For a better grasp of all the lingo, you can refer to our Glossary of Terms.
What does GDPR Consider Personal Data?
The EU GDPR only applies to personal data, which it considers to be any information that relates to an identifiable person. Anything that can confirm your physical presence somewhere is also classified as personal data under GDPR - this includes things like CCTV footage and fingerprints.
What does GDPR Consider Sensitive Personal Data?
The GDPR places certain types of sensitive personal data into a “special category” that must be treated with extra security. This includes information related to:
- Political opinions
- Race or ethnicity
- Religion or philosophical beliefs
- Sexuality or a person’s sex life
- Trade union membership
- Genetic information
- Biometric data - when processed to identify someone
What are the Penalties for Non-Compliance with GDPR?
GDPR requirements are enforced by the national data protection authorities of EU and EEA member states, and through private rights of action - as with Max Schrems and his noyb advocacy group.
The regulation establishes a two-tier sanctions system, and companies found to have breached GDPR can be fined either:
- Up to €10 million, or 2% of worldwide annual revenue from the previous year - whichever is higher
- Up to €20 million, or 4% of worldwide annual revenue from the previous year - whichever is higher
Who does GDPR Apply To?
According to the European Commission, GDPR applies to:
- A company or entity that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or,
- A company established outside the EU that offers goods or services (paid or free) to individuals in the EU, or monitors the behavior of individuals in the EU
Effectively, GDPR applies to companies that collect data from or market to the European Union, or are prepared to serve citizens and residents there.
In practice, compliance is mandatory for any company that makes its website or services available to EU citizens.
It's even mandatory for companies that hold the personal data of just one person living in the EU - even if there is no company office in the Union.
Who does GDPR Not Apply To?
Since GDPR reaches beyond the territory of the European Union, the number of formal GDPR exemptions is very small:
- Companies that actively discourage the processing of EU citizen data
- Companies that process EU citizen data, without directly targeting subjects or monitoring their behavior
The European Commission states that some GDPR obligations - such as the appointment of a Data Protection Officer - do not apply to companies for which processing personal data isn’t a core business activity.
Informal Exemptions to GDPR
There is a range of scenarios that free companies from the oversight of GDPR.
If you’re not operating in the EU, you may be exempt from GDPR if you don’t use an EU language or currency and don’t refer to EU consumers. This is tricky, because some of these languages are used around the world, so your intent is important.
You’d need to also ensure that EU residents can’t register for an account or purchase anything.
If your company does collect data, you may be exempt if you don’t process personal data - i.e. anything that can be used by itself to identify someone. Anonymous data is also not covered by GDPR.
Some specific scenarios also fall outside the scope of GDPR; these rarely apply to private companies and vary from one EU country to another.
Overall, they relate to very specific parts of the GDPR. Particular companies might not need to provide people with the personal data on file, or they might not need to communicate certain information in their privacy notice. Here are some examples:
- Law enforcement is exempt from GDPR in specific situations
- Journalism is exempt from GDPR, if compliance means suppressing press freedoms
- Universities are exempt from giving students access to exam papers in specific situations.
What are GDPR’s Key Principles?
Article 5 establishes seven principles that act as an overarching framework to guide the handling of personal data. Data controllers must comply with these principles, and be able to demonstrate adherence at any time.
1. Lawfulness, Fairness, and Transparency
Lawfulness means that you should have a good reason for collecting and processing data.
Fairness means you should never purposely withhold your reason for collecting and processing data, and that you won’t mishandle or misuse it.
Transparency means being open, clear and honest with data subjects about who you are and what you’re going to do with personal data.
2. Purpose Limitation
GDPR states that personal data is “collected for specified, explicit and legitimate purposes”.
You must clearly establish your purpose for collecting data, communicate this to users in a privacy notice and ensure that your activities stay within these set limits. If they do not, you must acquire further consent from users, unless there is another legal basis for the new processing.
3. Data Minimization
This means collecting the least amount of data required to deliver your objective.
4. Accuracy
This means that all the data you collect and store is correct. It requires setting up systems and regular audits to ensure that incorrect data is corrected, updated, or deleted.
5. Storage Limitation
GDPR requires you to justify how long you store personal data for. This can be done by establishing a storage limitation policy and anonymizing or deleting data once the set retention period is over.
6. Integrity and Confidentiality (Security)
This means you are required to keep personal data secure from internal and external risks, and protect it from unauthorized processing as well as accidental loss or damage.
7. Accountability
Companies must have appropriate processes, procedures and documentation in place to prove compliance with data processing principles, and supervisory authorities have the power to demand evidence of this at any time.
Understanding GDPR Compliance
GDPR has established a new standard for the data protection of EU citizens and residents, and presents a challenge to companies that risk huge fines for non-compliance.
GDPR outlines certain obligations organizations must follow, which limit how personal data can be used.
It also defines eight data subject rights that guarantee specific entitlements over an individual's personal data, ultimately giving individuals more autonomy over their personal information and how it is used.
But simply following GDPR requirements is not enough, and you may wonder: what is GDPR compliance?