- GDPR compliance is a moving target, but regulatory guidance is clarifying provisions in the law.
- Enforcement of the GDPR has been slow, especially for large tech companies and big data.
- For all businesses, especially small businesses, compliance with data protection regulations builds brand loyalty and trust with customers.
- This article is for small business owners who want to learn more about data privacy regulations.
The European Union’s sweeping data privacy law, the General Data Protection Regulation (GDPR), sent many companies scrambling to come into compliance prior to its implementation in May 2018. The EU law covers EU citizens’ data anywhere in the world, meaning companies globally have to comply or face fines of up to 10 million Euro or 2 percent of their annual global turnover (or revenue) per violation (whichever is greater).
Now, four years into the GDPR’s implementation, the landscape of data privacy has changed significantly. While big cases against tech giants still await final decisions, smaller companies have had to change their behaviors and improve their handling of user data. A number of other data privacy and security measures have emerged across the world, including many state regulations, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).
What does GDPR compliance look like?
The GDPR is an 88-page law that contains 11 chapters and 99 articles, all of which are intended to improve and unify data privacy practices in regard to the data of EU citizens. It is not limited to the borders of the EU; any company that collects and/or processes the data of any EU citizens must comply with the GDPR. Companies across the United States that do any business with EU citizens are included in the law’s scope.
Among the rules the GDPR put into place for the “data controller” and “data processor” to follow were rights and freedoms granted to the data subject, or each individual user. These include ethical concerns such as the user’s right to consent to data collection, the right of a user to request deletion of their data and the right of a user to access their data. To respond meaningfully to these rights, many companies had to put systems and processes into place that previously did not exist. Since 2018, efforts have been made to clarify specific GDPR clauses, but some questions remain for companies trying to comply.
Odia Kagan, a partner at Fox Rothschild LLP and chair of the GDPR compliance and international privacy practice, said there is no real blueprint for GDPR compliance. The question businesses must start with is, “Basically, what do the rules actually mean for my business?” The answer can be different from company to company, Kagan said.
“We tried to get started and get the basics done to get going, because there are rules common to everybody,” she said. “GDPR is not a snapshot in time; it’s an ongoing deal. You have to keep going and keep reassessing; it’s an ongoing compliance process. Even companies that have done a fair amount of work likely still have more to do and maintain.”
The GDPR codifies standards for data processing and collection, creating sweeping rules governing the use of EU citizens’ data even outside the EU. Essentially, Kagan said, every company must start with the following considerations when working toward GDPR compliance:
- Expanded disclosure: Companies must offer a clear description of what data they collect, why they collect it, and how they store and process it. This includes explanations of whom the data is shared with, how long the data is stored and how the data is protected.
- User control: Companies must grant users more control over what happens to their data. Users are entitled to a copy of their data, if requested. They can also request that their data be deleted, or that amendments be made to incorrect data. Users also have the right to consent to whether their data is shared with a third-party company for any purposes other than outsourcing processing.
- Downstream compliance: Any third-party companies and service providers must be compliant with the GDPR as well; otherwise, the company collecting the data can be held liable. In other words, if you collect user data by the book but outsource processing to a noncompliant company, you could remain on the hook for violations. This includes consideration of third-party cookies and how they might collect and track general data.
“The added complexity was that EU companies already had a big head start,” Kagan said. “The Data Protection Directive had national implementing laws across the 28 EU states; this basically covered like 80 percent of [the regulations within] GDPR.”
Subsequent improvements to the Data Protection Directive, such as the 2002 ePrivacy Directive, have meant the EU is ahead of the U.S. in data protection legislation. U.S. companies had to scramble to catch up during GDPR implementation, and many clients asked if Kagan had a checklist they could follow. Her response was, “Yes, but …” it’s not a one-size-fits-all program. Instead, Kagan said, they started with the requirements that are common to all businesses.
The consequences of failing to comply with GDPR
The penalties for failing to comply with the GDPR are potentially steep: fines of up to 10 million Euro or 2 percent of global annual revenue from the previous year. For many businesses, that could amount to a fatal blow. While large companies such as Marriott, British Airways and H&M have faced hefty fines, it’s unclear whether any smaller companies have folded as a result of the regulations. The cost of compliance with new guidelines did result in the exit of about a third of Android applications, according to a study from the National Bureau of Economic Research. For companies in the U.S. and beyond, staying on top of GDPR compliance is a priority and an ongoing challenge.
When it comes to ensuring compliance with any sweeping law such as the GDPR, it’s wise to partner with an attorney or consultant who demonstrates experience and specialization in that area. However, a great first step is to simply read the law, said Donovan Buck, vice president of software engineering at BrandExtract.
“If you don’t know where to start, the law is really easy to digest,” Buck said. “It’s kind of long, but it’s written in clear terms that normal people can understand. And there’s a preamble to it … [that] gets the spirit of the law across. The law itself is not that scary. Read the law; it’s not that bad.”
Clarifying GDPR regulations
Even for those who read the law, the GDPR left a lot of unanswered questions leading up to (and even after) its implementation in May 2018. Since then, the European Data Protection Board, the overarching supervisory authority governing the GDPR, has issued clarifications and guidelines to help companies ensure they are indeed compliant, including the following:
- Clear and transparent disclosure: To obtain explicit consent from a data subject, companies must disclose their collection, usage and sharing of data with users. That doesn’t just mean including fine print somewhere in the terms and conditions; it must be spelled out clearly in plain language. Otherwise, obtaining the explicit consent of a data subject might not qualify as valid under the GDPR.
- Territorial scope: In November 2019, the European Data Protection Board released clarifications on which companies the GDPR applies to. The guidelines help clarify what constitutes an EU establishment or company that targets users within the EU. It also considers the need for an international cooperation mechanism for enforcing the GDPR on companies outside the EU.
- Legal basis of processing: In April 2019, the European Data Protection Board issued guidelines for the legal basis of processing personal data under the GDPR. These guidelines clarified what constituted necessary data collection, termination of contracts and the applicability of these rules.
- Use of location data and contact tracing tools in the context of the COVID-19 outbreak: In April 2020, the European Data Protection Board had to respond to some of the data privacy complications brought on by the COVID-19 pandemic. Their guidelines emphasized the GDPR principle of “data minimization,” stressing that only data relevant to COVID-19 contact tracing — and not identifying information or exact location information — should be collected.
- The right of access: In January 2022, the European Data Protection Board published draft guidelines for implementing the right of data subjects to access their personal data. Controllers should interpret data requests in the broadest terms in most cases, instead of limiting access. However, they need not provide data subjects with the complete documents containing their data, and can instead provide a new document that contains only the user’s personal information.
The European Data Protection Board has released myriad updated guidelines, clarifications and best practices since the GDPR’s enactment in 2018. Major updates include information on which companies are bound to the GDPR, what consumer data is considered necessary to collect and how companies should fulfill data requests.
GDPR enforcement is underway but moving slowly
While the GDPR has certainly improved data security by weeding out some egregious violations, overall enforcement is taking longer than many people expected. Information moves quickly online, and the GDPR seems, to many, like it struggles to keep up, especially in the case of huge, wide-reaching tech companies such as Meta and Google. For example, data privacy nongovernmental organization noyb (which stands for “none of your business”) brought a complaint over forced consent against Instagram, Facebook, Google and WhatsApp the day the GDPR became active. Over four years later, a resolution is still under development.
There has been enforcement of the law, however. The GDPR has levied 1,216 fines, Privacy Affairs reported, and together they exceed $2.5 billion in penalties as of December 2022, according to Enforcement Tracker. That means companies need to ensure they’re following regulators’ definitions of elements of the law, like “disclosure” and “consent,” not their own interpretation of these terms.
According to Enforcement Tracker, the three biggest fines include 746 million euros (about $790 million) against Amazon Europe Core S.à.r.l. by Luxembourg officials in July 2021, as well as two big penalties against Meta in 2022. In September 2022, Ireland’s Data Protection Commission fined Meta Platforms Inc. 405 million euros (roughly $430 million), and in November 2022, they hit Meta Platforms Ireland Ltd. with a 265 million euro (about $280 million) fine. The same names dominate the highest-fines list, with Amazon, Meta (including Facebook and WhatsApp) and Google receiving eight of the top 10 largest fines.
The November ruling against Meta relates to a data breach of approximately 533 million Facebook users’ personal information, including email addresses and phone numbers. In addition to paying the fine, Facebook must take actions to improve users’ data safety and prevent further data scraping. The September ruling against Meta said Instagram was in violation of GDPR guidelines for children’s data, which is under specific protections. Instagram allowed children ages 13 to 17 to share email addresses and phone numbers on business accounts. It also made teenagers’ accounts public by default. Meta is appealing the ruling.
Luxembourg’s fine against Amazon Europe Core S.a.r.l. is related to the ways it uses customer data to develop targeted advertising. Amazon also appealed the decision.
“A big part of [many] regulations is how you collect consent, and how you inform the consumer in a clear, transparent and obvious way [about] what you’re collecting,” said Chris Slovak, co-founder and CEO of Challenger Interactive.
New data privacy laws and data protection trends to expect in 2023
While accountability for tech giants is moving slowly, the overall attitude toward data privacy is shifting. The average consumer has become more aware of the ways companies collect their information, and privacy concerns have become central to conversations about tech. However, even businesses that don’t consider themselves tech companies should evaluate their customer data practices and make sure their data management is secure.
The GDPR was just the “catalyst” of a tidal wave of global data protection laws, Slovak said, and companies should monitor similar developments around the world.
For example, California, Virginia, Utah, Colorado and Connecticut are putting new data privacy laws into place or updating existing laws. Other nations, such as South Korea and China, are also passing new regulations around data security.
Upcoming data protection laws and regulations in the United States emphasize consumer opt-out rights and privacy preference, according to law firm Thompson Hine. To comply, online businesses must make sure their websites provide customers with an approved, clear way to opt out of the sharing or selling of their personal information. That could mean a “do not sell or share my personal information” and/or a “limit the use of my sensitive personal information” link.
These are just some examples of upcoming guidelines designed to offer consumers more transparency and control. In 2023, you can expect many more guidelines surrounding communication with customers about their rights to data privacy.
“This isn’t isolated to EU citizens and California,” Slovak said. “It’s a trend that’s going to sweep the world. Get ahead by investing in the data flows you have today.”
The GDPR requires that disclosure to data subjects be “concise, transparent, intelligible and easily accessible, and use clear and plain language.” Make sure any data privacy communication with your customers is clear and light on jargon, both to ensure compliance and to build trust and loyalty with your clients.
Tips for GDPR and data protection compliance
Compliance with an all-encompassing law such as the GDPR can seem impossible, but if you take it one step at a time, your business will soon be on the road to compliance. To stay motivated, remember that full compliance doesn’t have to be the goal; even showing an effort could be enough to keep regulators at bay.
“Companies that have been on a path and worked with regulators … have had cases closed against them or their fines have been reduced,” Kagan said. “You need a plan. Conduct a risk assessment, figure out the riskier pieces of your processing, and start working through them. Be on a path.”
Follow these tips to get started:
- Don’t panic. Data protection laws are complex and wide-ranging. It can be overwhelming for companies, especially small and midsize businesses, to manage. However, it is important to break down the process into manageable pieces so you can accomplish one small task at a time. Think of it as moving toward compliance, rather than crossing it off the list in one fell swoop.
- Conduct a risk assessment. A great place to start, according to Kagan, is by conducting a risk assessment. Use this assessment to identify the biggest risk areas for your business where you might either be running afoul of the rules or vulnerable to a data breach.
- Start with the riskiest components. Once you have a comprehensive understanding of the risk profiles of each element of your data collection operation, you can determine which parts to address first. Always start with the riskiest elements of your company. For example, if your security is lacking, shore up your defenses to ward off data breaches. If you are not obtaining consumers’ consent to capture and use their data, implement a method for gaining that consent. Working with a GDPR compliance consultant can help you understand risk more clearly.
- Understand the data and why you collect it. A big piece of the GDPR and data privacy legislation across the United States is that companies must have a complete picture of the data they collect and why they collect it. Upon request, consumers must be furnished with a copy of their data, and companies must be able to edit or delete it. It is imperative for your business to understand which data it collects, how it is stored, where it is shared and why it is used. Failure to develop a complete understanding makes compliance with data protection laws virtually impossible.
- Establish a formal governance program. Once you’ve developed an internal process for complying (or at least working toward compliance) with data protection laws, establishing a formal governance program helps you demonstrate those efforts to regulators. A formal governance program can structure precisely how data is captured, stored, shared and used. This is especially important for large companies, Kagan said, but small to midsize businesses could benefit from formalizing their data governance as well. This could include appointing a data protection officer to oversee day-to-day data collection and processing to ensure it is in line with GDPR rules.
Compliance with the GDPR, CCPA and other data privacy legislation is an ongoing process. While each piece of legislation that has been passed or proposed has different requirements, the basic goals are the same. From properly managing the processing of personal data to preventing a breach, there’s a lot that companies are expected to do. That means you can start working toward compliance without knowing all the details or having all the clarification coming down the pike from regulators, Kagan said.
“It’s not too late to comply,” she said. “Disregard the fact that your sink is full of dishes. Don’t avoid it and put it off until tomorrow — just get started.”
By implementing and following best practices, you can reduce your risk of running afoul of data privacy laws and, in the worst-case scenario, demonstrate to regulators that you have made a good-faith effort to protect consumer data. Beyond compliance, there are compelling business reasons for adhering to the best practices set out in data protection regulations, Slovak said.
“If you do it right, you get auditability and transparency,” he said. “You can tell your customers what data you have and where you’re sending it. If you do it right, you’re going to have better conversations with your customers because you have a better understanding of what they want in the moment you’re talking to them.”
Protecting consumer data privacy is good business sense and helps you build a trusted brand, he added. GDPR readiness is a good way to start shifting toward putting consumer data protection first.
“At the end of the day, data is something that’s entrusted to you,” Slovak said. “A consumer is entrusting you with information about themselves so you can create better experiences and services for them. This is an opportunity to reevaluate how you treat your customers and prospective customers. It requires a different way of thinking, and an investment in data and the tools to manage the data itself.”
To stay ahead of the regulatory curve and start building better relationships with your customers, you can start by investing in your data infrastructure and governance.
Cailin Potami contributed to the writing and reporting in this article. Some source interviews were conducted for a previous version of this article.