The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Key Principles of GDPR
The GDPR establishes six key principles relating to personal data processing:
Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. This means there must be a lawful basis for processing the data, data subjects must be informed about how their data is being used, and personal data must not be processed in ways that have unjustified adverse effects on data subjects.
Purpose Limitation
Personal data must be collected only for specified, explicit, and legitimate purposes. Data must not be further processed in a manner incompatible with those purposes.
Data Minimization
Personal data processing should be adequate, relevant, and limited to what is necessary in relation to the purpose for which it is processed. Data controllers should only process personal data that is strictly needed for each specific processing purpose.
Accuracy
Personal data should be accurate and kept up to date. Inaccurate personal data should be erased or rectified in a timely manner.
Storage Limitation
Personal data should not be stored for longer than needed for the purposes for which it was collected. Some exceptions apply, such as for archiving purposes in the public interest, scientific or historical research, or statistical analysis.
Integrity and Confidentiality
Personal data must be processed and stored in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. Appropriate technical and organizational measures should be implemented.
Lawful Basis for Processing Data
Under the GDPR, processing of personal data is only lawful if at least one of the following legal bases applies:
- Consent – The individual has given clear consent for the processing of their personal data for one or more specific purposes.
- Contract – Processing is necessary for the performance of a contract to which the individual is party.
- Legal Obligation – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital Interests – Processing is necessary to protect the vital interests of the data subject or another person.
- Public Interest – Processing is necessary for the performance of a task carried out in the public interest.
- Legitimate Interests – Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests of the data subject.
If relying on consent as the lawful basis for processing, the GDPR sets strict standards for what constitutes valid consent:
- Consent must be freely given, specific, informed and unambiguous. Pre-ticked boxes or silence do not constitute consent.
- The request for consent must be clearly distinguishable from other matters and provided in an intelligible and easily accessible form.
- Data subjects have the right to withdraw consent at any time. Withdrawing consent must be as easy as giving it.
- If the data subject is a child under 16, parental consent is required. Member states can lower this age but not below 13.
- The controller must be able to demonstrate that consent was obtained. Records should therefore be kept of who, when, how, and what data subjects consented to.
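The record-keeping requirement in the last point is easy to get wrong in practice: a boolean "consented" column does not show who consented, when, through which mechanism, to which purpose, or under which privacy notice. The following is an added example, not code from the original page, of a small append-only consent registry that enforces the rules listed above (an affirmative action is required, consent is tied to a named purpose, withdrawal is a single call with no extra conditions) and can produce the who/when/how/what trail a controller must be able to demonstrate. All class, method and field names are this example's own assumptions.

```python
"""Added example: a minimal consent record store illustrating the GDPR
consent requirements (affirmative action, specific purpose, withdrawal as
easy as granting, demonstrable records). Not code from the original page;
all names and the sample data are this example's own assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str          # who consented
    purpose: str             # what processing the consent covers
    granted_at: datetime     # when it was given
    mechanism: str           # how it was given, e.g. "signup-form checkbox"
    notice_version: str      # which privacy notice text was shown at the time
    withdrawn_at: Optional[datetime] = None


class ConsentRegistry:
    """Append-only log of consent events, so consent can be demonstrated later."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, subject_id: str, purpose: str, mechanism: str,
              notice_version: str, affirmative_action: bool,
              now: Optional[datetime] = None) -> ConsentRecord:
        # A pre-ticked box or silence is not consent: the caller must report
        # that the data subject actively opted in.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the data subject")
        if not purpose.strip():
            raise ValueError("consent must be specific to a named purpose")
        record = ConsentRecord(subject_id, purpose, now or datetime.now(timezone.utc),
                               mechanism, notice_version)
        self._records.append(record)
        return record

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> int:
        """Withdraw consent for one purpose. As easy as granting: one call, no
        extra conditions. Returns how many active consents were withdrawn."""
        ts = now or datetime.now(timezone.utc)
        count = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = ts
                count += 1
        return count

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only if an active consent exists for exactly this purpose."""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def evidence(self, subject_id: str) -> list[dict]:
        """The who/when/how/what trail a supervisory authority could ask for."""
        return [
            {"subject": r.subject_id, "purpose": r.purpose,
             "granted_at": r.granted_at.isoformat(), "mechanism": r.mechanism,
             "notice_version": r.notice_version,
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records if r.subject_id == subject_id
        ]


if __name__ == "__main__":
    # Constructed sample usage
    reg = ConsentRegistry()
    reg.grant("user-42", "newsletter", "signup-form checkbox", "privacy-v2",
              affirmative_action=True)
    print(reg.has_consent("user-42", "newsletter"))   # True
    reg.withdraw("user-42", "newsletter")
    print(reg.has_consent("user-42", "newsletter"))   # False
    print(reg.evidence("user-42"))
```

Because records are never deleted, only marked withdrawn, the registry still shows that consent existed for the period during which processing took place, which is what a controller needs when asked to justify past processing.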
Data Subject Rights
The GDPR provides data subjects with increased rights and control over their personal data. Key rights include:
Right to Access
Data subjects can request details about their personal data being processed such as the purposes, categories, recipients, retention periods, sources of the data, and whether automated decision-making is being used.
Right to Rectification
Data subjects can require inaccurate or incomplete personal data to be rectified or completed.
Right to Erasure
Also known as the “right to be forgotten”. Data subjects can request the deletion of their personal data where there is no longer a justification for its processing.
Right to Restrict Processing
Data subjects can require certain processing to be restricted if the accuracy of the data is contested, the processing is unlawful but the data subject requests restriction over erasure, or the data is no longer needed but the data subject requires it for legal claims.
Right to Data Portability
Data subjects can obtain their personal data provided to a controller in a structured, commonly used and machine-readable format. This data can also be transmitted to another controller.
Right to Object
Data subjects can object to the processing of their personal data for direct marketing, scientific or historical research, or statistical purposes on grounds relating to their situation. Controllers must cease processing unless they demonstrate compelling legitimate grounds.
Controller and Processor Compliance
The GDPR places additional obligations on data controllers and processors. Key requirements relevant for websites include:
Lawful Basis for Processing
Having a lawful basis for collecting and processing different categories of personal data, informed by a data protection impact assessment if processing is high-risk.
Providing data subjects with a detailed privacy notice explaining what data is collected, why, who it is shared with, how long it is stored etc.
Having consent mechanisms that meet GDPR standards if consent is the lawful basis for processing. Pre-checked opt-in boxes cannot be used.
Right to Access
Having processes to handle data subject requests for access to their personal data within one month.
Right to Erasure
Having functionality to erase personal data when requested and no longer needed for the processing purpose.
Data Protection Impact Assessments
Conducting a DPIA for high-risk data processing, such as large-scale monitoring of public areas or systematic profiling.
Maintaining detailed records of data processing activities and consents in order to demonstrate GDPR compliance.
Data Breach Notification
Notifying supervisory authorities of data breaches within 72 hours of awareness if the breach is likely to result in a risk to data subjects.
Data Protection Officer
Appointing a DPO to oversee compliance if required for organizations carrying out large-scale data processing or monitoring.
Website Compliance Considerations
Websites controlled by entities in the EU or processing data of EU data subjects must ensure their data handling practices and policies comply with GDPR requirements. Key website-specific considerations include:
Lawful Basis for Collecting Data
Identify the lawful basis for processing different types of data collected through the website, such as through consent forms, transactions, or analytics.
Cookie Consent Banners
Have a cookie consent banner that meets GDPR requirements for any non-essential cookies or website tracking technologies.
Include a privacy notice on the website providing transparent information about data practices. Make sure it covers all GDPR requirements.
Only collect personal data that is adequate, relevant and limited to what is necessary for each processing purpose.
For account registration, have GDPR compliant consent checkboxes or other mechanisms to obtain consent. Allow users to access, rectify or delete their data.
Right to Erasure
Build in functionality to erase website visitor data on request if no longer needed for processing purposes.
Use HTTPS (TLS) across the entire website so that transmitted data is encrypted in transit. Use only certificates issued by a trusted certificate authority.
Implement access controls and user permission levels to limit access to databases or servers holding personal data.
Establish data retention schedules aligned with processing purposes. Don’t store personal data longer than needed.
If using processors like analytics tools, ensure GDPR compliant processor agreements are in place.
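Two of the considerations above, erasing visitor data on request when it is no longer needed for a processing purpose and enforcing a retention schedule aligned with each purpose, come down to the same decision logic: for each stored record, which purpose justifies keeping it and for how long. The following is an added example, not code from the original page, that applies a per-purpose retention schedule and handles an erasure request while keeping only the records another purpose still requires. The purposes, retention periods, legal-hold rule and sample records are this example's own assumptions.

```python
"""Added example (not from the original page): enforcing a per-purpose
retention schedule and handling an erasure request for website visitor data.
The purposes, periods, legal-hold rule and sample records are assumptions
made for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention schedule: purpose -> how long the data is needed for it.
RETENTION = {
    "analytics": timedelta(days=90),
    "newsletter": timedelta(days=365),
    "order_records": timedelta(days=365 * 7),
}
# Assumed: purposes backed by a legal obligation (for example invoice retention
# under tax law) are not erasable on request while the period runs.
LEGAL_HOLD_PURPOSES = {"order_records"}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    purpose: str
    collected_at: datetime


def expired(records, now):
    """Records past their purpose's retention period (storage limitation).
    A record whose purpose is not in the schedule has no documented basis
    for being kept, so it is treated as expired as well."""
    out = []
    for r in records:
        period = RETENTION.get(r.purpose)
        if period is None or r.collected_at + period <= now:
            out.append(r)
    return out


def purge_expired(records, now):
    """Return only the records that are still within their retention period."""
    gone = {r.record_id for r in expired(records, now)}
    return [r for r in records if r.record_id not in gone]


def handle_erasure_request(records, subject_id):
    """Erase a subject's data except where a legal-hold purpose still requires it.
    Returns (remaining_records, {retained_record_id: reason}) so the reason for
    any retained record can be reported back to the data subject."""
    remaining, retained = [], {}
    for r in records:
        if r.subject_id != subject_id:
            remaining.append(r)
        elif r.purpose in LEGAL_HOLD_PURPOSES:
            remaining.append(r)
            retained[r.record_id] = f"still required for purpose '{r.purpose}'"
    return remaining, retained


# Constructed sample data
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("a1", "visitor-7", "analytics", NOW - timedelta(days=120)),
    Record("a2", "visitor-7", "analytics", NOW - timedelta(days=10)),
    Record("n1", "visitor-7", "newsletter", NOW - timedelta(days=30)),
    Record("o1", "visitor-7", "order_records", NOW - timedelta(days=400)),
    Record("x1", "visitor-9", "unknown", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    kept = purge_expired(SAMPLE, NOW)
    print([r.record_id for r in kept])          # ['a2', 'n1', 'o1']
    remaining, retained = handle_erasure_request(kept, "visitor-7")
    print([r.record_id for r in remaining], retained)
```

Running the purge on a schedule and the erasure handler on request against the same schedule keeps the two consistent: a record is never kept by the erasure path for a purpose that the retention path would already have expired.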
International Data Transfers
GDPR imposes restrictions on transferring personal data outside the EEA to ensure non-EEA countries provide adequate data protection safeguards. Common mechanisms for permitted transfers include:
Adequacy Decisions
The European Commission can issue an adequacy decision if it considers a non-EEA country as providing adequate data protection. This allows free flow of data to that country.
Standard Contract Clauses
Using standard data protection clauses approved by the Commission provides safeguards for data transferred outside the EEA. Clauses are included in contracts with recipients.
Binding Corporate Rules (BCRs)
Multinational companies can adopt BCRs approved by EU DPAs for intra-group international transfers if they provide enforceable data subject rights and effective protection.
Derogations
In the absence of other safeguards, derogations can permit transfers for specific compelling legitimate interests pursued by the controller.
Transfers may be made if the data subject explicitly consents after being informed of risks arising from the transfer.
Web Hosting and GDPR
Websites store and process personal data on servers provided by web hosting companies. This can create data controller/processor relationships under GDPR. Considerations for compliant website hosting include:
Data Processing Agreement
Having a GDPR compliant data processing agreement with the hosting provider defining data handling responsibilities.
EU or UK Hosting
Using a hosting company with servers physically located within the EEA or UK can facilitate compliance, such as for data security or transfers.
Ensuring appropriate authentication controls are in place for accessing hosted servers and databases containing personal data.
Requiring servers and connections to be encrypted using technologies like HTTPS, SSL/TLS certificates, encrypted VPN tunnels etc.
Reviewing hosting provider security provisions like encryption, backups, firewalls, penetration testing etc. Look for certifications like ISO 27001.
Confirming the hosting provider has strong incident detection and response plans. Rapid notification procedures should be covered in contract.
Ensuring data remains portable and can be migrated back to the controller if required, such as for provider changes.
Having visibility and contractual control over any sub-processors used by the web host, such as for cloud infrastructure.
GDPR Fines and Penalties
GDPR strengthens the enforcement powers of supervisory authorities. Under the GDPR, fines and penalties for non-compliance include:
- Fines of up to €20 million or 4% of annual global turnover for the preceding financial year, whichever is higher, for infringements like violation of basic GDPR principles or data subject rights.
- Fines of up to €10 million or 2% of annual global turnover for less severe infringements like failures around security or breach notification.
- Supervisory authorities can impose a temporary or definitive ban on personal data processing.
- Data subjects can claim compensation from the controller or processor for material or non-material damages suffered from GDPR infringements.
- Member states can lay down additional sanctions such as criminal penalties for serious GDPR violations not subject to fines.
The GDPR establishes higher standards for handling the personal data of individuals in the EU and provides stronger protections for data subjects. Websites collecting or processing data of EU data subjects must ensure full compliance to avoid substantial fines. Key actions include establishing lawful processing, meeting consent and transparency requirements, facilitating data subject rights, implementing data protection by design and default, entering compliant processing agreements, assessing risks with DPIAs, and only transferring data outside the EU/EEA using appropriate safeguards. Regular reviews should assess whether policies and procedures remain fully aligned with this complex regulation as it evolves.