Once upon a time, collecting data to understand customers’ behaviors and preferences was very simple.
But things changed in the last few years.
The GDPR passed in 2016 and went into effect in 2018, replacing the outdated 1995 Data Protection Directive.
Suddenly, companies that had invested heavily in data-driven marketing strategies had to adapt and make sure that their websites were compliant.
And because it is not easy to really grasp all the rules, many still wonder: after all, what is GDPR and how does it affect businesses?
In this blog post, we will explain the fundamental points about the regulation and help you assess your situation when it comes to the use of data.
What Is GDPR, And What Does It Mean?
GDPR stands for General Data Protection Regulation.
The regulation is a European legal framework that establishes the minimum standards websites must adhere to when it comes to protecting the personal data of anyone accessing any website from within:
- the European Union (EU);
- or the European Economic Area (EEA) countries.
The GDPR established personal data protection as a fundamental right that is protected under the EU Charter.
It also provides guidelines for punishing website owners that violate these rights.
What is classified as personal data under the GDPR?
This is one of the most important questions.
In order to understand the full extent of the protection that the GDPR offers site visitors from Europe, website publishers need to know how the regulation defines personal data.
Basically, any information that someone may use for uncovering a person’s identity, either directly or indirectly, is considered to be personal data.
Many online businesses find that definition extremely broad in scope, but here are some data points that the GDPR identifies explicitly as personal:
- Name;
- Date of Birth;
- Email Address;
- IP Address;
- Photos;
- Location;
- Ethnicity;
- Gender;
- Biometric Data;
- Religious Beliefs;
- Political Opinions and Affiliations;
- Web Cookies.
This list doesn’t include all possible personal information under the GDPR, but it provides a good idea about the type of information covered by the regulation.
Any time a website processes any of this protected personal data, meaning collecting, storing, organizing, comparing, or using it in almost any other way, the constraints of the regulation may come into play.
It is also important to note that under the GDPR, not all data is treated in the same way.
For example, some data such as race, religious beliefs, sexual orientation, and genetic and health information fall under the special category of personal data.
This sensitive personal data must be held separately from other data and has additional restrictions on processing.
What rights does the GDPR provide website visitors over their personal data?
There are eight individual rights granted by the GDPR when it comes to personal data.
These rights are:
1. Right to Information
Gives website visitors the right to demand that websites inform them about what information is being processed and how it is stored and managed, along with why the site needs the information.
2. Right of Access
Allows website users to demand a copy of all personal information they have provided and any supplemental personal data along with the source of that information. In addition, websites must inform visitors about how their personal data is used for automatic decision-making and profiling by the site.
3. Right to Rectification
Enables people to modify any personal data that they believe to be incorrect. Website owners must make changes to a user’s data in a timely manner without any undue delays.
4. Right to Erasure
Permits individuals to have their personal information deleted from the website by withdrawing consent. However, this right is not absolute, and there are certain instances where a site may have the authority to retain the data.
5. Right of Restriction of Processing
Provides users of a website with the opportunity to temporarily stop personal data processing when the user believes that the data is inaccurate or that the business is processing the data incorrectly or illegally. If a website intends to resume processing this data in the future, it must inform the user.
6. Right to Data Portability
Entitles website visitors to request the transfer of their personal information to a third party in a commonly accessible format. This right is limited to sites that implement automated data processing and have explicit consent or contractual obligations with the person requesting the transfer.
7. Right to Reject
Means that any website processing its visitors’ personal information must stop if a user asks it to do so. The only exception is if a website can prove it has the necessary legal grounds to continue.
8. Right to Avoid Automated Decision-Making
Requires human input for decisions based on personal data that may have legal consequences for the site visitor. However, there are exceptions to this right, including when it is necessary for entering into or executing a contract, when the user has given explicit consent, or when the site has specific authorization to do so.
How Does GDPR Affect US-based Businesses?
One of the most significant issues of GDPR and the cause of a lot of confusion and frustration, especially in the US, is its extraterritorial reach.
But here is the fact.
The GDPR guidelines can affect any website no matter where it is based.
Any site that offers goods or services to consumers in the EU or EEA, even if there is no commercial transaction, or a company that tracks internet users in the EU or EEA is subject to the GDPR.
This broad definition of “doing business” means that even if a website does not explicitly advertise or promote European sales, any customer ordering from Europe is protected.
And that is a point worth highlighting.
The regulation protects the privacy of only those who access websites from within the EU or the EEA.
You can probably imagine that from a business perspective, especially if highly effective data-driven marketing is being used, there are a few risks.
And although the GDPR clearly states that all companies doing business with users in Europe must comply with the regulation, many wonder how the EU will enforce fines against US-based companies.
The answer is: it depends.
Businesses with a physical presence in the EU or EEA will face litigation like any other EU-based business.
But things get murkier when companies aren’t actually in Europe.
The GDPR tries to get around this by requiring non-EU or EEA businesses to designate a representative within its legal boundaries, but that obviously depends on the company actually doing so.
Enforcing fines against US-based businesses that have neither a physical presence nor a representative in the US will depend on the US courts to do the dirty work.
Unfortunately, it still isn’t clear how willing US courts are to help out.
What Is The Difference Between The GDPR And The CCPA?
Maybe you heard about this somewhere.
The California Consumer Protection Act (CCPA) provides enhanced consumer and privacy protection for residents of California.
Although both the CCPA and the GDPR have similar goals, there are distinct and meaningful differences.
One of the most significant differences is who receives protection.
While the GDPR requires the compliance of all websites that process data from Europe, the CCPA only protects consumers and households.
In addition, there is a minimum threshold that businesses must reach before the CCPA even applies.
Non-compliance with CCPA guidelines does not carry the same level of penalties as violating GDPR.
Fines are significantly lower, and unlike GDPR, there is a 30-day grace period to cure any violations and inform consumers of these remediations.
Check our blog post for a more in-depth comparison between the GDPR and the CCPA.
What Is GDPR Compliance?
Well, GDPR compliance is simply following all the requirements of the regulation.
However, as you can imagine from the complexity of the GDPR as described above, complying is anything but simple.
So, who has the job of ensuring everything runs smoothly and guaranteeing the business meets all the requirements?
According to the regulation itself, there are three different and distinct roles when it comes to personal data processing — and the two most common roles are the data controller and the data processor.
↳ The data controller
This is the person who is primarily in charge of protecting the personal information of website users.
This individual has an ultimate say concerning what personal data undergoes processing, how it’s done, and why.
↳ The data processor
In some cases, a data controller personally processes the personal information, but not always.
Many websites choose to outsource data processing to a third-party vendor. This outside service provider then becomes the data processor.
It is important to note that a data processor never has complete autonomy when it comes to the data and only follows the specific instructions of the data controller.
While the data processor acts on behalf of the data controller, the data processor still needs to adhere to the GDPR guidelines.
This means that any online business that hires an outside data processor must ensure that the vendor is compliant with the GDPR.
Ensuring third-party compliance is particularly critical when the data processor is working in a non-EU country and may not know the website is doing business with people in Europe.
Remember that unless a company can substantially prove that it was in no way responsible for non-compliance, the data controller, along with the company, will be solely liable for any regulatory violations.
↳ The data protection officer (DPO)
This is the third role that not every company needs to create.
The DPO is an autonomous position responsible for acting as the company’s lead on anything related to GDPR.
Tasks include educating employees about GDPR, monitoring compliance by performing data impact assessments, and handling any questions and concerns of website users.
The only websites that must create a DPO role are:
- Any public authority besides a court of law that may act in a judicial capacity;
- An entity whose primary function is to monitor a large number of individuals routinely;
- An entity whose primary function is to process special categories of data or data relating to criminal justice.
Companies that do not specifically require a DPO may still find it beneficial to create the position.
What Happens If GDPR Is Not Followed?
Penalties for failing to comply with GDPR are severe and apply to all businesses regardless of how much they earn.
However, there are two tiers of punitive fines depending on the severity of the infraction.
▷ The first tier is for violations that do not directly affect the privacy of individuals.
For example, this level includes infractions regarding a company’s data controller or data processor or those relating to paperwork errors.
Fines for these lower-level violations are still stiff and can range up to €10 million, or 2% of the business’s global revenue from the preceding financial year, whichever is greater.
▷ The second tier fines are for any violations that directly affect the privacy of individuals, violating country-specific privacy laws, or refusing to comply with any order given by a supervisory authority.
The fines double and can reach €20 million, or 4% of the company’s worldwide revenue from the preceding financial year, whichever amount is greater.
In addition to these regulatory fines, individuals who had their privacy rights violated have the right to sue for material or non-material financial damages.
In reality, the vast majority of fines associated with GDPR violations are much smaller than the maximum allowable by law.
While Google was fined €50 million for non-compliance, many companies paid less than a few thousand.
Wrap Up: The Time To Adapt Is Now
With the possibility of hefty fines and its all-encompassing reach, the GDPR is a topic that is certainly worrisome for most online businesses.
Taking a proactive approach to safeguarding the financial security of your business is the best step forward.
However, the complexity of the issue can easily overwhelm the owners of smaller companies.
So remember: you don’t need to handle everything on your own. Feel free to reach out to experts to learn more about GDPR and data.
You can start right here in our blog, learning about the different data types and how your business can protect and profit from them.