GDPR Compliance: Your One-Stop Guide

The General Data Protection Regulation (GDPR) is a set of data privacy and security regulations that came into effect on May 25, 2018, in the European Union (EU). Since then, it has fundamentally reshaped the global landscape of data privacy and protection.

Its stringent requirements and emphasis on accountability have forced organizations to prioritize data privacy and adopt robust measures to protect personal data.

By doing so, the GDPR has not only empowered individuals with greater control over their data but has also spurred a collective recognition of the importance of safeguarding personal information in the digital age.

Here are some examples of impacts on businesses and organizations around the world:

Increased awareness of data privacy: The GDPR has brought data privacy and security to the forefront of public discussion, increasing awareness of individuals’ rights to their personal data and the responsibilities of businesses and organizations to protect that data.

Stricter data protection requirements: The GDPR has set higher standards for data protection, requiring businesses and organizations to obtain explicit consent from individuals for the collection and processing of their personal data, as well as to implement strong security measures to protect that data.

Increased enforcement and penalties: The GDPR has given EU regulators more power to enforce data protection regulations and impose penalties on businesses and organizations that fail to comply. Non-compliance with the GDPR can result in fines of up to 4% of a company’s global annual revenue or €20 million, whichever is greater.

International impact: The GDPR has also had an impact beyond the EU, as many businesses and organizations around the world have had to comply with the regulations in order to do business with EU customers or partners.

The impact of the GDPR extends beyond legal and compliance obligations. It has fostered a cultural shift by increasing public awareness and expectations regarding data privacy rights. Individuals are now more conscious of their data and have higher expectations for organizations to handle their personal information responsibly.

There have been some updates and clarifications to the GDPR since it went into effect in 2018. Here are a few notable examples:

• Guidelines on data protection impact assessments: In April 2018, the Article 29 Working Party (now the European Data Protection Board) published guidelines on data protection impact assessments (DPIAs). The guidelines provide practical advice on when a DPIA is required under the GDPR and how to conduct a DPIA.
• EDPB guidelines on consent: In May 2020, the European Data Protection Board (EDPB) published guidelines on consent under the GDPR. The guidelines provide detailed guidance on how to obtain valid consent for data processing, including the use of granular consent options and the need to obtain separate consent for different purposes.
• Schrems II ruling: In July 2020, the Court of Justice of the European Union (CJEU) issued a ruling in the Schrems II case, which invalidated the EU-US Privacy Shield framework for data transfers and placed new restrictions on the use of Standard Contractual Clauses (SCCs) for data transfers. The ruling requires companies to conduct a case-by-case assessment of whether the laws and practices of the recipient country provide an adequate level of data protection before transferring personal data outside of the EU.
• GDPR one-stop-shop mechanism: In June 2021, the European Commission published updated guidance on the GDPR’s one-stop-shop mechanism for cross-border data processing. The guidance provides practical advice on how the mechanism works, including the role of lead supervisory authorities and the coordination of investigations and enforcement actions.

These are just a few examples of the updates and clarifications that have been issued since the GDPR went into effect. As technology and data use continue to evolve, it is likely that we will see additional guidance and updates to the regulation in the future.

Even if your company isn’t located in the EU, there’s a strong chance that some of your customers are European citizens. If you have an e-commerce site that sells products internationally, you should be aware of the data privacy laws in effect for every country where you do business. Compliance with GDPR laws should include the following steps:

1. Understand and map data: Businesses should conduct an inventory of all the personal data they collect, process, and store. They should also document data flows, map data storage locations, and identify any third parties with whom they share data.
2. Obtain consent: Businesses should obtain explicit consent from individuals for the collection, processing, and storage of their personal data. Consent should be freely given, specific, informed, and unambiguous.
3. Implement security measures: Businesses should implement appropriate technical and organizational security measures to protect personal data, including access controls, encryption, and regular backups.
4. Appoint a Data Protection Officer (DPO): Businesses may appoint a DPO, or at least someone who oversees GDPR compliance, particularly if they process large volumes of personal data.
5. Respond to data subject requests: Businesses should be prepared to respond to data subject requests, such as requests for access to personal data, requests for data deletion, and requests to update or correct data.
6. Conduct data protection impact assessments (DPIAs): Businesses should conduct DPIAs for high-risk processing activities, such as large-scale data processing, or processing sensitive personal data.
7. Monitor compliance: Businesses should regularly monitor their GDPR compliance program, including internal policies, procedures, and training, as well as third-party contracts and data protection impact assessments.

GDPR compliance requires a comprehensive and ongoing effort to protect personal data and ensure the rights of individuals are respected.

To make a website compliant with GDPR law, businesses can take the following steps:

Obtain online consent: Website visitors should be asked for their explicit consent to the use of cookies, tracking, and processing of their personal data. Consent should be freely given, specific, informed, and unambiguous.

Provide a privacy policy: Websites should provide a clear and concise privacy policy that outlines what personal data is collected, how it is used, who it is shared with, and how it is protected. The policy should also include contact information for a Data Protection Officer (DPO), or other data-protection resource.

Implement security measures: Websites should implement appropriate technical and organizational security measures to protect personal data, including access controls, encryption, and regular backups.

Enable data subject rights: Websites should provide a way for visitors to exercise their GDPR rights, including the right to access, correct, and delete personal data.

Use compliant third-party services: Websites should ensure that any third-party services used on the site, such as analytics, advertising, or social media plugins, are GDPR-compliant.

Obtain parental consent for minors: If a website is intended for use by children under the age of 16, parental consent should be obtained before collecting personal data.

GDPR compliance entails a comprehensive and ongoing effort to protect personal data and ensure the rights of individuals are respected. It is important to consult with other legal and technical experts on your team to implement these GDPR-compliant measures.

Click-to-accept agreements can be used to maintain compliance with GDPR laws, such as to obtain proper consent. But businesses should be intentional with their implementation of click-to-accept agreements.

Under the GDPR, consent must be freely given, specific, informed, and unambiguous. This means that click-to-accept agreements should clearly explain what personal data is being collected, how it will be used, who it will be shared with, and for how long it will be retained.

The language of the click-to-accept agreement should also be easy to understand and not buried in lengthy legal terms and conditions. Additionally, the option to opt-out of data collection should be available, and consent should not be a precondition to access the website or service.

Generally, click to accept agreements can be used for GDPR compliance if they are designed in a way that respects individuals’ rights to control their personal data. It is important to consult with legal experts to ensure that click-to-accept agreements are designed in a way that will best enable the business to meet the specific requirements of the GDPR.

The legal team plays an important role in ensuring GDPR compliance within a company. Legal is typically responsible for managing legal affairs and advising the company on legal matters, including data protection and privacy issues.

Specifically, the legal team’s role in GDPR compliance may include:

• Providing guidance on GDPR compliance: Advising the company on the requirements of the GDPR, and helping to develop policies and procedures to ensure compliance.
• Conducting risk assessments: Helping the company to identify areas of risk related to GDPR compliance, and developing strategies to mitigate those risks.
• Reviewing contracts: Reviewing contracts with third-party vendors to ensure that they are GDPR compliant, and negotiating GDPR-related provisions where necessary.
• Managing data subject access requests: Overseeing the process for handling data subject access requests, which are requests from individuals to access their personal data held by the company.
• Monitoring and responding to data breaches: Overseeing the company’s response to data breaches, which includes identifying the breach, assessing the risk, notifying the appropriate authorities and affected individuals, and implementing remedial measures.

The legal team plays a critical role in ensuring that the company complies with the GDPR, and in protecting the privacy rights of individuals whose data the company processes.

American businesses that process personal data of individuals located within the EU must comply with the GDPR or face significant fines and legal penalties. Failure to comply with the GDPR can also damage a company’s reputation and lead to loss of customer trust.

The GDPR has also spurred increased attention to data privacy and protection in the United States, leading to the adoption of new privacy regulations at the state level, such as the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA).

In summary, the GDPR is important to American businesses because it requires compliance with strict data protection and privacy regulations when processing the personal data of individuals within the EU, and has spurred increased attention to data privacy and protection in the United States.