GDPR: A PRACTICAL GUIDE FOR THE SMALL BUSINESS
Because we specialize in helping startups and small businesses comply with the GDPR, we wanted to design a GDPR Glossary of terms that speaks to small businesses, not to large multinational companies with an army of lawyers able to decipher the GDPR for them. We wanted to avoid what too many GDPR glossaries already do, which is simply reproducing the definitions found in the text of the GDPR (anybody can do that, and it often isn’t very helpful). Instead we take a different and, we hope, more disruptive approach: explaining some of the most commonly found GDPR terms in plain, non-legalese English, and in the context in which they are most relevant.
We are European lawyers practicing in the U.S. As such, we are used to explaining EU legal concepts in plain language to U.S.-based companies that aren’t familiar with the laws of the EU. Some of the terms used in the GDPR are very complex, and also not very well defined in the Regulation itself. We hope that our Glossary will help eliminate some of that complexity. Enjoy the reading!
What is the GDPR?
GDPR, which stands for the General Data Protection Regulation, is European legislation which came into effect on May 25, 2018, replacing the EU Privacy Directive (95/46/EC) of 1995. The Regulation imposes strict new rules on any organization or business that comes into contact with the personal data of EU residents, regardless of where the organization is located.
What is a Regulation v. a Directive?
Regulations and directives are the two instruments used to pass legislation at the EU level. A directive is a legislative act that sets a goal but lets each individual member state of the EU decide how it will achieve that goal, which leads to as many sets of rules as there are member states. A regulation, on the other hand, applies automatically in every EU member state and becomes the law of the land across the EU. The GDPR is unusual in that, although it is a regulation, it is an incomplete one: in more than 50 areas it gives member states the right to adopt revisions or supplemental rules to those of the GDPR. These national exceptions are commonly referred to as national derogations.
When does the GDPR apply?
The GDPR applies to organizations located within the EU or organizations located outside the EU that process personal data of EU residents when offering them goods or services, or that monitor the behavior of EU residents.
How do I become compliant with the GDPR?
Binding Corporate Rules (BCR)
Internal rules for multinational groups which, when implemented, guarantee that data transfers within the group are GDPR compliant. To have BCRs approved, an organization must apply for authorization from one of the EU’s Data Protection Authorities (“DPA”). BCRs do not guarantee compliant data transfers outside of the group.
BCRs are one of three main methods for validly transferring EU data outside the European Economic Area, the other two being the EU-U.S. Privacy Shield Framework (only for transfers to the U.S.) and the EU Standard Contractual Clauses, aka the “Model Clauses”.
BCRs are the least favored mechanism for small businesses, as they can be time-consuming and expensive. They are also not applicable if the business has no legal entity in the EU.
Biometric Data
One of the new categories of personal data that is now expressly listed among the “Special Categories of Data” under the GDPR. Biometric Data refers to identifiable data related to physical, physiological, or behavioral traits. This includes facial scans, fingerprints, and retinal scans.
GDPR reference: Art. 4 §14; Art. 9
Consent
One of the 6 legal bases for processing personal data under the GDPR. To be valid, consent must be freely given, specific, affirmative, and informed.
For example, if you are requesting to store and use someone’s personal data, they might need to opt in to such collection through clear and separate opt-ins for each instance of data collection.
Please note that consent is not always required. Processing may be lawful without consent if it falls under one of the other Article 6 categories of lawful processing.
GDPR reference: Art. 4 §11; Art. 7
Controller or Data Controller
Whoever decides what data is collected, the way it is collected, and how it is used. This can include individuals or “legal persons” such as companies or organizations.
As a general rule, any organization that operates a website through which the personal data of EU residents is collected is deemed a data controller. Controllers have an obligation to make sure that their service providers who have access to the personal data of EU residents (aka “data processors” or “processors”) also comply with the GDPR.
GDPR reference: Art. 4 §7; Art. 24
Data Protection Authority (“DPA”)
AKA “Supervisory Authority”
Each European country (“Member State”) has its own authority responsible for enforcing the GDPR.
GDPR reference: Art. 4 §21; Art. 51
Data Protection Officer (“DPO”)
Person formally appointed to be responsible for compliant data processing practices within a company or organization.
Under the GDPR, you must appoint a DPO if:
GDPR reference: Art. 37 (subject to national derogations)
Data Processing Impact Assessment
AKA “DPIA”
Prior to processing personal data, Controllers are required to assess the privacy risks of their processing methods when the processing is likely to result in a high risk to the rights and freedoms of the data subjects.
DPIAs are required where the processing involves:
DPIAs should include:
GDPR reference: Art. 35 (subject to national derogations)
Data Subject
A person within the EU whose information is being processed. Data subjects covered by the GDPR physically reside in a European member state while their personal data is being processed.
GDPR reference: Art. 4 §1
EU Representative
Companies or organizations that are not based in, and do not have a physical presence in, the EU must appoint a representative physically located in the EU. The representative acts as the point of contact for DPAs and data subjects.
Exceptions to appointing a representative include:
European Economic Area
The European Economic Area consists of all 28 Member States in addition to Liechtenstein, Iceland, and Norway.
E-Privacy Directive
AKA “the cookies directive”
The 2002 E-Privacy Directive. This directive, currently the subject of a draft Regulation aimed at replacing it, focuses on protecting internet users’ privacy by requiring websites to obtain user consent and to give users control over when and why they are being tracked by cookies.
Extra-territorial Effect
Before the GDPR, companies with no employees, offices, or processing facilities (e.g., servers) located in the EU would generally not be subject to the EU Privacy Directive.
The GDPR goes further and covers any organization, anywhere in the world, that either (1) offers “goods or services” to EU users or (2) “monitors the behavior” of EU data subjects.
General Data Protection Regulation
AKA “GDPR”
European legislation which came into effect on May 25, 2018, replacing the EU Privacy Directive (95/46/EC) of 1995. It imposes strict new rules on any organization or business that comes into contact with the personal data of EU residents, regardless of where the organization is located.
Find the language of the GDPR here.
Genetic Data
Another new category of data that is now expressly listed among the “Special Categories of Data” under the GDPR. Genetic Data refers to identifiable data concerning data subjects’ gene sequences.
GDPR reference: Art. 4 §13
Large Scale Processing
Large scale processing is not defined by the GDPR.
Considerations in determining whether processing meets this standard include:
Examples of large scale processing include:
When an organization processes data on a large scale, it is required to designate a DPO.
GDPR reference: Art. 37 (subject to national derogations)
Legitimate Interest
Legitimate interest is one of the 6 lawful bases for processing personal data under the GDPR. This standard is very flexible, but also unclear for controllers.
A 3-part test must be used to determine whether your processing qualifies as a legitimate interest:
Examples of legitimate interests include fraud prevention, ensuring security, or identifying criminal or public security threats. Other processing, such as direct marketing and employee data transfers, might be legitimate depending on why and how it is being done. More information can be found here.
GDPR reference: Art. 6 §1 (subject to national derogations)
Member States
Member States are subject to the GDPR and include the following 28 countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
National Derogations
Certain provisions of the GDPR allow member states to add to or modify the terms of the Regulation as they are applied to residents of their country. More than 50 provisions of the Regulation grant the member states the right to provide their own rules.
Companies with data subjects in multiple member states should be familiar with the derogations of those member states before processing data of their residents.
Personal Data
Any information that can be used to directly or indirectly (i.e., alone or in combination with other information) identify an individual, including:
This is distinguishable from ‘Personally Identifiable Information’, which has a narrower definition in the US.
GDPR reference: Art. 4 §1
Privacy Shield
The EU-U.S. Privacy Shield is a self-certification mechanism designed in 2016 as an approved means for transferring personal data from the EU to the U.S. It is one of three main methods for validly transferring EU data outside the European Economic Area, the others being BCRs and the Standard Contractual Clauses, aka the “EU Model Clauses”.
Please note that being Privacy Shield self-certified does not mean you are GDPR compliant. The Privacy Shield only addresses the validity of the transfer of the personal data of EU residents from the EU to the U.S., which is only one of the requirements of the GDPR. For more information please see our article “Is Privacy Shield GDPR Compliant?”
Processing
Anything done to personal data, including: collecting, storing, modifying, structuring, sending, using, accessing, and deleting.
Processing of personal data is lawful if it falls into one or more of the following six categories:
There are additional requirements depending on the quantity and quality of processing.
GDPR reference: Art. 4 §2
Processor or Data Processor
Whoever holds or processes data on behalf of a controller, but is not responsible for making decisions regarding such data.
For example, an organization, as controller, may outsource the processing of personal data to a third party for email marketing and engagement tracking, making the outsourced company the processor.
GDPR reference: Art. 4 §8; Art. 28 (subject to national derogations)
Profiling
Automated processing of personal data used to classify data subjects, or to make decisions or predictions about them. This can include simple classifications based on age, sex, or numerical categories (e.g., credit score), regardless of whether the classification is used for predictions.
Under the Article 22 exceptions, controllers may only use automated processing where:
Record of Data Processing Activities
Data controllers and data processors must maintain processing records. Controllers have more stringent requirements than processors.
Controllers must keep records of the following information:
Processors must keep records of the following information:
Organizations with fewer than 250 employees are not required to keep such records unless:
Regular & Systematic Monitoring of Data Subjects
An organization that engages in regular and systematic monitoring of data subjects must designate a DPO. This includes organizations that track and profile data subjects in a recurring and organized manner.
Examples of regular and systematic monitoring include:
GDPR reference: Art. 37 (subject to national derogations)
Right to Access
Data subjects have the right to know what data is processed about them. This information includes access to:
Right to Data Portability
One of the new rights of data subjects under the GDPR.
Data subjects have the right to request, receive, and share any personal data collected on them in an accessible, readable format.
Right to Erasure
AKA “Right to be Forgotten”.
One of the new rights of data subjects under the GDPR.
Data subjects have the right to request that data collected about them be erased. Controllers must also take reasonable steps to make sure that third parties with whom they shared the data erase it as well.
Data subjects may not exercise this right, and controllers are not required to erase such data, where processing is necessary to:
GDPR reference: Art. 17 (subject to national derogations)
Security of Processing
Controllers and processors should implement appropriate technical and organizational security measures around the personal data they process. These measures may include:
Pseudonymization: A data security measure where the identifying part of processed data is kept separately, so that the data cannot be connected to an identifiable person without that additional information (for example, a key or a lookup table held apart from the data set). Pseudonymized data is still considered personal data, subject to the GDPR, because it can be linked back to a data subject.
Encryption: A data security measure where data is transformed into a form that can only be read with a key. Encryption is considered one of the most secure data protection methods.
GDPR reference: Art. 32 (subject to national derogations)
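Added example (not part of the original Glossary, and not legal advice): a small Python program showing what the pseudonymization measure above looks like in practice. Direct identifiers (email, name) are replaced by a keyed token, and the token-to-identity lookup table is returned as a separate object that would be stored apart from the working data set. The records, field names, key, and function names are all constructed for this illustration. The point to take away is the one the Glossary makes: analytics still run on the pseudonymized rows, but anyone holding the separate table (or the key) can re-identify the person, which is why the rows remain personal data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (no real people): direct identifiers plus business data.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example", "order_total": 120.50},
    {"email": "bob@example.com", "name": "Bob Example", "order_total": 35.00},
    {"email": "alice@example.com", "name": "Alice Example", "order_total": 12.99},
]

# Fields that identify a person directly and must not stay in the working data set.
DIRECT_IDENTIFIERS = ("email", "name")


def make_token(key: bytes, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.

    A keyed construction is used rather than a plain hash so that a token
    cannot be matched to a guessed e-mail address without the key; the key
    is the 'additional information' the Glossary refers to.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key):
    """Split records into (pseudonymized rows, separate lookup table).

    The rows carry only a token plus business data; the lookup table maps
    each token back to the direct identifiers and is meant to be stored
    under separate technical and organizational controls.
    """
    rows, lookup = [], {}
    for rec in records:
        token = make_token(key, rec["email"])
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        row = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        row["subject_token"] = token
        rows.append(row)
    return rows, lookup


def reidentify(token, lookup):
    """Link a token back to a person; only possible with the separate table."""
    return lookup.get(token)


def contains_direct_identifiers(rows):
    """Check that no direct identifier field survived in the working rows."""
    return any(f in row for row in rows for f in DIRECT_IDENTIFIERS)


def totals_per_subject(rows):
    """Business use still works on pseudonymized rows: spend per (tokenized) subject."""
    totals = {}
    for row in rows:
        totals[row["subject_token"]] = totals.get(row["subject_token"], 0.0) + row["order_total"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: kept in a secrets store, not beside the data
    rows, lookup = pseudonymize(CUSTOMERS, key)
    print("working rows:", rows)
    print("spend per subject:", totals_per_subject(rows))
    first = rows[0]["subject_token"]
    print("re-identified with separate table:", reidentify(first, lookup))
```

Note that the same person yields the same token across records, which is what makes the rows useful for analytics and also what makes them linkable: pseudonymization reduces risk but does not take the data out of the GDPR.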
Sensitive Personal Data
AKA “Special Categories of Personal Data”
Sensitive personal data includes the following categories of data:
Processing of sensitive data is not prohibited if it falls under one of the Article 9 exceptions, which include:
GDPR reference: Art. 9 (subject to national derogations)
Standard Contractual Clauses
AKA “EU Model Clauses”
Approved language incorporated into contracts involving international data transfers to provide adequate safeguards for the data and the data subjects.
Standard Contractual Clauses are the most favored mechanism for a small business to validly transfer EU data.
This Glossary was written in collaboration with Monica Meiterman-Rodriguez