We get it. The GDPR is more than a little confusing.
Most of us know roughly what it is – doing right by your customers or users when handling their information – but what it means in practice and how to be GDPR compliant? Probably not.
And this is for a good reason – the GDPR is complex. There’s a lot of jargon in there, and it’s not exactly the most concise of documents.
Still, if you have responsibilities that involve data collection, it’s not something you can plead ignorance to.
But fret not; we’re going to break down all those terms and requirements in simple language and provide a comprehensive guide to the GDPR from the employer’s perspective.
Table of contents
- What is the GDPR?
- Understanding the GDPR
- How to be GDPR compliant: 9 best practices for employers
- What about other privacy regulations around the world?
- ✅ Assess candidates and employees with a GDPR & Privacy pre-employment test
What is the GDPR?
The GDPR (General Data Protection Regulation) is EU (European Union) legislation that aims to protect the rights of individuals whose personal data is being collected and processed.
It explains what companies can and can’t do when collecting, storing, and processing data, each of which is a separate practice.
It also outlines EU citizens’ rights when their data is collected, stored, and processed.
The GDPR came into force on May 25, 2018, and overhauled many European data privacy laws that had been in place since the 1990s. It is widely considered the world’s strongest set of data protection rules.
Although the GDPR applies to all of the EU (more on that soon), it allows individual countries to make small changes to suit their own requirements. This flexibility led the UK to create the Data Protection Act 2018, superseding the previous act from 1998.
The GDPR has also informed several other data protection laws, such as the California Consumer Privacy Act.
All of this gives rise to one of the most common questions about the GDPR:
Where does the GDPR apply?
Since the GDPR is European legislation, it raises a fair question:
Does the GDPR still apply in the US and the rest of the world? In short, yes, but not in all situations.
Let’s break that down.
The EEA GDPR (the original GDPR) applies specifically to the 27 member countries of the EU and all countries in the EEA (European Economic Area), which extends the EU to include Iceland, Norway, and Liechtenstein.
The UK has its own version of the GDPR, referred to as the UK GDPR, tailored by the Data Protection Act 2018 discussed above.
So, if your business is based in the EEA (regardless of where you process customer data), the GDPR applies to you. If you’re based in the UK, follow the UK GDPR guidelines.
Where things get a little tricky is that the GDPR still applies to businesses outside of these areas if they:
- Offer goods and services to people in the EEA
- Monitor their customers’ online behavior
If you’re based in the US and meet both of the above criteria, then you need to adhere to the GDPR’s requirements.
If you only sell to customers in the US (or other countries outside the EEA), then you don’t have to comply with the GDPR. Still, you may need to abide by local regulations. Skip ahead to our breakdown of other countries’ privacy regulations to learn more.
Understanding the GDPR
The official GDPR document is huge, with more than 250 pages and 99 individual articles.
We know you’re not going to read that whole thing (and who could blame you?), so let’s break it down into five parts and go through the Cliffs Notes version of the GDPR.
- Important GDPR definitions and concepts
- The 7 key GDPR principles
- The 8 GDPR rights for individuals
- The 6 lawful bases to process data
- Fines for GDPR breaches
Important GDPR definitions and concepts
Before looking at the key principles, rights, and lawful bases for data processing, it’s important to understand some key terms used in the GDPR.
Users (also referred to as data subjects) are the individuals whose data is collected and processed.
In most cases, these are your customers, but this term might also extend to third-party suppliers and employees.
A data controller is a person or legal entity involved in deciding how that personal data will be processed.
As an entity, this is your company, and as a person, it’s likely to be your chief technology officer.
A data processor is a person or legal entity who is involved in processing the data on behalf of the data controller.
This might be the same business if you’re processing data in-house.
However, larger organizations often contract third-party suppliers to process data and deliver insights. In this case, your business is still the data controller, but the supplier is the data processor.
Personal data is the details you capture about your users.
The GDPR specifically defines personal data as being from an “identified or identifiable natural person,” which is someone who can be identified by referring to details like:
- Phone number
- Personal identification numbers
- Date of birth
- Online identifiers, like an IP address
Data processing is any operation performed on personal data, including activities like:
Say that five times fast.
Pseudonymization is a way of processing data so that it can’t be attached to a specific user without additional identifiers. Personally identifiable information is replaced with artificial identifiers or pseudonyms to protect users’ anonymity.
The 7 key GDPR principles
The GDPR is underpinned by seven core principles related to collecting and processing personal data.
1. Lawfulness, fairness, and transparency
This principle is pretty straightforward. As a data controller, you must process personal data in a way that is fair, transparent, and compliant with the law.
2. Purpose limitation
You should only collect personal data for legitimate and specific purposes.
That means you can’t just collect data for the sake of it, and you can’t process data for any reason other than what you specify when you collect it.
3. Data minimization
Data minimization means that the data you collect needs to be relevant, adequate, and limited to the purposes of the process.
Basically, you can’t collect data that you don’t need according to the purposes you’ve described.
The accuracy principle says that as the data controller, you must ensure personal data is correct and kept up to date where possible.
If the data is inaccurate, it must be destroyed or rectified.
5. Storage limitation
You may only store personal data for the length of time necessary for the described processing purposes.
However, there are a few limited circumstances in which an exception can be made:
- Public interest
- Scientific or historical research
- Statistical purposes (so long as appropriate technical or organizational measures are in place to protect the data)
In short, you must destroy the data if you no longer require it.
6. Integrity and confidentiality
You must have appropriate organizational and technical/security measures in place to ensure data is secure while it’s being processed.
Examples include protecting data against unlawful or unauthorized processing and accidental loss, destruction, or damage.
This principle states that you are responsible for showing that you comply with the above six principles.
The 8 GDPR rights for individuals
The GDPR also outlines individuals’ specific rights when it comes to their data being collected and processed.
It is your responsibility as the data controller to ensure these rights are fulfilled.
1. The right to be informed
You have to tell users what data you’re collecting and how you’re processing it via a privacy notice.
The user must receive this information at the time you collect their data.
2. The right of access
You must allow users to access the data you’ve collected about them.
If requested, you must provide:
- The categories of the data being processed
- A copy of the actual data
- Details about the processing, such as the purpose of processing
- When the data was collected and with whom it has been shared
You have to provide this information free of charge, without undue delay, and within one month of the request.
3. The right to rectification
Your users have the right to rectify their data if it’s incorrect or incomplete. You must also pass this request along to any third-party processors (unless this is “impossible or disproportionately difficult”).
This must occur without delay, within one month of the user’s request (except under special circumstances), and without charge. However, there are some instances where the rectification request is considered “manifestly unfounded or excessive.” In these cases, you may request a “reasonable charge.”
4. The right to erasure
Users can withdraw their consent for you to use their data at any time and request that you erase it without delay. You must erase the data within one month of receiving the request.
There are some circumstances under which you may refuse this right, such as when:
- The data is necessary for legal defense
- The data processing is being carried out in the public interest or for health purposes
- You must retain the data to comply with a legal obligation
- The data is being processed for scientific research
- The data is necessary to exercise the right of freedom of expression
5. The right to restrict processing
Under certain conditions, users can request to restrict specific forms of processing of their data. This essentially means that the processing of their data stops, but you don’t erase it.
These conditions include when:
- The user contests the data’s accuracy
- The user objects to the processing, but your organization is considering whether it has legal grounds to continue processing (such as those mentioned in the above section)
- The processing is unlawful, but the user doesn’t request erasure
- The data isn’t required, but the user still needs it to establish, exercise, or defend some form of legal claim
6. The right to data portability
If requested, you must provide users data (in a machine-readable format) to transfer from one controller to another.
You must carry out the request without delay, within one month, and free of charge unless the request is found to be “manifestly unfounded or excessive.” In this case, you may be able to charge a “reasonable fee” for the data port.
7. The right to object
Your users have a right to object to any form of processing of their data.
They must state a motivation for their objection (unless the data is used for direct marketing purposes), and data processing must halt for the particular processing activities objected to until the objection has been resolved.
8. Rights in relation to automated decision-making and profiling
Your users have the right not to be subjected to a decision based on automated processing or profiling.
You are allowed to carry out automated decision-making if it:
- Is needed for contract performance
- Is authorized by the law of the applicable EU state
- Doesn’t have a legal or similar effect on the user
- Is based on the users’ consent
In short, if you need to make automated decisions about data, you’ll need to obtain explicit consent.
The 6 lawful bases to process data
To process user data, you must be able to meet one or more legal bases for doing so.
|Lawful base to process data||Definition|
|Consent||The user has given explicit consent for at least one scientific purpose|
|Contractual obligations||Data processing is necessary for carrying out a contract in which the user is participating|
|Legal obligations||Data processing is necessary to fulfill a legal obligation to which you, as the data controller, are a subject|
|Vital interests||Data processing is necessary to protect the vital interests of the user or another person|
|Public interest||Data processing is carried out in the public interest or contained under the data controller’s official authority|
|Legitimate interests||Data processing is necessary for the data controller’s legitimate interests, except where overridden by the rights, interests, and freedoms of the user (particularly when the user is a child)|
Fines for GDPR breaches
Officially, there are two tiers of GDPR breaches, with commensurate fines for each:
|GDPR breach tier||Fine|
|1. Less severe||Up to €10m, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher|
|2. More severe||Up to €20m, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher|
Historical GDPR fines due to non-compliance have reached some eye-watering numbers. These are the top five:
- Amazon – $847m
- WhatsApp – $255m
- Google – $56.6m
- H&M – $41m
- TIM – $31.5m
It pays to be compliant, doesn’t it?
How to be GDPR compliant: 9 best practices for employers
Is your organization in need of a GDPR tune-up?
Follow these nine steps to make sure your business is GDPR compliant.
- Perform a data audit to map your recruitment/employee data
- Run Data Protection Impact Assessments (DPIAs)
- Update your privacy notices for recruiting and hiring
- Plan to collect the minimum amount of information, get consent, and use it fairly
- Protect all personal data with advanced security systems
- Get rid of personal data once you don’t need it anymore
- Inform employees and candidates of the legal basis you’re using to process data
- Train your staff on GDPR compliance
- Put a plan in place for data breach notifications
1. Perform a data audit to map your recruitment/employee data
The GDPR applies to not only data you will collect in the future but the personal information you have already stored.
That means you’ll need to perform an audit of your existing data to document:
- What kinds of data you’ve collected
- How that data is being processed
- The purposes for which you’re keeping and processing the data
Be prepared to do a bit of a data cull: If there is information you’ve collected that you no longer require, you must erase it.
2. Run Data Protection Impact Assessments (DPIAs)
DPIAs are essentially risk assessment and mitigation activities.
Under the GDPR, you’re required to carry out DPIAs each time you start a new project that is “likely to involve a high risk to other people’s information,” such as implementing a new software platform.
That doesn’t mean you need to run DPIAs every time you collect data, but it’s good to assess any risks to the data you’re currently storing.
The GDPR states that a DPIA requires three elements:
- “A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller”
- “An assessment of the necessity and proportionality of the processing operations in relation to the purposes”
- “An assessment of the risks to the rights and freedoms of data subjects”
3. Update your privacy notices for recruiting and hiring
Whenever you recruit for a new role, you capture applicants’ data as soon as they apply. That makes them users and you the data controller. Therefore, you have an obligation to protect their privacy.
This obligation includes disclosing the types of data you’re collecting, the purposes of collection, and how you intend to process the data you collect.
Your privacy notice is how you communicate this.
Exactly how to write a privacy notice is outside the scope of this article, but the GDPR provides a great rundown on this process and a free template.
4. Plan to collect the minimum amount of information, get consent, and use it fairly
So, ensure that:
- You don’t collect unnecessary data in your collection processes (e.g., customer forms)
- You don’t process any data in ways other than those you describe in your policy
5. Protect all personal data with advanced security systems
It’s likely that your user data is stored across a variety of locations, such as your:
6. Get rid of personal data once you don’t need it anymore
To maintain compliance with GDPR rules, you’ll need to destroy any data you’ve collected once you no longer need it.
That means you can no longer process the data, pull any insights from it, or use it to manage customer relationships.
Considering the amount of some of the heftier GDPR fines, it’s probably also worth scheduling an annual or bi-annual data cull.
7. Inform employees and candidates of the legal basis you’re using to process data
The GDPR defines six lawful bases for capturing and processing data as we discussed earlier in this guide.
To uphold the GDPR’s principle of transparency, you should inform all users from whom you have collected or will collect data of which legal basis you’re using to process their information.
8. Train your staff on GDPR compliance
Chances are you’re not the only person in your organization coming into contact with user data. You are, however, responsible for the actions of everyone on your team.
To protect yourself and your company, it’s a smart idea to train your team on GDPR compliance, including:
- What gives your organization the right to collect and process data
- What the limitations are on data collection and processing
- What to do if they think your company might be in breach of the GDPR
9. Put a plan in place for data breach notifications
If you do happen to receive a breach notification from GDPR regulators, it’s likely to be a pretty stressful event.
You can make it a little less stressful by outlining how your business will act in such an event. Include details like:
- Who is responsible for responding to the notice
- How your company will investigate the breach notice
- Who is responsible for rectifying the issue
What about other privacy regulations around the world?
Glad you asked.
The GDPR has set off a domino effect across the world that has resulted in the creation of similar regulations aimed at protecting individual rights and digital privacy.
Here’s a quick summary of the regulations you should be aware of:
- The California Consumer Privacy Act (CCPA)
- Canada’s Protection and Electronic Documents Act (PIPEDA) and the proposed Consumer Privacy Protection Act (CPPA)
- Brazilian General Data Protection Law (LGPD)
- South Africa’s Protection of Personal Information Act (POPIA)
- New Zealand’s Privacy Act 2020
- Japan’s Act on the Protection of Personal Information (APPI)
Let’s look a little deeper at these privacy regulations: You might have to comply with more than one.
California Consumer Privacy Act (CCPA)
As of this writing, the California Consumer Privacy Act (CCPA) is the only US-based privacy act, though many other states are in the process of developing one following California’s legislation.
The CCPA is less intense than the GDPR.
At the highest level, it allows Californian consumers to request access to any data a company has on them and a list of the third-party businesses with whom it has shared that data.
Canada’s Protection and Electronic Documents Act (PIPEDA) and the proposed Consumer Privacy Protection Act (CPPA)
We know – this one’s quite a mouthful.
The Protection and Electronic Documents Act (PIPEDA) is now in effect and gives Canadians certain rights regarding their data, including the following:
- Generally, organizations must obtain consent to collect and process data
- Typically, businesses must disclose the data they collect
- Users have the right to access their personal information
- Users have the right to challenge data accuracy
- Organizations may only use data for the purposes for which they collected it
As you might be able to tell, the PIPEDA shares many similarities with the GDPR.
A more stringent set of guidelines known as the Consumer Privacy Protection Act (CPPA) has been proposed to give users more protection over the types of data businesses can collect and process.
Brazilian General Data Protection Law (LGPD)
The Brazilian General Data Protection Law (LGPD) is broadly aligned with the GDPR, outlining the specific rights of users and the obligations of data controllers and processors in Brazil.
South Africa’s Protection of Personal Information Act (POPIA)
The Protection of Personal Information Act (POPIA) is similar to the GDPR, except it also extends to protect legal entities, not just individual people.
POPIA fines are much smaller than potential GDPR fines, but they largely protect the same rights.
New Zealand’s Privacy Act 2020
New Zealand’s Privacy Act 2020 is a principles-based act, meaning it’s far less detailed and prescriptive than the GDPR.
Its purpose is simply to protect individual privacy by:
“(a) providing a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and
(b) giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights.”
Japan’s Act on the Protection of Personal Information (APPI)
Japan’s Act on the Protection of Personal Information (APPI) was originally put in place in 2005 but has had many amendments, especially since the initiation of the GDPR in 2018.
There were major updates in 2015 and 2020.
The APPI outlines obligations for:
- Data access controls
- Encryption requirements
- Data transfers
- Updates to be made to legacy systems
Go get GDPR compliant
This guide to GDPR gives you an in-depth but not overly complex rundown on how to be GDPR compliant.
However, just knowing the terms and principles isn’t sufficient. You’ll need to put them into action to protect your customers’ privacy and rights.
By the way, we have a GDPR & Privacy pre-employment test in our test library. Why not use it to assess your candidates’ knowledge of GDPR? You’ve got the cheat sheet right here!