What is the GDPR?
The General Data Protection Regulation (GDPR) is the major privacy legislation in the European Union. It upholds people’s data rights and requires businesses to process personal data only in limited and controlled ways. The way the law applies means it can and does affect businesses around the world.
History of the GDPR
The first major European law on privacy was the Data Protection Directive of 1995. This was followed by the Privacy and Electronic Communications Directive 2002, commonly known as the ePrivacy Directive. These aimed to protect the right to privacy through specific measures, with the latter taking account of changes in technology.
Both were directives, meaning a set of principles that EU countries had to incorporate into their domestic law. The GDPR went a step further as it is a regulation. This meant that when it took effect in 2018, it had immediate legal force in all EU countries.
Although the United Kingdom left the EU in 2020, at the time of writing the GDPR’s measures are broadly replicated through the UK’s national laws.
What Are the GDPR's Goals?
The GDPR formally sets out its goals in its first seven recitals. These are notes designed to explain and clarify the legal measures in the law’s articles. Key goals include:
- Protecting people’s personal data as a fundamental right.
- Standardizing data protection rules across the EU.
- Balancing people’s data rights with other fundamental rights such as free speech.
- Protecting data while still allowing it to cross national borders.
- Giving people and businesses certainty about their rights and responsibilities regarding data.
Key Terms: What are Data Controllers, Processors, and Subjects?
What is a Data Controller?
Under the GDPR, a data controller is the person or entity that determines how and why personal data is collected and used. A data controller can be an individual, a private company, or any other legal entity. Controllers are held to the strictest standard of GDPR compliance and are also responsible for the compliance of any data processors they use to process data on their behalf.
What is a Data Processor?
Under the GDPR, a data processor is defined as a legal entity or individual that processes personal data on behalf of a data controller, according to the controller's instructions.
What is a Data Subject?
A data subject is an individual to whom personal data relates.
What Rights does the GDPR Establish for Data Subjects?
Articles 12 through 22 of the GDPR set out eight fundamental data subject rights:
- The right to be informed (articles 12-14) about how their data is collected and used. This covers the following:
  - Your identity and contact details as the data controller (the person or organization that decides what data to process and how) and those of your data protection officer.
  - The purpose for collecting the data.
  - The legal basis for collecting the data.
  - Who, if anyone, you share the data with.
  - Whether you transfer data outside the EU and, if so, how you protect it.
  - How long you keep the data.
  - Whether providing the data is a legal or contractual requirement.
- The right to access data (article 15). Data subjects (the people the data is about) can ask whether you process their data and, if so, how and why you do so.
- The rights to rectify information (article 16), erase information (article 17) or stop processing (article 19). Data subjects can ask you to correct any errors and erase information that is no longer needed for the original purpose or was processed based on consent that the data subject has now withdrawn. In some circumstances, the subject can also ask you to keep the data but stop processing it. If any of these three rights apply, you must tell anyone you’ve shared the data with.
- The right to data portability (article 20), that is, the right to get a copy of the data or to ask you to pass it on to a third party. The copy must be in a commonly used format, hence the name “right to data portability.”
- The right to object to processing you carry out on the basis of public interest or legitimate grounds (article 21). In most cases, you must either stop the processing or show why your right to process overrides the data subject’s rights. If the objection is to processing for direct marketing you must always stop.
- The right to not be subjected to automated decision-making such as profiling unless legally necessary (article 22).
Article 23 says countries can pass laws to limit some of these rights but only in very specific circumstances, for example for security or defense reasons.
What is the Scope of the GDPR?
Material Scope - What is Personal Data Under the GDPR?
Article 2 of the GDPR sets out its material scope, namely that it applies to the processing of personal data that is done entirely or mainly by automated means. So what is defined as personal data?
Article 4 explains that personal data means any information that relates to a human who can be identified. It also notes that processing means any use of data. This includes collecting it, sharing it and even destroying it.
Territorial Scope - Where Is the GDPR Applied?
Article 3 of the GDPR sets out its territorial scope, namely that it applies in any of five situations:
- The data subject is in an EU country or is an EU citizen.
- The data processor is established in an EU country. This could be a physical or legal presence such as a subsidiary company.
- The processing relates to offering goods or services to somebody in the EU or monitoring their behavior.
- The processing takes place in an EU country, for example in a data center.
- The data processor is subject to an EU country’s laws.
Does My Organization Need to Comply with the GDPR?
If the material and territorial scopes both apply, you must comply with the GDPR regardless of your location or status.
What are the Consent Management Requirements of the GDPR?
The overriding principle of the GDPR is that you can only process personal data when a lawful basis applies, as listed in article 7. In most cases, consent from the data subject is the most relevant basis. (A business could also use “legitimate interests” but only if they can show the interests outweigh the individual’s GDPR rights.)
To rely on the consent basis, and thus make your processing lawful, you must get consent before processing data in any way, including collecting data in the first place.
What is Valid Consent Under the GDPR?
Article 7 of the GDPR sets out the conditions for consent to be valid. The key principle is that it is up to you to prove consent. You can never assume consent and leave it to the data subject to opt out.
You must request consent with clear and understandable wording, and the data subject must give a clear and active signal that they consent.
Consent must be based on a genuine choice. You can’t make consent mandatory to access or receive a service unless the processing in question is the only way to provide the service.
Data subjects can withdraw consent at any time. You must then stop any processing based on this consent. (The previous processing before the withdrawal remains lawful.)
GDPR Cookie Banner Requirements
Since the GDPR came into force, several court rulings and regulatory decisions have clarified how it works in particular situations. This includes the way you gather consent to issue cookies. A cookie comes under the GDPR if, either by itself or combined with other information you collect, it identifies an individual.
Some of the key points established by rulings about cookies and cookie banners are:
- You can’t issue cookies on an opt-out basis.
- You can’t use a “cookie wall” (making the site inaccessible to users who don’t accept non-essential cookies) as this violates the need for consent to be a meaningful choice.
- You should make consent specific by letting users give or refuse consent to different types of cookies, for example those for different purposes.
- You can’t use pre-ticked checkboxes or toggles set to “accept” as this doesn’t produce unambiguous consent.
- You can’t treat scrolling down a page as a signal of consent.
Preference Enforcement
Consent is a crucial piece of global privacy laws like the GDPR, but compliance doesn’t end with consent. In order to maintain compliance, user preferences must be upheld and enforced. Articles 6 and 7 of the GDPR have the combined effect that if you rely on consent for lawful processing and the data subject then withdraws consent, the processing is no longer lawful and you must stop immediately. You cannot switch to using a different lawful basis. Likewise, no tracking or processing can occur prior to opt-in.
This means the only way to be certain your cookie use remains lawful is to enforce user preferences in real time, so that when a user changes their cookie choices (and thus their consent) there is an immediate and automatic effect on how your site operates.
To address this, most commercial Consent Management Platforms employ a series of APIs that rely on the orchestrated cooperation of third parties to ensure that a user’s privacy selections are respected. Unfortunately, this solution falls short of true GDPR compliance. The nature of relying on third parties for preference enforcement means that real-time enforcement is not possible, and the timeline for enforcement is murky at best. But, per article 18 of the GDPR, any data processing related to marketing must cease immediately when a user objects or opts out. Any lag between opt-out and the cessation of tracking is non-compliant with the law.
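The consent rules above (denied by default, granted only by an explicit action, per category, and withdrawal enforced at once rather than relayed to a third party) can be modelled in a single consent gate. The following is an added example, not code from the article or from any consent management platform; the cookie jar is a constructed Map standing in for the browser's document.cookie, and the category names are assumptions.

```javascript
// Added example: a consent gate that keeps non-essential processing off until an
// explicit opt-in and purges it in the same call that records the withdrawal.
// The Map cookie jar and the category names are constructed stand-ins.
const CATEGORIES = ["necessary", "analytics", "marketing"];

class ConsentGate {
  constructor(cookieJar) {
    this.jar = cookieJar;   // Map: cookie name -> category
    // Default state: nothing non-essential is allowed. No pre-ticked "accept".
    this.state = { necessary: true, analytics: false, marketing: false };
    this.log = [];          // record of every grant/withdrawal: your proof of consent
  }
  // Called only from an explicit user action in the banner; never from scrolling
  // or a timeout, since those are not an unambiguous signal of consent.
  grant(categories, evidence) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      this.state[c] = true;
    }
    this.log.push({ action: "grant", categories: [...categories], evidence, at: Date.now() });
  }
  // Withdrawal takes effect immediately: flip the flag and drop the category's
  // cookies here, with no dependence on a third party acting later.
  withdraw(categories) {
    for (const c of categories) {
      if (c === "necessary") continue;  // strictly necessary cookies are not consent-based
      this.state[c] = false;
      for (const [name, cat] of this.jar) if (cat === c) this.jar.delete(name);
    }
    this.log.push({ action: "withdraw", categories: [...categories], at: Date.now() });
  }
  // Every tracker goes through this gate; without consent the cookie is never set.
  setCookie(name, category) {
    if (this.state[category] !== true) return false;
    this.jar.set(name, category);
    return true;
  }
}

// Walk-through with constructed cookie names.
function demo() {
  const jar = new Map();
  const gate = new ConsentGate(jar);
  const beforeOptIn = gate.setCookie("site_analytics_id", "analytics"); // blocked: no opt-in yet
  gate.grant(["analytics"], "clicked 'Accept analytics' in the banner");
  const afterOptIn = gate.setCookie("site_analytics_id", "analytics");  // allowed
  const marketing = gate.setCookie("ad_campaign_id", "marketing");      // blocked: consent is per category
  gate.withdraw(["analytics"]);                                         // cookie removed at once
  return { beforeOptIn, afterOptIn, marketing, cookiesLeft: [...jar.keys()], log: gate.log };
}
```

The log array is what lets you demonstrate, later, that consent existed for a given category at a given time, which is the burden of proof article 7 places on you.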
Want to know more about GDPR compliance and consent management? Check out these articles:
- GDPR Cookie Compliance 101: How to Manage EU Users' Consent
- Nine Common GDPR Cookie Banner Mistakes
- User Preference Enforcement and GDPR Compliance
- Is Browser Fingerprinting GDPR Compliant?
- Is Cohort-based Marketing GDPR Compliant?