GDPR stands for General Data Protection Regulation. It is the European Union's data protection law. It sets out rules on personal data designed to give people in the EU more control over their personal data.
It applies to all organisations established in the EU, as well as to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour.
Why is the GDPR important?
TLDR: It protects users and gives them control in the face of a trillion-dollar data-selling industry. If you get it wrong, expect a big fine.
Today almost every service we use collects our data. From social media companies to banks, retailers and governments, every service relies on collecting and analysing personal data.
They collect data they ask us for (contact details, work-related data...) but also data we never knowingly hand over, such as IP addresses and browsing behaviour.
Before the GDPR, a company could do more or less whatever it wanted with this data. Today that has changed: the GDPR limits what companies can do with that information.
The reason companies have toned it down is the fines. GDPR fines can reach €20 million (about $25 million USD) or 4% of the company's global annual turnover, whichever is higher, and the average fine for an SME is around €40,000.
Do you need to comply with the GDPR?
If you're a business with an online component, the answer is yes 95% of the time. Here's the TLDR:
Do you process personal data?
Personal data is any information that can be used to identify a living individual directly or indirectly. For example: name, email address, passport number, date of birth...
There's a catch:
A piece of data doesn't have to be an obvious identifier to be personal data. Take a stormtrooper with a shoulder pad. Say we know the ID of every stormtrooper and we also know whether each one wears a shoulder pad.
If only one trooper in the group wears a shoulder pad, we can pick that stormtrooper out directly! So data that isn't obviously personal can still be personal data, because it identifies people indirectly, and whether it does depends on the rest of the dataset it sits in.
Stormtrooper ID -> identifies them directly
Do they have a shoulder pad -> doesn't identify them directly
If we have a group in which only 1 stormtrooper has a shoulder pad:
Do they have a shoulder pad -> singles them out, so it identifies them
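The shoulder-pad point generalises to any dataset: a column that looks harmless can single someone out once you look at how many records share each value, and two harmless columns combined can do so even when neither does alone. The script below is an added example (not from the article) of that check, a basic k-anonymity test: it groups the records by every combination of candidate quasi-identifier columns and reports the combinations for which some group has fewer than k members. The stormtrooper records, the column names (stormtrooper_id, shoulder_pad, squad, blaster) and the default k=2 are constructed for the illustration.

```python
"""
Added example (not from the original article): test whether columns that look
harmless become identifying in a given dataset (a k-anonymity check).

The direct identifier (stormtrooper_id) is deliberately left OUT of the check;
the question is whether the remaining columns identify someone on their own.
"""
from collections import Counter
from itertools import combinations

# Constructed sample data for the illustration (not real records).
RECORDS = [
    {"stormtrooper_id": "TK-421", "shoulder_pad": True,  "squad": "A", "blaster": "E-11"},
    {"stormtrooper_id": "TK-422", "shoulder_pad": False, "squad": "A", "blaster": "E-11"},
    {"stormtrooper_id": "TK-423", "shoulder_pad": False, "squad": "A", "blaster": "E-11"},
    {"stormtrooper_id": "TK-424", "shoulder_pad": False, "squad": "B", "blaster": "E-11"},
    {"stormtrooper_id": "TK-425", "shoulder_pad": False, "squad": "B", "blaster": "DLT-19"},
]

# Candidate quasi-identifiers: none of these is an identifier by itself.
QUASI_IDENTIFIERS = ("shoulder_pad", "squad", "blaster")


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def min_group_size(records, columns):
    """Smallest equivalence class: the k for which the data is k-anonymous on `columns`."""
    return min(group_sizes(records, columns).values())


def singling_out_combinations(records, columns, k=2):
    """
    Return every combination of `columns` (from single columns up to all of them)
    for which at least one value combination is shared by fewer than k records.
    Each such combination can be used to identify somebody indirectly.
    """
    risky = []
    for n in range(1, len(columns) + 1):
        for combo in combinations(columns, n):
            if min_group_size(records, combo) < k:
                risky.append(combo)
    return risky


def identified_subjects(records, columns, id_column="stormtrooper_id"):
    """Return the ids of the records that are uniquely determined by `columns`."""
    sizes = group_sizes(records, columns)
    return sorted(
        r[id_column] for r in records
        if sizes[tuple(r[c] for c in columns)] == 1
    )


if __name__ == "__main__":
    # Report which harmless-looking columns single out which troopers.
    for combo in singling_out_combinations(RECORDS, QUASI_IDENTIFIERS):
        print(f"{' + '.join(combo)} singles out: {identified_subjects(RECORDS, combo)}")
```

On this sample, "squad" alone is safe (every squad has at least two members), but "squad" together with "blaster" singles out two troopers, which is exactly the indirect identification the article describes. In a real review you would run the same check over the columns you intend to publish or share, after removing the direct identifiers, and treat every reported combination as personal data.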
Do you offer services in the EU?
1. Your company is based in the EU and processes the personal data of EU citizens or residents.
2. Your company is not based in the EU but offers products or services to EU citizens or residents, or monitors their behaviour.
What does it mean to "offer products or services"?
Some interpretations hold that having a website in the language of a member state (Spanish, French...) can be enough to count as offering products or services, especially when combined with other signals such as prices in euros or delivery to EU countries.
GDPR Compliance Checklist
The best practices, or the minimum set of steps to ensure compliance with the GDPR, are as follows:
Step 1 - List all the personal data categories you use
Financial Data (credit card number, bank account number...)
Household and Relationships Data (emergency contact, marital status...)
Identifiers and Legal Documents (Public Health Number, Passport Number, Proof of Residence)
Activity and Behavioural (Follower list, Friend Requests...)
Personal Characteristics (Sex, Nationality...)
Location Data (GPS Location, tracking data...)
Communications Data (Instant messaging, social media posts about an individual)
Images and Recordings (CCTV Footage, images, videos...)
Views and Opinions (Survey responses, testimonials...)
Work-related Data (details of grievance, disciplinary proceedings...)
Technical Identifiers (IP addresses, MAC addresses...)
Step 2 - List all the Sensitive Personal Data Categories that you use
Here's a list of sensitive personal data categories, also called special category data, which the GDPR singles out for stricter rules:
Racial or Ethnic Origin
Sexual Orientation Data
Religious or Philosophical Beliefs
Trade Union Membership
Sex Life Data
The regulation's full list also includes political opinions, genetic data, biometric data used to identify a person, and data concerning health.
Step 3 - List all the categories of individuals (or data subjects) that you process data from
Children (under the age of 16, the GDPR's default age of digital consent)
Children (under the age of 13, the lowest age a member state may set instead)
Step 4 - Write out all the purposes for which you use data
Offering your goods and services
B2B Email Marketing
Step 5 - Put all the above steps together.
For every purpose for which you process data, write down whose data you're processing (the category of individual) and which data you're processing (the personal data categories and the sensitive personal data categories).
Repeat this for every purpose, every category of individual and every category of personal data.
Step 6 - Choose a legal justification (sometimes called legal basis)
For every purpose, individual and category combination you must choose the right legal justification so that you are processing the data lawfully.
We have written a blog post about that here: https://www.privasee.co.uk/post/gdpr-legal-basis
Users must be able to read it before any data is collected from them.
Step 9 - Review these steps every quarter
GDPR compliance is an ongoing process. As your company grows it can change a lot from one quarter to the next, and so does the data you hold.
This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.