GDPR in simple words – Finally understand WTF is GDPR
There are over four billion internet users in the world. This means that each day, billions of people log onto sites, download apps, or use other online resources that collect data about them simply by clicking their links. Cookies, IP addresses, locations, and much more can be collected without users even realizing they’ve provided this information.
When companies can store and utilize user data at their leisure, there is potential for misuse. To mitigate the risks associated with using the internet, the European Union has developed GDPR, or the General Data Protection Regulation, to protect its citizens and keep companies honest about how they use consumer data.
The following is a thorough breakdown of GDPR, the history of data protection, who GDPR applies to, and how GDPR affects internet users and businesses. By better understanding GDPR, it will be easier to navigate domain registration, set up new websites, and adhere to all legal obligations that apply to business sites.
What is GDPR?
GDPR, or General Data Protection Regulation, is a regulation in the European Union that grants online data protection and privacy to EU citizens. GDPR requires companies to obtain explicit approval from users before storing their data and requires individual approval for each way user data can be used. The protection and privacy granted by GDPR cover any data which makes users identifiable.
The personal data described in the GDPR includes nearly all information garnered through online use. The major pieces of data most people worry about are their social security number, phone numbers, bank account information, or general household information. While it’s true that this information is very dangerous in the wrong hands, other pieces of personal data are seemingly benign but can still pose serious risks to citizens.
Websites gather this information by collecting data that the user has input manually, by using predictive systems developed specifically for generating this data or, in most cases, both. Though having a few pieces of data about a user isn’t too dangerous, having multiple pieces of data can make that user identifiable, which can lead to unwanted solicitation, security risks, and more.
Identifiable data is anything that singles out a user from other users. This doesn’t mean that a company must have a name for a user to be identified. Identifiable information could be an age range and gender, location, online identifiers, like cookies or IP addresses, or any combination of these data points.
The History of GDPR
In the mid-1990s, the internet quickly turned into an invention that would change the world. As soon as people began logging on to the internet, webpages began collecting their information. As the internet progressed and more sites were developed, consumers shared more information with websites.
As sites began collecting more and more data about users, it became apparent that certain regulations must be put in place to protect users and hold businesses accountable.
In the UK, the Data Protection Directive was developed in 1995. This directive aimed to control the collection of personal data and limit the way it was being used and distributed.
The Data Protection Directive of 1995 led to the introduction of the Privacy Act of 1998, or Act 1998. Act 1998 further protected European citizens from data breaches, improper data usage, and more from public and private businesses and charities.
A combination of these previous regulations and two decades of learning about internet usage and data collection has led to the creation of GDPR, which has revolutionized the way the personal data of EU citizens is used online.
Who Does GDPR Apply To?
GDPR was developed in the European Union to protect EU citizens. Since EU citizens also use websites that are not based in the EU, GDPR applies to any website that allows EU citizens to access its platform or do business with it online. These stipulations mean that nearly every large business with online operations will need to be aware of GDPR and adhere to its principles when dealing with consumers who are EU citizens. This also applies to existing businesses that choose to expand into the EU market.
There are very few businesses or websites excluded from GDPR; however, there are some exemptions from some of the regulations. In a few cases, businesses may be able to prove they aren’t required to adhere to certain principles of the GDPR. Keep in mind that GDPR exemptions are extremely rare and are processed on a case-by-case basis by the Information Committee.
GDPR doesn’t apply to personal or domestic use of information, such as taking personal photographs or writing blogs or letters to friends or family for non-commercial purposes. It also doesn’t apply to information gathered by legitimate law enforcement authorities or by the government for national security purposes. If your business operations don’t fall under any of these exemptions, you’ll need to have a GDPR plan in place.
GDPR Requirements: How to be GDPR Compliant
GDPR is made up of seven key principles. These principles are designed to keep citizens safe and limit the amount of access and control businesses have over their consumers’ private information. While the seven principles are clear cut, it can be helpful to break them down one by one.
Lawfulness, Fairness, and Transparency
The first principle of the GDPR lays the groundwork for the other six principles. The first portion of this principle, lawfulness, may seem like an obvious requirement. Companies are required to follow laws, after all. However, before GDPR, lawfulness could be an unclear term. According to GDPR, lawfulness requires companies to identify clear and valid reasons to collect and use personal data. Once data is collected, lawfulness requires that the information is never used in ways that violate any preexisting laws.
Fairness refers to the idea of customers being treated fairly when their data is collected and used. Data should only be used in the ways presented in the customer terms. Any language that misleads customers or any usage that could be damaging to them violates GDPR.
Transparency requires businesses to be open and honest about how the data they collect is going to be used.
Purpose Limitation
Purpose limitation requires that companies divulge how personal information is going to be used. These purposes must be written in clear language in the site’s privacy information. Also, personal data can only be used for the original intended purpose unless the new purpose is compatible with the original purpose, new consent is obtained, or there is a clear obligation set out in the law.
Data Minimization
Data minimization requires that the data obtained is adequate, relevant, and limited to what is necessary. Therefore, data must fulfill the original, stated purpose, have relevance to that purpose, and not go beyond what is needed for that purpose.
Accuracy
The data that has been collected must be as accurate as possible to the company’s best knowledge. Data should be checked for accuracy regularly, and any inaccurate data should be updated or removed.
Storage Limitation
Businesses should only store information for as long as they need it. The length of time data will be held depends upon how the data is used, so each business should consider what a reasonable time length is for storage. Stored data should also be reviewed periodically so that unneeded data can be erased, or the user can be made anonymous. Individuals must be able to request erasure, and the business must comply by erasing their data promptly.
Integrity and Confidentiality
Integrity and confidentiality are essential when personal data is being stored. Every business that holds data in the EU must ensure that they have proper security measures in place so that personal data is not unreasonably at risk of breaches.
Accountability
Accountability requires that businesses be able to answer how they are storing and using their customers’ data. Compliance with GDPR should be easily evidenced.
What Happens if a Business Isn't GDPR Compliant?
The Information Commissioner’s Office, or ICO, takes GDPR compliance very seriously. Businesses that fail to comply with the seven GDPR principles could incur hefty fines and penalties.
The fines associated with noncompliance aren’t empty threats. Individuals and businesses have already been fined for their failure to comply with GDPR. A list of those being prosecuted by the ICO can be found here.
Most notably, in June of 2019, EE Limited was fined 100,000 Euro under GDPR. EE Limited sent out over 2.5 million unsolicited direct marketing messages to their customers without first receiving consent.
To avoid these fines, businesses must have a clear plan in place that stops any violations from occurring. They should also frequently evaluate their GDPR compliance plan and vigilantly check for any possible GDPR violations.
What Does GDPR Mean for Consumers and Citizens?
Under GDPR, EU citizens have eight distinct rights when it comes to their data. EU citizens should be aware of these rights and ensure that they are being afforded them.
These rights include:
The seven principles of GDPR have been set up in a way that, when properly implemented, gives all site users these rights. Businesses that don’t ensure these rights for their customers violate GDPR.
GDPR's Effect on Domain Name Registrations
The process of registering for and obtaining a domain name hasn’t changed under the GDPR. However, for businesses that plan to serve the EU market, there are many more things to consider. Domain names will still need to be registered so that owners can be identified. Though this information will still be held, domain information falls under the GDPR principles. This means that finding a domain, contacting the owners of a domain, and investigating other aspects of a domain name will be more difficult under GDPR, especially for domains originating in the EU.
Since finding domain owners and acquiring domain names has become more difficult under GDPR, many business owners will turn to domain name services to find available domains and develop names that fit their business.
Though GDPR may be difficult to navigate at first, businesses that commit to creating a safer space for users by following these EU regulations will reap the benefits of having a global business while maintaining the trust of their customers.