The General Data Protection Regulation, or GDPR, is a European regulation with sweeping consequences for virtually any business that operates in Europe, or serves European users or customers in any capacity. Adopted in 2016 and in force since 25 May 2018, the GDPR has become a model for data-privacy laws around the world. But understanding and ensuring compliance with the GDPR itself remains a significant challenge for businesses.
We'll explore the data-privacy obligations that businesses all over the world now face, and walk through the steps needed to keep your company and your customers safe in the era of global data-privacy regulation. Wherever your company is on that journey, reading this guide is a first step toward full GDPR compliance.
The GDPR can seem complicated. In practice, though, the 88-page regulation has a straightforward goal: to secure eight key rights for people ("data subjects") whose personal data is collected or used by businesses and other organizations. Each right implies a matching obligation for the business:

1. The right to be informed. Data subjects have the right to know in advance how their data will be collected, used, and stored. So businesses need to create clear privacy policies and provide explicit notification before collecting or using data.

2. The right of access. Data subjects have the right to know after the fact how their data has been collected, used, and shared. So businesses need to track the way data is used and processed across their entire ecosystem, including by third-party partners.

3. The right to rectification. Data subjects have the right to correct inaccurate data that has been collected about them. So businesses need to develop systems for vetting requests, entering corrections, and rapidly propagating changes across their entire ecosystem.

4. The right to erasure. Data subjects have the right to demand the deletion of all data collected about them. So businesses need to develop systems for verifiably deleting all data without disrupting existing databases and processing systems.

5. The right to restrict processing. Data subjects have the right to prevent collected data from being used or processed. So businesses need to treat consent metadata as a living document that is subject to change, and halt data processing on request without deleting the data.

6. The right to data portability. Data subjects have the right to have their data transferred freely to other data controllers. So businesses need to put systems in place to verify requests, extract all data pertaining to a given user, and securely transmit it to third parties.

7. The right to object. Data subjects have the right to object to their data being used without their consent. So businesses need to ensure data subjects can withdraw consent, and that updated consent data rapidly propagates through the entire data ecosystem.

8. The right to opt out of automated decisions. Data subjects have the right to insist that important decisions are made by humans, not algorithms. So businesses need to provide clear notification of automated decision-making, and put systems in place to allow human agents to take over automated processes on request.
While the eight key rights are themselves fairly easy to understand, they add a critical new layer of complexity to the operations of virtually any organization that collects or uses personal data. To comply with the GDPR, it isn’t enough to simply request consent before collecting data: you need to treat consent as a living document that can be retracted or amended at any time, and you need to put systems in place to track a user’s data across your entire data ecosystem.
You need to ensure you don’t use data in ways for which users haven’t given ongoing consent, and you need to ensure that any vendors or outside partners that handle your data are also able to rapidly adapt to changes in user consent, and to provide the tracking and reporting that’s required under the GDPR.
The GDPR is a European regulation, and as you’d expect it affects virtually every business that operates in the European Union. But don’t assume you’re safe just because your business is headquartered outside the EU. If you have any business dealings with people who are based in Europe, you could fall under the purview of the GDPR.
Any company with a physical presence in Europe will almost certainly be subject to the GDPR. Even a company that doesn’t collect data about customers will likely collect data about its employees, and thus need to comply with the GDPR.
But the GDPR also applies to companies serving European customers, even if the business itself is based elsewhere. If you ship your products to a customer in Belgium, for instance, you’ll need to handle that customer’s data in GDPR-compliant ways.
And don't assume that you're safe just because you aren't selling into European markets. Under Article 3(2), the GDPR applies to any organization that offers goods or services to people in the EU, or that monitors their behaviour. Mere accessibility of a website from Europe is not, on its own, enough (Recital 23 says as much), but if you run analytics, advertising cookies, or any other tracking on visitors who happen to be in Europe, you are monitoring their behaviour and the regulation applies, even if you never receive a single euro from those visitors.
The bottom line: no matter where you're based, and no matter the size or nature of your business, if you offer goods or services to people in the European Union, or collect data about them (from a customer's phone number to a website visitor's IP address, which counts as personal data), then you need to pay attention to the GDPR.
The GDPR is designed to get results by hitting noncompliant businesses where it hurts—their bottom line. The maximum penalty for infringements is the greater of €20 million (about $24 million) or 4% of annual global turnover—so for big multinational firms, potential fines can reach eye-watering sums.
In practice, data regulators set fines using criteria that include the seriousness of the regulatory breach, the offending company’s past compliance (or noncompliance) with the GDPR, and efforts taken to cooperate with investigators and mitigate the harm done by any regulatory breach.
It's important to remember, too, that a company's liability does not stop at its own noncompliance. Under Article 82, where a controller and a processor (such as an email or cloud-storage provider) are both involved in the same processing, each can be held liable for the entire damage, so a data subject can claim against you for harm caused by your vendor. The only way out is to prove that your company was "not in any way responsible for the event giving rise to the damage", a very high bar to clear.
And the regulatory fines are just the beginning. Article 82 of the GDPR also allows people whose data is improperly handled to receive compensation for both material and non-material damage they suffer as a result. That means if someone suffers financial losses, or even simply distress, as a result of your noncompliance, you could find yourself facing claims on top of any fine.
Don't assume you're safe just because your company isn't a household name. While large multinational firms draw the most regulatory attention, even small businesses are now being hit by enforcement actions and fines totaling thousands of dollars. It's also important to remember that while European regulators might not have direct jurisdiction over companies with no physical presence in Europe, that doesn't mean the regulation is toothless against them.
If you’ve read this far, you know that building a GDPR-compliant business is important, but also far from easy. Here are six key steps every business should take to ensure they don’t fall foul of regulators:
Meeting your company’s obligations under the GDPR can seem daunting, especially if you aren’t a regulatory or policy specialist. But the good news is that when you partner with Ketch, you don’t need a law degree to ensure your company is fully compliant.
Our SaaS approach to compliance lets you set broad policies for how data is handled, then tags every single piece of data you collect—from a user’s name or location, to the specific ways they’ve consented to their data being shared—with permits that determine how that data can be used.
That’s a game-changer, because it enables your developers to simply query whether a given action is permissible for a given piece of data. That fully automated process ensures developers can do their jobs without fretting about regulations. And it enables your policy specialists to easily tweak the way data is used, secure in the knowledge that any changes they make will ripple through your whole data ecosystem, including vendors or third-party companies using your data, to ensure complete compliance without messy under-the-hood changes to your codebase.
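To make the permit model concrete, here is a small illustration, written for this guide and not taken from the Ketch platform, of what "data tagged with permits that developers query before acting" looks like in code. It assumes a single in-process ledger keyed by a hypothetical subject id, three example purposes, and the constructed sample record for "alice"; a real deployment would back the ledger with a database and push changes to vendors. The point it demonstrates is that consent lives in one place and is checked at the moment of use, so withdrawal, restriction (halt processing but keep the data), rectification, export, and erasure all take effect without touching the processing code.

```python
"""Purpose-scoped permit checks for personal data (illustrative example, not Ketch's code).

Every record carries a data-subject id and a permit per purpose. Processing code calls
permitted() before touching a record, so consent changes apply on the next query and
no processing path has to be rewritten when policy changes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(str, Enum):          # assumed example purposes
    FULFILMENT = "fulfilment"      # shipping an order
    MARKETING = "marketing"        # newsletters, ads
    ANALYTICS = "analytics"        # usage measurement


class Status(str, Enum):
    GRANTED = "granted"
    WITHDRAWN = "withdrawn"        # consent withdrawn: stop using it for this purpose
    RESTRICTED = "restricted"      # restriction of processing: keep data, halt use


@dataclass
class Record:
    subject_id: str
    fields: dict
    permits: dict = field(default_factory=dict)   # Purpose -> Status; absent == never consented


class ConsentLedger:
    """Single source of truth for what may be done with each subject's data."""

    def __init__(self):
        self.records = {}          # subject_id -> Record
        self.audit = []            # (utc timestamp, subject_id, event, detail): the access-request trail

    def _log(self, subject_id, event, detail):
        self.audit.append((datetime.now(timezone.utc).isoformat(), subject_id, event, detail))

    def collect(self, subject_id, fields, consented_purposes):
        rec = Record(subject_id, dict(fields), {p: Status.GRANTED for p in consented_purposes})
        self.records[subject_id] = rec
        self._log(subject_id, "collect", sorted(p.value for p in consented_purposes))
        return rec

    def permitted(self, subject_id, purpose):
        """The one question processing code asks. Unknown subject or purpose -> False."""
        rec = self.records.get(subject_id)
        return rec is not None and rec.permits.get(purpose) is Status.GRANTED

    def rectify(self, subject_id, **changes):
        self.records[subject_id].fields.update(changes)
        self._log(subject_id, "rectify", sorted(changes))

    def withdraw(self, subject_id, purpose):
        rec = self.records[subject_id]
        if purpose in rec.permits:
            rec.permits[purpose] = Status.WITHDRAWN
        self._log(subject_id, "withdraw", purpose.value)

    def restrict(self, subject_id):
        """Halt all processing without deleting anything."""
        rec = self.records[subject_id]
        for p, s in list(rec.permits.items()):
            if s is Status.GRANTED:
                rec.permits[p] = Status.RESTRICTED
        self._log(subject_id, "restrict", sorted(p.value for p in rec.permits))

    def export(self, subject_id):
        """Portability: everything held about the subject, including consent state."""
        rec = self.records[subject_id]
        self._log(subject_id, "export", sorted(rec.fields))
        return {"fields": dict(rec.fields), "permits": {p.value: s.value for p, s in rec.permits.items()}}

    def erase(self, subject_id):
        """Delete the record and return a receipt naming the fields removed (no values)."""
        rec = self.records.pop(subject_id)
        receipt = sorted(rec.fields)
        self._log(subject_id, "erase", receipt)
        return receipt


def process(ledger, subject_id, purpose, action):
    """Gate a processing step on a live permit check; returns None when not permitted."""
    if not ledger.permitted(subject_id, purpose):
        return None
    return action(ledger.records[subject_id].fields)


def demo():
    """Walk one constructed subject through the consent lifecycle; returns the observations."""
    ledger = ConsentLedger()
    ledger.collect("alice", {"email": "alice@example.com", "city": "Ghent"},
                   {Purpose.FULFILMENT, Purpose.MARKETING})
    out = {}
    out["marketing_ok"] = process(ledger, "alice", Purpose.MARKETING, lambda f: f["email"])
    out["analytics_ok"] = process(ledger, "alice", Purpose.ANALYTICS, lambda f: f["city"])  # never consented
    ledger.rectify("alice", city="Antwerp")
    ledger.withdraw("alice", Purpose.MARKETING)
    out["marketing_after_withdraw"] = process(ledger, "alice", Purpose.MARKETING, lambda f: f["email"])
    out["fulfilment_after_withdraw"] = process(ledger, "alice", Purpose.FULFILMENT, lambda f: f["city"])
    ledger.restrict("alice")
    out["fulfilment_after_restrict"] = process(ledger, "alice", Purpose.FULFILMENT, lambda f: f["city"])
    out["data_retained"] = "alice" in ledger.records          # restriction keeps the data
    out["export"] = ledger.export("alice")
    out["erase_receipt"] = ledger.erase("alice")
    out["after_erase"] = ledger.permitted("alice", Purpose.FULFILMENT)
    out["audit_events"] = [e[2] for e in ledger.audit]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices matter here. First, the default is deny: a purpose the subject never consented to, or a subject the ledger does not know, yields False, so a new processing feature cannot silently use data it has no permit for. Second, restriction is modelled as a distinct state rather than deletion, which is what the right to restrict processing requires: the data stays intact and the audit trail keeps growing, but every permit check fails until the restriction is lifted.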
In addition, the Ketch platform features:
And much more.
Get in touch today to learn more about how Ketch can help make your company fully GDPR compliant—with built-in futureproofing, and no headaches for either your developers or your policy team.