GDPR

The General Data Protection Regulation (GDPR) came into effect in May 2018. Some believe that this comprehensive privacy regulation is the most stringent in the world. The European Union (EU) calls the GDPR “an essential step to strengthening citizens’ fundamental rights in the digital age and facilitating business […]”

Here’s an explanation of some of the GDPR’s most critical components and how they’ll affect organizations and people worldwide.

GDPR and the EU

The EU has 27 member states, and the GDPR applies to all of them.

Your firm may not be headquartered in the European Union. According to the European Commission, the GDPR still applies if you’re “offering goods or services (paid or for free) or monitoring the behavior of individuals in the EU.”

Processing personal data
GDPR governs the processing of “personal data.” This may not sound like something you do, but the term is very broad.

Anything that has the potential to identify a specific person is considered personal data. Despite the absence of a comprehensive list, we can infer from the extensive body of EU legislation, regulation, and case law that certain items may qualify as personal data:
Name
Telephone number
Email address
Information about appearance or conduct
Browser data, such as specific cookies
Processing is an even broader concept. The GDPR defines “any operation” on personal data as processing. It’s difficult to envision anything you might do with someone’s personal information that wouldn’t involve “processing.” Examples include:
Keeping a collection of names and emails
Sending a direct marketing email
Getting someone’s name and phone number from a third person
Using specifically targeted cookies on your site
Data controller and processor
In Article 4, the GDPR distinguishes between “data controllers” and “data processors.”

A data controller is a person or entity that “determines the means and purposes” of processing personal data.
A data processor is an individual or organization that “processes personal data on behalf of the controller.”
To put this in perspective, if your website sells shoes and accepts payments using an e-commerce platform such as Shopify, you are the data controller, while Shopify is the data processor.

If your company employs five people and pays them using payroll software like ADP, you are the data controller, while ADP is the data processor.

Controllers and processors share the following responsibilities:

Complying with the GDPR
Appointing a Data Protection Officer (DPO) when necessary
Cooperating with data protection authorities
Controllers’ duties include the following:

Identifying a legal basis for data processing
Creating a privacy policy
Facilitating data rights
Choosing and contracting with only GDPR-compliant data processors
Processors’ duties include the following:

Rigorously adhering to the agreements they have with their data controllers
Subcontracting to other processors only with the controller’s authorization
Assisting controllers with data rights
Data processing in the EU must adhere to the six principles outlined in Article 5 of the GDPR:

Lawfulness, Fairness, and Transparency
Article 5(1)(a) mandates the lawful, fair, and transparent processing of personal data in relation to the data subject.

You cannot handle personal data in the EU unless you use one of the six legitimate bases stated in Article 6(1) of the GDPR. You should only handle people’s personal data in a fair and non-misleading manner that they would reasonably expect. You must be honest about all of your data processing operations and have a clear and comprehensive privacy policy.

Purpose Limitation
Article 5(1)(b) states that one may only “collect personal data for specified, explicit, and legitimate purposes and not further process in a manner that is incompatible with those purposes.”

You can only treat people’s personal data in ways that they have consented to or would reasonably anticipate, and only for the reasons for which it was collected.

Data minimization
Article 5(1)(c) requires that personal data be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.”

Once you understand why and how you will handle people’s personal data, you can only process the data required to do so. To send someone an email, you do not need to know their phone number.

Accuracy
The provisions of Article 5(1)(d) require that personal data be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”

Keep your records accurate and up-to-date, and have a procedure in place to fix any errors.

Storage Limitation
According to Article 5(1)(e), “personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

You should only retain personal information for as long as it is reasonably necessary. You should not save the email address of someone who purchased something from your shop 10 years ago.

Integrity and Confidentiality
Article 5(1)(f) mandates the secure processing of personal data, which includes safeguarding against unauthorized processing and accidental loss, destruction, or damage through appropriate technical or organizational measures.

Keep personal data secure, anonymize and encrypt it whenever possible, and cooperate with the EU’s data protection authorities. If anything happens to your users’ personal data, you must notify them within 72 hours.

Lawful basis for processing under the GDPR
Article 6 states that you may only process personal data if you have established one of the six valid bases for doing so. The EU prohibits processing personal data without a legal basis.

Consent
Consent is an important aspect of the GDPR. One of the most significant changes it brought about was the strict requirements it imposed on businesses seeking their users’ permission. Article 7 and Recital 43 of the GDPR specify some of the requirements for consent.

Asking for your users’ consent before processing their data is one way to ensure that you are doing so lawfully. This is required for some types of processing, such as direct marketing to new clients. However, it isn’t always the best option.

The following are crucial requirements for consent to be considered legitimate:

Freely given: You cannot coerce someone into consenting or impose an unjustified disadvantage on them if they refuse.
Affirmative: A clear, intentional action is required. “Browsewrap” agreements, where consumers gave approval simply by visiting a website, are no longer permitted. In most cases, “clickwrap” is now required, in which consumers explicitly consent to conditions by clicking “I agree.”
Opt-in: Failing to opt out no longer constitutes consent. There can be no more pre-checked boxes.
Granular: If you’re asking users to agree to various sorts of data processing, such as making a payment, creating an account, and receiving your newsletter, you must ask them to consent to each one separately.
Revocable: Your users should be able to easily withdraw their consent; in fact, Article 7 of the GDPR states that it should be “as easy to withdraw as to give consent.”
Contract
If you have a contract with someone, you may be unable to fulfill it unless you treat their personal data in a certain manner. Alternatively, you may need to handle someone’s personal data in order to determine whether to engage in a contract with them. If you’re going to provide someone with health insurance, you may need to maintain some of their medical data on file.

Legal Obligation
You may have a legal obligation to process someone’s personal data in a certain manner. For example, you may have to disclose your workers’ immigration status to border officials or comply with a court order.

You must be able to justify processing your users’ personal data in this manner. A legal obligation does not mean doing whatever the state tells you to do with their data.

Vital Interests
It is legal to handle someone’s data in a certain manner if it is necessary for their survival. Article 6(1)(d) of the GDPR allows for the processing of personal data where it is required to “protect an interest which is essential for the life of the data subject or that of another natural person.”

This may seem unusual, but it is possible that a surgeon needs emergency access to an individual’s medical information, and the patient is unable to agree.

Public Task
Working for a public or private entity with legal authority may allow you to handle personal data to fulfill tasks in the public interest. This could apply to actions such as voter registration.

Legitimate interests
You may be able to rely on legitimate interests as a basis if the processing:

Serves your organization’s legitimate interests
Is necessary for that purpose
Is not overridden by your users’ rights and interests
There are several situations in which processing personal data may be in your legitimate interests. For example, a law firm may need to retain records of legal advice it provided in case a client sues it for negligence. This is true whether or not the client gave permission.

Individual Rights Under the GDPR
The GDPR provides people with a lot of control over their personal data. There are eight rights, and as a data controller, you are responsible for helping people exercise them.

Right to be Informed
Article 12 of the GDPR requires you to supply full information about your data processing activities in a readily accessible manner, using plain language. You may comply with this right by establishing an openly available and legally binding privacy policy.

Right of access
Your users may request information about any of their personal data that you are processing under Article 15 of the GDPR. This is known as a Subject Access Request (SAR). They may ask you to confirm whether you are actually processing their personal data, and they may also ask you to provide a copy of it.

Right to Rectification
Under Article 16 of the GDPR, your users may request that you fix any mistakes in your records about them. The user’s claim may itself be incorrect, and if it is, you may refuse to modify their information.

Right to Erasure
Article 17 of the GDPR includes the “right to be forgotten.” There is considerable public confusion concerning this right. It does not entitle any person to have any references to themselves removed from your website. You still have the right to free speech. However, you will need to consider wiping personal data in specific scenarios.

Right to Restrict Processing
Article 18 of the GDPR gives people the right to request that you cease processing their personal data in a specific manner. For example, suppose a person changes power providers and requests that the previous company delete all of their personal information. However, the former provider is legally obligated to keep their information on file for eight years. Instead of erasing it, the provider can restrict processing to prevent inappropriate use of the individual’s data.

Right to Data Portability
People should be able to obtain a copy of their personal data from you and transfer it to another organization, as per Article 20 of the GDPR. This is consistent with the fundamental concept that people should actually own their personal data.

Right to Object
Individuals have the right, under Article 21 of the GDPR, to object to your processing of their personal data. This is particularly clear in the case of direct marketing: your customers may object to receiving direct marketing from you, and there are no exceptions.

Other grounds for objection are more sophisticated, and you may be able to refuse to halt specific forms of data processing in certain situations.

Rights Relating to Automated Decision Making
Under Article 22 of the GDPR, individuals have the right to seek human involvement if algorithms or profiling make critical judgments about them.

For instance, if a computer decides to turn off a person’s electricity because they didn’t pay their bills, that person may ask for a human to review the decision.

The GDPR Privacy Policy
Anyone who is subject to the GDPR needs a privacy policy. Article 12(1) of the GDPR mandates the provision of information “in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.” This means no legalese. Write it for the people who need to read it: your users.

Your privacy policy must contain:

The contact information for your firm and for your data protection officer, if you have one
The types of personal data you process, including cookies
The legal basis and grounds on which you process personal data
The ways in which you handle personal data
Whether you share data with other parties
Individuals’ data rights
Whether you send your users’ personal data to any non-EU countries
Adapting to the GDPR
The GDPR resulted in major changes, especially for non-EU enterprises. However, complying with these changes will make your privacy practices transparent, fair, and reasonable.

Make sure you:

Obey the GDPR’s privacy principles.
Only process personal data legitimately.
Obtain unambiguous, proactive permission for direct marketing.
Help your users exercise their data rights as requested.
Keep your privacy policy clear and concise.
