GDPR, or General Data Protection Regulation, was first approved by the European Union in April of 2016, later going into effect on May 25th of 2018. Upon introduction, it struck fear and worry into the hearts and minds of nearly everyone across the global supply chain. The regulation, while prudent and necessary, left a staggering number of businesses with a lot of leg work to do in order to comply, or else face unprecedented fines. For the first time ever, the sanctity and privacy of personal data were being taken seriously.
Now that we’re more than four years in, a lot of folks are asking, “Where do we stand, what do we need to know, and what’s next?” To help demystify things, our team has assembled our take on the current state of GDPR and what’s on the horizon.
Remind me: What is GDPR?
GDPR is a regulatory measure that was implemented by the European Union in an effort to protect the data and privacy of consumers living within the EU. GDPR places a strong burden on businesses that touch the data of EU residents and holds them accountable when they breach the regulations. It ultimately puts power back into the hands of the individual to determine how their data is collected, managed, and distributed. Similar regulations, such as California’s CCPA (California Consumer Privacy Act), have since been implemented in various regions around the globe in order to maintain a similar level of consumer privacy.
The entirety of the regulation can be found online. While the text is available to everyone with an internet connection, it is full of complex legalese, and it is highly recommended that you work with a certified GDPR compliance entity if you have questions about your involvement. As the regulation is addressed to EU member states, each is required to create its own national laws based on it, meaning the requirements for compliance may vary from nation to nation within the EU. Germany and Austria, for example, are more stringent in their implementation of GDPR and have far more legal cases and rules than other EU members.
The cost of non-compliance
The language within the regulation does not mince words, and the fines are significant. There are two tiers of fines spelled out within GDPR:
Severe infractions can cost a non-compliant business a fine of 20 million euros, or 4% of the firm’s global annual revenue, whichever amount is higher.
Minor infringements can cost a business 10 million euros, or 2% of the firm’s global annual revenue, whichever amount is higher.
The less severe infringements include violations of these sections of the regulation:
Controllers and processors (Articles 8, 11, 25-39, 42, and 43) - these articles ensure that entities that collect and control data are adhering to the rules governing data protection, and are doing so lawfully.
Certification bodies (Articles 42 and 43) - Certification bodies are accredited to certify organizations’ GDPR compliance through impartial evaluation and assessment. They must themselves follow GDPR and operate through a transparent and fair process.
Monitoring bodies (Article 41) - These entities handle complaints and reported infringements and must do so in an impartial and transparent fashion.
More severe infringements of GDPR include violating the basic right to privacy and the right to be forgotten, which are at the core of the regulation. These include violations of:
The basic principles for processing (Articles 5, 6 and 9) - Processing must be done in a legal, unbiased, and transparent fashion. Data must be collected and processed for a specific purpose, kept up to date, and processed in a way that ensures its integrity and confidentiality. Businesses may only process data if they meet one of the six legal bases listed in Article 6. Additionally, special categories of personal data, including racial origin, political opinions, religious beliefs, trade union membership, sexual orientation, and health or biometric information, may not be processed except under specific allowances.
The conditions for consent (Article 7) - When an entity’s data processing is consensual, that organization must have documentation to prove it.
The data subjects’ rights (Articles 12-22) - Individuals have the right to know what information a business is collecting about them and how it is being used. They must have the right to obtain a copy of the information collected, to have it corrected, and, in certain cases, to have it erased. Individuals must also have the right to transfer their data to another entity.
The transfer of data to an international organization or a recipient in a third country (Articles 44-49) - Before a company transfers any personal data to a third country or international organization, the European Commission must have decided that the country or organization ensures an adequate level of protection.
What fines have been assessed to date?
Make no mistake, the EU was not playing around when it introduced this regulation. The following are the top five fines that have been issued to date (as of November 2022):
Amazon ($823.9 million) - Amazon was found to be tracking user data without proper consent from users and without providing the means to opt out of this tracking. This is the largest GDPR fine to date.
WhatsApp ($247 million) - WhatsApp was fined for a lack of transparency and unclear policies regarding privacy and data collection.
Google Ireland ($99 million) - Google Ireland failed to provide users an easy way to disable cookies under GDPR’s ePrivacy Directive.
Google US ($66 million) - The US-based Google was fined for failing to give users simple ways to disable cookies on its YouTube service.
Facebook ($66 million) - Facebook was fined for failing to give users methods for refusing cookies while using its website.
The fines do not stop there. GDPR regulators have assessed over $1.2 billion in penalties since the regulation’s implementation in 2018. Needless to say, the regulation is something all businesses should take seriously.
How does GDPR affect my business?
Now that we’ve recapped the scariest elements of GDPR, we’re sure you still have the looming question, “How does GDPR affect me and my business?” The simple answer is that GDPR applies to organizations engaged in commercial or professional activities that involve the data of users residing within the EU. Have you ever simply collected the email address of someone residing in the EU? Then you’re handling GDPR data.
The scope of your involvement is clearly defined in Article 3 of the regulation, which says:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
What do I need to do to ensure compliance?
GDPR has many moving parts. While this information is intended to help you understand the basics, it by no means covers the large and ever-changing set of compliance requirements you may be facing. Ultimately, we recommend working with a GDPR specialist if you know you will be collecting and processing EU member data of any kind. At a minimum, the following steps apply:
Develop a data processing agreement. This clearly outlines what types of data you intend to store and identifies how you will process this information. This type of agreement ensures you are processing GDPR data legally and responsibly.
Develop a GDPR-friendly privacy policy. As GDPR is mostly about privacy, it should accurately state exactly how you collect and use the information you are storing.
Take the “right to be forgotten” clause of GDPR seriously. GDPR guarantees that anyone can request that their information be purged and forgotten, and you must be able to honor such a request without question or hesitation.
Know the scope of the data you are collecting. If you are collecting information, you need to be aware of its origins in case it involves EU member data. You will not be able to claim ignorance of the type of information you are collecting, storing, and potentially processing.
Implement a cookie management plugin. Liftoff supports cookie management plugins on your sites but does not bundle one natively, because our subscribers require the flexibility to choose such a tool themselves. The plugin ensures you are in fact limiting data collection to what the user has consented to.
Implement a breach plan. This means you have a formal document that outlines how you will manage a breach of information. Any document you create should be easily accessible to your employees and regular training should take place to ensure everyone knows how to properly handle data.
Train your staff. As mentioned above, training your employees on data protection will be key to your success with GDPR. It’s not enough to say you’re handling data properly; you must ensure that data is handled exactly as prescribed, or you could be infringing on GDPR’s core values.
How do I stay updated?
Since GDPR is a living and evolving regulation, it is subject to change. If you aren’t working with a dedicated GDPR compliance firm, we recommend that you keep an eye on newsgroups, including platforms such as Reddit. If you do not have a dedicated CSO or another individual in your organization who can interpret GDPR and properly manage GDPR data, we highly recommend engaging the services of a GDPR compliance firm to help ensure continuity of business.
In summary
GDPR, CCPA, and the many upcoming privacy-related regulations are to be taken seriously. If you are unsure whether or not you are working with GDPR-scoped data, you need to find out. While our team continues to ensure that Liftoff is GDPR compliant, that does not replace your responsibility to understand the requirements you must meet to be compliant. As always, reach out to our team if you have any questions or concerns. We can help steer you in the right direction based on your situation.