Everything you need to know about the General Data Protection Regulation (EU) 2016/679 commonly known as GDPR plus GDPR compliance!
Warning. There’s a new four-letter acronym in town. No, it’s not a swear word. Until recently, no-one had heard of it, but now everyone is talking about it. And it’s getting people really worked up.
GDPR. Or more correctly, EU GDPR.
It’s a new privacy law from Europe that potentially affects everyone from beginning bloggers to big businesses and promises heavy fines for those who don’t comply.
This is what I mean.
If you’re a blogger or other online business person.
If you have an email list.
If you collect, process or hold any other personal data for people on your list or members of your tribe. And if anybody on your list is a citizen of the European Union (EU), then the GDPR (EU GDPR) applies to you. And a breach of the EU GDPR can close your business and bankrupt you!
More about that in a moment.
But first, some more information about the EU GDPR.
What’s the EU GDPR?
The General Data Protection Regulation (EU) 2016/679 is a regulation under EU law on data protection and privacy for all individuals within the European Union. It was adopted on April 14, 2016, and after a two-year transition period, becomes enforceable on May 25, 2018. The EU GDPR replaces the 1995 Data Protection Directive. Because the EU GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
The EU GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It also addresses the export of personal data outside the EU.
When does the EU GDPR apply?
The EU GDPR applies if the data controller (an organisation that collects data from EU residents), the processor (an organisation, such as a cloud service provider, that processes data on behalf of a data controller), or the data subject (the person) is based in the EU.
Under certain circumstances, the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. See, for instance, Article 3(2), which provides as follows:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Who does the EU GDPR apply to?
- The EU GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the EU GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the EU GDPR places further obligations on you to ensure your contracts with processors comply with the EU GDPR.
- The EU GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The EU GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What information does the EU GDPR apply to?
Personal data
The EU GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The EU GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the EU GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The EU GDPR refers to sensitive personal data as “special categories of personal data”. This is provided for under Article 9. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing under Article 10.
Main responsibilities of Organisations
Under the EU GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the EU GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the EU GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The Rights of Individuals
The EU GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Lawful basis for processing Data Under the EU GDPR
Under the EU GDPR, you must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing.
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
It is important to note the following salient points:
- No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
- Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
- You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason.
- Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
- If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
- If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
- If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
Consent Under the EU GDPR at a Glance
For most on-line business owners including bloggers, coaches, authors, copywriters, on-line marketers and social media practitioners, consent will be the most applicable lawful basis for holding personal data. Because of that, I intend to zero in on consent in this blog post.
The EU GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
- Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third party controllers who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent to processing a precondition of a service.
- Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.
EU GDPR Consent Checklist
Asking for consent
☐ We have checked that consent is the most appropriate lawful basis for processing.
☐ We have made the request for consent prominent and separate from our terms and conditions.
☐ We ask people to positively opt in.
☐ We don’t use pre-ticked boxes or any other type of default consent.
☐ We use clear, plain language that is easy to understand.
☐ We specify why we want the data and what we’re going to do with it.
☐ We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.
☐ We name our organisation and any third party controllers who will be relying on the consent.
☐ We tell individuals they can withdraw their consent.
☐ We ensure that individuals can refuse to consent without detriment.
☐ We avoid making consent a precondition of a service.
☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
Recording consent
☐ We keep a record of when and how we got consent from the individual.
☐ We keep a record of exactly what they were told at the time.
Managing consent
☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.
☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.
☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.
☐ We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
☐ We act on withdrawals of consent as soon as we can.
☐ We don’t penalise individuals who wish to withdraw consent.
What is a personal data breach under the EU GDPR?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Examples of data breach
Personal data breaches can include:
- Access by an unauthorised third party;
- Deliberate or accidental action (or inaction) by a controller or processor;
- Sending personal data to an incorrect recipient;
- Computing devices containing personal data being lost or stolen;
- Alteration of personal data without permission; and
- Loss of availability of personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Don’t go out of Business: Understanding the fines and penalties
The EU GDPR imposes stiff fines on data controllers and processors for non-compliance. The fines are administered by individual member state supervisory authorities. The following 10 criteria are to be used to determine the amount of the fine on a non-compliant organisation:
- Nature of infringement: number of people affected, damage they suffered, duration of infringement, and purpose of processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
- History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type: what types of data the infringement impacts; for example, whether it relates to special categories of personal data
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement
Amount
If an organisation infringes on multiple provisions of the EU GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalised for each provision.
There are two levels of fines available:
Lower level
Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
- Controllers and processors under Articles 8, 11, 25-39, 42, 43
- Certification body under Articles 42, 43
- Monitoring body under Article 41(4)
Upper level
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
- The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
- The data subjects’ rights under Articles 12-22
- The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
- Any obligations pursuant to Member State law adopted under Chapter IX
- Any non-compliance with an order by a supervisory authority
NOW your turn:
Do you process personal data? Does the EU GDPR apply to your business? What steps are you taking to protect your business interests? Click here to leave a comment.
Disclosure of material connection
Some of the links in this article are “affiliate links” as defined by the FTC. This means if you click on the link and purchase the item, Astute Copy Blogging will receive an affiliate commission, at no additional cost to you. However, please note that we only recommend the best products and services.
Ryan Biddulph says
Excellent breakdown Pedro. Still trying to wrap my head around disclosure as a US blogger. Because I do have some European readers but wonder: how can the EU enforce fines for bloggers in the United States? If they work with US authorities I reckon they can….and I wish them the best of luck on that LOL. I will likely be compliant soon though, for disclosure. So I do not look like a cookie monster hehehehe….
Ryan
Pedro Okoro says
Hi Ryan,
Thanks for visiting us here at Astute Copy Blogging. What an honor to see here Ryan!
Yes, the GDPR is a strange one particularly for Bloggers outside the European Union who have European residents on their lists and as part of their tribes. How can they enforce the fines if there is a breach? Well the point is, if they choose to they can always enforce it. They’ve shown that with the big guns like Facebook. But best to be compliant. I think it’s good practice – if nothing else!!
Thanks again Ryan.
Best regards,
Pedro
Liton Biswas says
Hey Pedro,
Well written and you’ve explained the thing very nicely.
Thank you.
Pedro Okoro says
Hi Liton,
Thanks for stopping by. Glad you found the blog post interesting and useful.
Best regards,
Pedro
Christen says
Thanks Pedro! Really informative post on all things GDPR. I have just revised my privacy policy and installed the WP GDPR plugin. Currently researching if I need to take additional steps to be compliant!
Pedro Okoro says
Hey Christen,
Thanks for stopping by and joining our conversation on the GDPR 🙂 Glad you found it informative, and super excited you’ve updated your privacy notice and even installed a GDPR plugin. Way to go girl!!!
Best regards,
Pedro
Nina | Lemons and Luggage says
From what I understand, bloggers who don’t make any money off of their blogs should be fine, but, certainly, it’s always better to be compliant.
Pedro Okoro says
Hi Nina,
Thank you for visiting us here at Astute Copy Blog. Not sure you have to make money to be compliant with the GDPR! My understanding is, as long as you process data of EU residents, you need to comply.
Best regards,
Pedro
kikaysikat says
Learned a lot today thanks to your article!
Pedro Okoro says
Glad you liked it!
Jenna McFarland says
Thank you SO much for breaking this down and putting it in laymen’s terms!! This has been so confusing and I’ve read so many posts about how and if the GDPR will affect me!!
Pedro Okoro says
Hey Jenna,
Thank you for visiting us here at Astute Copy Blogging. Really glad you found the blog post on GDPR easy to understand, and useful!
Best regards,
Pedro
Kristen Frolich says
I had no idea about these details. As a blogger, I look forward to reading more about your insight on this topic so I can make my blog better and always more secure.
Pedro Okoro says
Hi Kristen,
Glad you found the article useful. Would be delighted to help you in your blogging journey in any way we can. Just ask!!
Best regards,
Pedro
ryan says
Thanks for sharing GDPR information! It is so helpful!
Pedro Okoro says
Glad you found it useful.
Blair says
This is very informative and helpful information. It is sometimes difficult to find the information you need to fund an online business. Usually we are not even aware of what we need to know until someone shares helpful bits like this.
Pedro Okoro says
Hi Blair,
Thanks so much for stopping by here at Astute Copy Blogging. Super delighted you found it informative and helpful.
Best regards,
Pedro
HilLesha says
I was a little confused when I first heard about this, but thanks for breaking everything down. This article was very helpful!
Pedro Okoro says
Hello HilLesha,
Delighted you found this post about GDPR helpful.
Best regards,
Pedro
Stephanie Jeannot says
Oh wow. This is important information to take note of. I had no idea.
Pedro Okoro says
Glad you found it helpful 🙂
Emmeline says
Thank you for this guide! There is so much to navigate with GDPR and no one seems to know exactly what is necessary…
Pedro Okoro says
Delighted you found it helpful 🙂
maysz says
Wow, very detailed explanation. I made this for my blog privacy policy. Thanks for sharing
Pedro Okoro says
Delighted you liked it 🙂
Elizabeth O says
Pedro, this is very informative and helpful information. You’ve explained GDPR very nicely!
Pedro Okoro says
Hi Elizabeth,
Thanks for stopping by. Delighted you found it useful 🙂
Best regards,
Pedro
Rosey says
There are so many things to learn and know. It’s always so nice to come across something that really helps.
Pedro Okoro says
Glad you loved it 🙂
Lyosha says
Your write-up on GDPR is very complete and detailed. Practically I believe you have covered any question I might possibly have. Thanks!
Pedro Okoro says
Hi Lyosha,
Really glad you found the blog post complete and detailed.
Best regards,
Pedro
Sincerely Miss J says
Thank you so much for sharing this. This is super helpful for everyone who owns an online platform.
Pedro Okoro says
Delighted you found it helpful 🙂
Sudip Saha says
Thanks for the comprehensive analysis on GDPR. Wish I came across this page earlier.
Pedro Okoro says
Glad you found it useful 🙂
Bindu Thomas says
This is really a helpful one. You’ve explained all the things deeply and easily. Thank you for this guide!
Pedro Okoro says
Glad you found it helpful 🙂
Ashley Rice says
This is an area that I feel like I have so much to learn. Thank you for all of this thorough information! It is super helpful!
Pedro Okoro says
Hi Ashley,
Pinterest is a gold mine for any discerning blogger who wants to supercharge their blog traffic. Delighted you found the blog post helpful.
Best regards,
Pedro