grants individuals the right to access their personal data held by a company. This right of access, also called the right of subject access, is a critical right under the regulation.
When an individual requests access to their data, companies must provide:
- Confirmation that their data is being processed
- Access to their personal data
- Other details, such as:
  - Purposes of processing
  - Categories of data concerned
  - Recipients of the data
  - Retention period
  - Right to lodge a complaint
Companies must provide this information:
- Free of charge in most cases
- Without delay and within one month at the latest
- In a commonly used electronic format
Individuals have the right to obtain:
- A copy of their full data
- Confirmation of the categories of data being processed
- Access to metadata showing provenance and history of the data
Companies should have processes in place to handle access requests, including:
- Identifying and authenticating the requester
- Locating all relevant data
- Providing the data in an easy-to-access format
- Redacting any third party information
Exceptions to providing full access include if it would:
- Adversely affect rights of others
- Reveal confidential commercial information
Overall, the right of access enables individuals to understand and verify if a company is processing their personal data in compliance with the GDPR. Companies must prioritize systems for efficiently responding to access requests within the one month timeframe.
Right to erasure
The GDPR establishes the right to erasure, also known as the right to be forgotten. This gives individuals the right to have their personal data erased in certain circumstances.
Companies must comply with erasure requests when:
- The data is no longer necessary for the purposes collected
- Consent is withdrawn and there is no other legal basis for processing
- The individual objects to the processing and there are no overriding interests
- The data has been unlawfully processed
- There is a legal obligation to erase the data
When an individual makes an erasure request, the company must:
- Erase the data without undue delay
- Cease further dissemination of the data
- Notify other recipients handling the data to also erase it
- Provide confirmation to the individual of erasure
However, the right to erasure is not absolute. Companies can refuse to erase data if processing is necessary for:
- Exercising the right of freedom of expression
- Complying with legal obligations
- Public health reasons
- Establishing, exercising or defending legal claims
Practical steps for erasure include:
- Having processes to handle erasure requests
- Properly identifying the data subject
- Locating and deleting all instances of the data
- Ensuring backups and archives are erased
- Confirming deletion to the individual
Companies should restrict access to data pending erasure, and implement technical measures to prevent recovery of erased data.
The right to erasure shifts the balance towards individuals controlling their data. It also acts as a counterbalance to the concept of the perpetual memory and lifespan of data online.
Data portability
The GDPR introduces the right to data portability to give individuals greater control over their personal data. This right allows people to obtain their data from one service and transfer it to another service or controller.
The right to data portability applies when:
- Data processing is based on consent or fulfilling a contract
- Data is processed automatically
When requested, the company must provide data in a:
- Commonly used format that is structured and machine-readable
- Transmittable format allowing direct transfer to another controller
Data that must be provided includes:
- Provided by the individual - Such as input into forms and other user activity
- Observed about the individual - Such as location data or search history
The GDPR's right to portability establishes interoperability between services. Individuals can take their data with them when switching between:
- Social media sites
- Music streaming services
- Cloud storage providers
- Banking institutions
The benefits of portability include:
- Individual empowerment over data
- Competition by easier switching between services
- Innovation in transferable data formats
Companies should develop procedures for portability requests, such as:
- Securely transmitting data
- Direct transfer to other controllers
- Converting data into interoperable formats
Overall, data portability is a landmark right underscoring that individuals should control their data, not companies. It highlights the shift towards personal data sovereignty in the GDPR era.
Privacy by design
The GDPR requires companies to implement "privacy by design and default." This means building data protection into systems and processes from the start, rather than an afterthought.
Privacy by design has 7 key principles:
- Proactive - Anticipate risks proactively vs. reacting later
- Privacy as default - Minimal data processing is the default, out of the box
- Embed privacy - Build into design from start
- Full functionality - No trade-off between privacy and utility
- End-to-end protection - Lifecycle data management
- Visibility and transparency - Stakeholders can verify measures
- User focus - Respect user privacy empowerment
To implement privacy by design, companies should:
- Assign responsibility for privacy design
- Conduct privacy impact assessments identifying risks
- Adopt data minimization collecting only necessary data
- Use pseudonymization and anonymization methods
- Provide data breach controls like encryption
- Document processes for demonstrating compliance
Examples of privacy by design include:
- Decentralized storage - Avoid a single point of failure
- Differential privacy - Add "statistical noise" before analysis
- Metadata removal - Stripping metadata that reveals context
- Access controls - Granular user permissioning
The benefits of privacy by design include:
- Compliance - Following core GDPR principles
- Trust - Respecting user privacy and rights
- Reduced risk - Less data means less exposure
- Competitive advantage - Leading privacy practices
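To make the data minimization, pseudonymization and differential privacy items above concrete, here is an added Python example. It is not code from the original article or from any product the article mentions. It assumes a constructed set of sign-up records, a hypothetical analytics purpose that only needs the `country` and `newsletter` fields, and a placeholder pseudonymization key that in practice would be held in a key management system away from the data. It shows a keyed HMAC pseudonym (a plain hash of an e-mail address can be reversed by hashing candidate addresses, so it is not a pseudonym in the GDPR sense), drops fields the purpose does not need, and releases an aggregate count through the Laplace mechanism so that one individual's presence changes the published number only within the noise.

```python
import hashlib
import hmac
import math
import random

# Constructed sample records (fictitious people), as a sign-up form might emit them.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "newsletter": True, "ip": "192.0.2.10"},
    {"email": "bob@example.com", "country": "FR", "newsletter": False, "ip": "192.0.2.11"},
    {"email": "Alice@Example.com", "country": "DE", "newsletter": True, "ip": "192.0.2.12"},
]

# Assumed: the only fields the analytics purpose needs. Everything else is dropped.
ANALYTICS_FIELDS = ("country", "newsletter")

# Placeholder key for the example only; a real key is stored separately from the data.
PSEUDONYM_KEY = b"placeholder-pseudonymization-key"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 pseudonym.

    Without the key the value cannot be linked back to the person; with the key
    the same normalized identifier always maps to the same pseudonym, so records
    can still be joined for analysis.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize(record: dict, fields=ANALYTICS_FIELDS) -> dict:
    """Keep only the fields needed for the stated purpose, keyed by pseudonym."""
    out = {"subject": pseudonymize(record["email"])}
    out.update({f: record[f] for f in fields if f in record})
    return out


def laplace_noise(scale: float, rng) -> float:
    """Sample Laplace(0, scale) by inverse CDF from one uniform draw.

    `rng` is any object with a random() method returning a float in [0, 1).
    """
    r = rng.random()
    while r == 0.0:  # avoid log(0) at the extreme of the inverse CDF
        r = rng.random()
    u = r - 0.5
    sign = 1.0 if u >= 0 else -1.0
    return -scale * sign * math.log(1.0 - 2.0 * abs(u))


def noisy_count(true_count: int, epsilon: float, rng) -> float:
    """Epsilon-differentially-private count (Laplace mechanism, sensitivity 1)."""
    return true_count + laplace_noise(1.0 / epsilon, rng)


def newsletter_subscribers(records) -> int:
    """True count of distinct pseudonymous subjects who opted in to the newsletter."""
    minimized = [minimize(r) for r in records]
    return len({m["subject"] for m in minimized if m["newsletter"]})


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(minimize(rec))
    rng = random.Random(42)  # seeded only so the demo is repeatable
    true = newsletter_subscribers(SAMPLE_RECORDS)
    print("true subscribers:", true)
    print("published (epsilon=1.0):", round(noisy_count(true, 1.0, rng), 2))
```

The two Alice records collapse to one pseudonym because the e-mail is normalized before the HMAC, the `ip` field never reaches the analytics output, and the published subscriber count carries Laplace noise of scale 1/epsilon.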
Privacy by design represents a paradigm shift - building appropriate protections proactively rather than retrofitting them. It provides a key framework for operationalizing privacy and earning user trust.
Data Protection Officers
The GDPR mandates that certain organizations appoint a Data Protection Officer (DPO) to oversee compliance efforts.
DPO roles and responsibilities include:
- Informing and advising on GDPR obligations
- Monitoring compliance and assigning responsibilities
- Advising on data protection impact assessments
- Cooperating with supervisory authorities
- Acting as a contact point for the authorities and data subjects
Organizations requiring a DPO include:
- Public authorities handling large scale systematic monitoring or sensitive data
- Organizations whose core business involves large scale processing of sensitive data
- Organizations that regularly monitor data subjects systematically and extensively
Even when not mandatory, voluntarily designating a DPO is considered best practice.
Requirements for DPOs include:
- Expert knowledge of data protection law and practices
- Adequate resources and support to fulfill duties
- Reporting directly to highest management level
- No conflicts of interest from other tasks or roles
- Bound by secrecy and confidentiality
To support the DPO, organizations should:
- Involve the DPO in all data privacy matters
- Ensure the DPO's independence and no conflicts of interest
- Provide adequate funding and resources
- Provide access to systems and data to monitor compliance
- Document the DPO's appointment and communicate their role
Having a dedicated DPO demonstrates an organization's commitment to data protection. DPOs provide integral guidance and oversight to ensure GDPR conformance.
The GDPR represents a significant evolution in data protection, providing individuals with more control over their personal data. Companies worldwide now face strict requirements for handling EU resident data.
Some of the key GDPR requirements include having a lawful basis for processing data, meeting stringent consent standards, allowing data access and portability, implementing privacy by design principles, and appointing Data Protection Officers.
Below is a summary of major GDPR provisions:

| Provision | Summary |
|---|---|
| Lawful Processing | Must have a valid lawful basis for processing personal data. |
| Consent | Consent must be freely given, specific, informed, and unambiguous. Easy to withdraw. |
| Children's Data | Parental consent required for under 16s. Age may be lowered to 13. |
| Right of Access | Individuals can access their data and details on processing. |
| Right to Erasure | Individuals can request data deletion under certain circumstances. |
| Data Portability | Data provided by the individual must be portable to another service. |
| Privacy by Design | Build in privacy from the start rather than retrospectively. |
| Data Protection Officers | Required for organizations with large scale systematic monitoring or processing. |
By shifting control back towards individuals, promoting transparency, and establishing accountability, the GDPR aims to restore trust in data stewardship. It protects EU rights while catalyzing better data practices globally. Strict GDPR compliance is essential given the severe penalties for violations. With vigilance and care, organizations can embrace the GDPR's privacy framework.
As businesses work to align their data practices with GDPR's core principles, they need pragmatic tools and guidance for implementation. Complydog offers a user-friendly GDPR compliance software solution and checklist to methodically assess compliance gaps and build out a roadmap of priority actions. We provide a 14-day free trial, allowing B2B SaaS businesses to experience our platform and get a jumpstart on their GDPR journey, no credit card required. Our goal is to provide the practical help needed to operationalize GDPR's privacy framework. Sign up for Complydog today and take advantage of our risk-free trial to progress your GDPR compliance efforts.