GDPR Compliance Explained in Simple Terms by an Attorney & Developer

This is a brief GDPR compliance guide for entrepreneurs, written by an EU-trained New York attorney and developer.

It provides an overview of the legal requirements for achieving GDPR compliance.

Key Takeaways
  • The General Data Protection Regulation (GDPR) applies to you if you have a business that processes personal data from EU/EEA residents, even if you operate from the US.
  • To comply with the GDPR, you must implement systems that allow users to give consent, access, correct, or delete their data, and more.
  • You also need to draft GDPR-compliant privacy policies to inform users of their data privacy rights and how you intend to use their personal data.
  • In certain cases, you also need to change your governance structure by appointing a DPO and training your employees on GDPR compliance.
  • If you don't comply with the GDPR, your EU/EEA customers can bring their case directly to the national authority, free of charge. The national authority has the power to fine you or prohibit your company from processing EU data.

Determine if you need to comply with the GDPR

Cases where you must comply with the GDPR

The GDPR applies to you if you are a business that processes personal data from natural persons residing in one of the GDPR countries.

Therefore, if you do anything with personal data from people residing in the EU or EEA, you need to comply with the GDPR requirements.

🔍 Personal data is any information that may directly or indirectly identify an individual (e.g., names, addresses, phone numbers, emails, IP addresses, biometric data…).

🔍 Processing personal data includes any action taken with that piece of information (e.g., collection, storage, tracking, sharing, deletion…).

For example, the GDPR applies to you if you are

  • an e-commerce website owner that sells products in GDPR countries,
  • an advertising agency that tracks EU/EEA users' behaviors through cookies,
  • a medical mobile application startup that stores EU/EEA patients' data, or
  • a blogger that collects EU/EEA-residents' emails.

⚠ Note though, that your GDPR compliance requirements vary based on your company's size and the kind of personal data you handle.

Some cases where you don't need to comply with the GDPR

You only collect personal data for personal use (not business)

The GDPR doesn't apply if you only process personal data for purely personal use (not business) (e.g., phone book or photo albums for purely personal use).

⚠ However, be sure to comply with general civil privacy laws in that case. Even though the GDPR doesn't apply, you'll obviously still need the person's permission before taking their picture in their home.

You don't have any EU/EEA-resident users

The GDPR also doesn't apply if none of the people whose data you process are EU/EEA residents.

⚠ With that said, note that the GDPR isn't the only data protection framework out there. There might be similar data protection laws in the countries whose residents' data you process, so always be sure to check with an attorney.

Some examples of GDPR equivalents in other jurisdictions include

  • The UK - Even though the UK is no longer part of the EU, it has adopted the UK Data Protection Act 2018 (or UK-GDPR), which mirrors the GDPR,
  • Switzerland - Switzerland has adopted its own data protection framework, the Federal Act on Data Protection (or FADP), which closely aligns with the GDPR,
  • California - In California, you have the California Consumer Privacy Act (or CCPA), which provides certain rights to consumers regarding their personal information,
  • New York - In New York, you have the SHIELD Act, while the New York Privacy Act (NYPA) is still under discussion and should be followed closely

How to ensure GDPR compliance?

Here is a quick overview of the legal requirements for compliance with some good practices.

Collect users' consent before processing personal data

The GDPR requires you to get users' permission before processing their personal data, meaning users must actively approve it first (aka, opt-in consent).

Under GDPR, users' consent must be informed, freely given, and not conditional upon receiving a service. Users also have the right to withdraw consent at any time, and this process must be easy. Additionally, certain types of personal data (e.g., data concerning children) are subject to extra GDPR requirements.

For example, on your checkout form, your customers should be able to buy a product without first having to agree to things like tracking cookies or marketing emails. They should be able to complete their purchase without extra steps or consent for things they don't need.

💡 Some ways to meet GDPR consent requirements include

  • Having a cookie banner or a data collection form with an optional checkbox that users can actively tick, kept separate from your services,
  • Using a double opt-in system where users first sign up, then confirm their consent via a confirmation email. This ensures only interested users receive communications. This method is more cumbersome, but it also reduces the risk of your emails landing in spam folders, is more secure and increases users' engagement

In any case, the wording of your consent request must be clear, simple and understandable by anyone. You must also inform users of their rights under GDPR (see GDPR privacy policies).

Be sure to keep records of the consent, as these can be requested by the national authorities in case of an inspection.
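The consent flow above (active opt-in, double opt-in confirmation, easy withdrawal and a record you can hand to an authority) in one small ledger. This is an added example, not code from the article or any real product; the purpose strings, the `policy_version` field and the token length are assumptions. Consent is only valid while it was given under the privacy policy version currently in force, so bumping the version forces fresh consent, matching the article's later point about policy changes.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    user_id: str
    purpose: str                 # e.g. "marketing_email" or "tracking_cookies" (assumed names)
    policy_version: str          # version of the privacy policy the user was shown
    given_at: datetime
    confirmed_at: Optional[datetime] = None   # set when the double opt-in link is clicked
    withdrawn_at: Optional[datetime] = None
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

class ConsentLedger:
    def __init__(self, policy_version: str):
        self.policy_version = policy_version
        self.records: list[ConsentRecord] = []   # append-only: nothing is ever deleted

    def record_opt_in(self, user_id: str, purpose: str, box_ticked: bool):
        # Only an affirmative tick counts; the form must never pre-tick the box.
        if not box_ticked:
            return None
        rec = ConsentRecord(user_id, purpose, self.policy_version,
                            datetime.now(timezone.utc))
        self.records.append(rec)
        return rec   # rec.token is embedded in the confirmation email link

    def confirm(self, token: str) -> bool:
        """Second step of double opt-in: a single use of the emailed token."""
        for rec in self.records:
            if rec.token == token and rec.confirmed_at is None and rec.withdrawn_at is None:
                rec.confirmed_at = datetime.now(timezone.utc)
                return True
        return False

    def withdraw(self, user_id: str, purpose: str) -> bool:
        """Withdrawal is one call with no conditions, as easy as opting in."""
        hits = [r for r in self.records
                if r.user_id == user_id and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = datetime.now(timezone.utc)
        return bool(hits)

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """Valid only if confirmed, not withdrawn, and given under the current policy."""
        return any(r.user_id == user_id and r.purpose == purpose and r.confirmed_at
                   and not r.withdrawn_at and r.policy_version == self.policy_version
                   for r in self.records)
```

Checkout never consults the ledger; only optional features such as marketing emails call `has_consent`, which keeps the purchase independent of consent.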

Personal data protection and cybersecurity

Once you have obtained users' consent, you are required to protect the personal data you collected. This GDPR requirement is even more important if you collect sensitive data (e.g., medical records).

That means that you must take proper measures to ensure that only the user and third parties authorized by the user have access to their personal data.

💡 Some ways to meet GDPR cybersecurity requirements include setting up

  • Regular cybersecurity audits,
  • Strong admin passwords for your databases to protect the personal data they hold,
  • Multi-factor authentication to prevent unauthorized access to the personal data you collected,
  • Encryption to handle and transmit users' data more securely,
  • A robust incident response plan that handles data breaches. This plan should include things like procedures for assessing and mitigating the risk of further breaches, and for notifying the users or authorities

Prepare GDPR Data Privacy Policies

Transparency is key when it comes to GDPR compliance. Before you collect personal data, you must provide users with a link to your Data Privacy Policy.

This policy should be written in simple, clear terms and updated whenever your intentions change. When that happens, you must notify your users and obtain fresh consent from them.

💡 Examples of information your data privacy policy must include

  • how personal data are collected, used, and shared with third parties,
  • what you intend to do with users' personal data,
  • users' rights under GDPR,
  • procedures for handling requests for access to and deletion of personal data,
  • data breach notifications

Be sure to check with an attorney to ensure that your Data Privacy Policy complies with GDPR.


Promote a company environment that encourages GDPR compliance

Building a company environment that supports GDPR compliance is key to protecting personal data and earning customer trust.

Small to Medium Company

Small to medium businesses (SMEs, fewer than 250 employees) aren't required to appoint a Data Protection Officer (or DPO) or to have employees who work independently and solely on ensuring GDPR compliance.

However, if your SME processes personal data, you are still required to comply with the GDPR and to make sure your employees understand the importance of data protection.

💡 To ensure GDPR compliance within your company, you could set up

  • Regular training sessions on GDPR,
  • Clear governance policies for data handling and accurate data maintenance,
  • Regular audits to ensure that your employees follow governance policies on data protection

Large Company

Bigger businesses, on the other hand, are legally required to appoint a DPO, whose role is to ensure that the organization complies with GDPR regulations.

This person must meet certain competence requirements and is in charge of monitoring data processing activities, employee training and liaising with national authorities.

Comply with specific GDPR requirements for special categories of data

Under GDPR, if you handle sensitive data (e.g., health information, racial or ethnic origin, sexual orientation…) there are additional rules you must follow.

You must obtain explicit consent before processing these categories of personal data and ensure that they are only processed under certain conditions (e.g., employment purposes, healthcare, legal claims, or significant public interest…).

You must also evaluate the risks associated with your processing activities, implement enhanced security measures to protect this information and establish strict access controls to ensure that only authorized personnel can access it.

When it comes to handling sensitive data related to children under GDPR, you must obtain parental consent before doing so. This means ensuring that the parent or guardian is fully informed about how their child's data will be used.

Additionally, you should take extra care to ensure that your privacy notices are clear and understandable for both children and their guardians.

Conclusion

GDPR is a legal obligation that helps your reputation

Staying ahead of GDPR compliance is a legal obligation and non-compliance can result in fines up to €20 million or 4% of the annual global turnover, whichever is higher. As of now, the biggest GDPR fine is €1.2 billion, imposed on Meta in 2023.

With that said, taking GDPR compliance seriously will also help you build trust with your customers and help you stand out in today's digital economy.

Data privacy laws can shift so perform regular audits

GDPR compliance audits aren't a one-time thing.

Data privacy laws, including GDPR, are continually evolving to keep pace with technological advancements and changing societal expectations. This dynamic landscape means that compliance requirements can shift, making it essential for organizations to stay informed and perform regular GDPR audits.

GDPR compliance is an ongoing obligation that requires continual assessment and adaptation.

Disclaimer: This article is written by Valine Mayer-Trinh, a New York attorney with an LLM degree from Cornell and master’s degrees in business and financial law from top French law schools.

While I strive to provide accurate and up-to-date legal information, this article is for general informational purposes only and does not constitute legal advice. This is a platform for me to express my thoughts and reading this article does not create an attorney-client relationship.

Although I have extensive education in French law, please note that I am only licensed to practice in New York, not Europe. The legal landscape is complex, new regulations may emerge, and the application of existing laws can vary depending on specific circumstances. Therefore, I strongly encourage you to consult with an expert and qualified attorney to address your specific legal concerns.
