What Is the General Data Protection Regulation? How to Maintain GDPR Compliance

What Is GDPR?

I fondly remember the great GDPR email apocalypse of 2018. It was May 28 and half of my LinkedIn network was getting bombarded with emails asking for re-permissioning and outlining privacy policy updates. It was also the first time I really understood the importance of managing user data and how one acronym can radically change that.

The thing is, GDPR (aka General Data Protection Regulation) is an EU law that controls how entities in and outside the EU process and protect the personal data of its residents. Massive in scope, it arguably represents the pinnacle of privacy and security regulation in the world.

But while it’s fundamentally focused on the European Union, GDPR goes well beyond its borders. More importantly, it extends across the pond, where U.S. businesses operating worldwide have a particularly keen interest — and often a problem — with it. I’m pretty sure the latter is why you’re reading this article, and I promise you some relief.

GDPR: The Basics

On a rudimentary level, GDPR aims to grant individuals greater control over their information by establishing a robust data protection framework. Digging a bit deeper, the law specifies appropriate ways to transfer and process personal data, protections for said personal data at rest and in transit, and the rights every EU resident has when it comes to the collection, use, and storage of their personal data.

All of the above is based on seven GDPR principles:

  1. Lawfulness, fairness, and transparency: collecting and processing data with a valid legal basis, in the best interest of the individual whose data is at stake, while being clear about what, why, and how you process their data.
  2. Purpose limitation: processing personal data only for the originally intended purpose.
  3. Data minimization: gathering and processing only the data actually required for the purpose.
  4. Accuracy: processed data must be correct and up to date, while inaccurate data must be erased.
  5. Storage limitation: not storing personal data that is no longer of use for the intended purpose.
  6. Integrity and confidentiality: making certain that personal data is correct, can’t be manipulated, and that only those who are processing it have access to it.
  7. Accountability: being responsible for proper processing of personal data and compliance with GDPR directives.

As you may have noticed, I used ‘personal data’ a lot. It’s one of the GDPR’s defining terms, referring to any information relating to an identifiable human being (bear with me through legalese).

In a nutshell, this information is divided into direct identifiers, which are unique data points such as your name or credit card number, and indirect identifiers like hair color, date of birth, and anything else you and I might have that isn’t unique to either of us.

GDPR’s Impact on Websites and Web Hosting

For better or worse, there is no shortage of ways a website tracks you online. A cookie in its first- and third-party iteration remembers your login details and various preferences. A tracking pixel identifies you even after you move on to another site. Device or machine fingerprinting collects information such as hardware and browser used, geographic data, and IP address to precisely identify you.

Hence, it’s clear that the uber-strict regulation of this area puts hosting providers right smack in the center of attention. They are now held to higher standards and have a far broader responsibility than providing server space, management, and all that jazz.

With GDPR in tow, web hosts must provide the infrastructure and tools to protect sensitive data and meet compliance requirements.

That said, it would be wrong to pawn off everything to them. Web owners have to pull their weight too here. Heck, they’re the ‘data controllers,’ as GDPR so affectionately calls them, responsible for how they handle and secure data collected through their websites.

So, it’s a shared responsibility between hosting providers and website owners. The former provide a secure environment, while the latter are in charge of data and applications within that environment (much like the landlord-tenant relationship).

Key GDPR Requirements for Websites

With such rigorous data protection, there are quite a few things to keep up with. Here are the essentials:

Lawful Data Collection and Processing

Going by the first GDPR principle, you need to have a lawful basis for each data collection and processing activity.

This includes:

  • The data subject has given their consent
  • To meet contractual obligations
  • To comply with legal obligations
  • To protect the data subject’s vital interests
  • Tasks in the public interest
  • Your own or a third party’s legitimate interests

Most of these are fairly straightforward and don’t require explanation. The interesting one is legitimate interest, which can cover almost anything. Basically, a good enough reason will do, but you need to rationalize it thoroughly in your documentation.

Typically, the basis applies when there is a clear benefit to a data subject or when they reasonably expect their data to be used in the way you use it.

In essence, you can process employee or client data, or do direct marketing (it says so in Recital 47). From GDPR’s point of view, fraud prevention and network and information security are types of processing considered legitimate interests.

The most common option is consent-based data processing, where the data subject freely and clearly gives you permission. That means a genuine choice for the data subject to deny or withdraw consent, as well as an explanation of what data is processed, how, and for what purpose.

Examples range from clicking on an opt-in button or link to signing a paper consent form and even dropping a business card — anything that requires a clear, positive action from the consenter.

Privacy Policies and Transparency

The bottom line here is that you have to be super clear about every detail, no matter how small.

Hence, your privacy policy has to be:

  • Written in plain, understandable language
  • Concise, transparent, and easily accessible
  • Delivered at the time of collection

A GDPR-compliant privacy policy must include who you are, what personal data you collect, why and for how long, how you use it, if you share it with any third parties, and what safeguards you have in place to protect it.

For instance, cookies are considered personal data under GDPR since they can identify users. Hence, you need to provide cookie consent notices and tracking disclosures on which cookies and trackers are in operation on your site, as well as why they are there and what they’re doing.

Data Security Measures

As a data controller, you are required to handle personal data securely by implementing “appropriate technical and organizational measures”. Don’t worry, GDPR goes into specifics on what it considers appropriate, listing encryption and pseudonymization (replacing identifying fields with stand-in values that can’t be attributed to a person without additional information kept separately) as the first measure.

Your job is also to employ robust access control mechanisms to protect stored data from unauthorized entry and restore access to it in case it becomes unavailable. Whatever systems you’re using, they need to be resilient and consistent in terms of data integrity.

All of this should be supplemented with regular testing, updates, and monitoring to maintain the highest possible effectiveness of said measures.

Data Subject Rights

Harmonizing data protection laws across the EU, GDPR expanded on existing and introduced new rights and freedoms of EU citizens. These are:

  • Right to be informed: Allows individuals/data subjects to know what personal data is collected about them, how, why, who is collecting it, for how long, how they can file a complaint, and if there is data sharing involved.
  • Right to access: Individuals can request a copy of the data being processed, along with information on related processing activities (purpose, sharing, duration of processing, etc.).
  • Right to rectification: Permits individuals to request the update or correction of any inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”): Individuals can request the deletion of their data when it’s no longer needed, consent is withdrawn, or data is unlawfully processed.
  • Right to restriction of processing: Individuals have the right to restrict or limit the processing of their personal data.
  • Right to data portability: Should they so choose, individuals can obtain a copy of their personal data or have it transferred to another organization.
  • Right to object: Allows individuals to oppose the processing of personal data for purposes they don’t approve of.
  • Rights in relation to automated decision-making and profiling: Concerns scenarios where processing is performed without human involvement. Individuals can object to the processing of data or demand intervention.

While some exceptions exist (e.g. processing based on explicit consent or authorized by law), any violations or infringements are severe. We’re talking the upper limit of 20 million euros (over $21.65 million) or 4% of the business’ worldwide annual revenue from the preceding financial year — whichever is higher.

Data Breach Notification Requirements

In case you get the short end of a data breach, you are required to report it to a supervisory authority — the official body of each EU member state that oversees and regulates the application of GDPR. You have 72 hours to do so from the time you become aware of the unauthorized access.

Meanwhile, you have to communicate the unfortunate event to the affected data subjects by explaining what happened, the possible consequences, and the proposed or taken remediation measures. In addition, your obligation is to document the breach, including the facts of the matter, its impact, and the actions taken to rectify the situation.

GDPR Compliance for Web Hosting Providers

Following the same GDPR principles as website owners, hosting providers have specific things to deal with as part of their shared responsibilities.

Let’s start with Data Processing Agreements (DPAs — not to be confused with data protection authorities) with website owners. These legally binding documents define the obligations and responsibilities of both sides when it comes to personal data processing, security, and compliance.

Web hosting providers and website owners must work together to reach and maintain GDPR compliance.

Then, there’s the matter of hosting data in GDPR-compliant regions. Luckily, it’s not a case of “EU good, non-EU bad” since GDPR doesn’t outright forbid moving data outside the EU (though to be fair, having an EU-based data center is certainly an advantage).

However, it sets stringent conditions, such as having specific contractual clauses or ensuring that the receiving country has appropriate data protection laws.

The word ‘appropriate’ is routinely used throughout GDPR, including ‘appropriate safeguards’ referring to the famed “technical and organizational measures” to preserve personal data. Here, it’s crucial for hosting providers to employ encryption for data in transit and at rest as part of GDPR’s emphasis on “data protection by design and by default.”

Similarly, backup policies are vital in ensuring the “availability and resilience” of personal data, as discussed before. Having backups ready also takes care of a scenario where a data subject exercises their right to rectification of data.

Steps to Make Your Website GDPR-Compliant

Due to its encompassing nature, some web owners can’t be bothered to comply with GDPR and find it easier to cut their losses by geoblocking users. Oh, well. But if you’re not cut from the same cloth, here’s how your site can become GDPR-compliant.

Conduct a Data Audit

First on the agenda is getting to know all your data collection points. Forms are obvious since they capture registrations, checkouts, search queries, and the whole nine yards, but don’t forget the more subtle ones like live chat and files uploaded by users themselves.

Then, there is an entire category of automatically collected data that includes referral URLs, browser information, and analytics data, in addition to the usual suspects that are cookies and tracking pixels.

The same logic applies to third-party integrations. Check whether your social media plugins, marketing tools, and whatnot collect data beyond what’s strictly necessary. It’s not unheard of for them to employ embedded tracking technologies (e.g., third-party cookies, web beacons) that collect data without users’ explicit consent.

Implement Proper Consent Mechanisms

Now that you know all the sources of your steady streams of data, you have to raise your consent game. I’ll take an educated guess and assume that your site uses some type of cookies, for which you’ll need a cookie consent banner. It informs your users about the cookies and trackers your site uses and asks for their consent to store cookies on their devices.

Now, there are two main types of cookie consent banners: opt-in and opt-out. Opt-in consent means that the visitor must explicitly allow the website to use cookies by selecting an affirmative option, whether by clicking ‘Allow’, ‘Confirm’, or a similar button or by ticking a checkbox. The opt-out version accepts all permissions automatically, but the visitor has the option to refuse them in similar fashion.

Oh, and don’t forget about email. If you use an email marketing platform to send out any communication, you need permission from your users to send the emails. Once more, an opt-in or opt-out mechanism will get the job done.
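The opt-in mechanism described above, as an added example that is not part of the original article: nothing beyond strictly necessary cookies runs until the visitor takes an affirmative action, consent can be withdrawn, and each decision is recorded. The category names, the list of accepted actions and the policy version string are assumptions made for this demo; it is written as plain JavaScript so it runs outside a browser.

```javascript
// Added example, not the article's code: an opt-in consent gate for trackers and
// email marketing. Category and action names are assumptions made for this demo.
const CONSENT_CATEGORIES = ['analytics', 'marketing', 'email'];
// Only a clear, positive action may reach grant(); pre-ticked boxes, scrolling
// or timeouts are never passed in as an action.
const AFFIRMATIVE_ACTIONS = new Set(['click-allow', 'tick-checkbox', 'submit-form']);

class ConsentManager {
  constructor(policyVersion) {
    this.policyVersion = policyVersion; // which notice the visitor saw
    this.granted = new Set();           // opt-in: nothing granted until the visitor acts
    this.waiting = [];                  // trackers held back until consent arrives
    this.records = [];                  // audit trail (accountability principle)
  }
  allowed(category) {
    return category === 'necessary' || this.granted.has(category);
  }
  // Register a tracker loader; it runs now only if its category is allowed.
  register(category, loader) {
    if (this.allowed(category)) loader();
    else this.waiting.push({ category, loader });
  }
  record(action, categories, via) {
    this.records.push({ action, categories: [...categories], via,
      policyVersion: this.policyVersion, at: new Date().toISOString() });
  }
  grant(categories, via) {
    if (!AFFIRMATIVE_ACTIONS.has(via)) throw new Error(`${via} is not an affirmative action`);
    for (const c of categories) {
      if (!CONSENT_CATEGORIES.includes(c)) throw new Error(`unknown category ${c}`);
      this.granted.add(c);
    }
    this.record('grant', categories, via);
    // Release the held-back trackers whose category is now allowed.
    this.waiting = this.waiting.filter(e => {
      if (!this.allowed(e.category)) return true; // keep waiting
      e.loader();
      return false;
    });
  }
  // Withdrawing must be as easy as granting: future loads stop here, and the
  // caller is responsible for tearing down anything already running.
  withdraw(categories = CONSENT_CATEGORIES) {
    for (const c of categories) this.granted.delete(c);
    this.record('withdraw', categories, 'click-withdraw');
  }
}
```

An opt-out banner would be the same class with `granted` pre-filled from `CONSENT_CATEGORIES`, which is exactly why the page recommends the opt-in form.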

Update Privacy Policy and Terms of Service

As integral parts of your website, your privacy policy and Terms of Service must cover in detail how you obtain, use, store, and disclose the personal data of your visitors, along with their rights and your obligations.

Everything must be clear and understandable (‘explain it to me like I’m 5’ vibe) so that a layperson knows what’s going on.

Specific details and plain wording aside, your new and improved privacy policy and ToS pages also need to be easily accessible. A link on every page (even the ones where no personal data collection happens) will do the trick.

Strengthen Data Security

The most straightforward choice is to go for (or switch to) a GDPR-compliant hosting provider that has both physical and digital protection of servers down to a T.

On your part, you can install an SSL/TLS certificate to encrypt traffic between visitors and your server, and add an extra layer of protection by installing security plugins (remember, they need to be GDPR-compliant too) that come with malware scanning, two-factor authentication, and security auditing (very helpful), to name a few things.

You can also erect a cloud-based web application firewall (WAF) to block malicious traffic and filter out suspicious requests.

Handling User Data Requests

It’s possible you’ll encounter a data subject access request (DSAR) at some point. In this case, a user wants access to the personal data you have gathered about them so they can have it rectified, deleted, or provided in a portable format.

You must first verify the identity of the person making the request. If everything is A-OK, you have one month to respond and securely provide the information in an accessible and intelligible format.

You can up the level of efficiency, accuracy, and consistency (not to mention save quite a bit of time) by automating the initial intake, verification, and tracking of DSARs. For even more automation, a consent management platform might be the answer.

Common GDPR Compliance Mistakes to Avoid

GDPR’s complexity, combined with the nuances of data processing, creates numerous pitfalls — perhaps none more than these:

  1. Relying on implied consent instead of explicit consent: Don’t assume anything. GDPR literally mandates “explicit consent” — pre-ticked boxes, silence, or inactivity are not it.
  2. Not updating privacy policies and cookie notices: More often than not, this means outdated information, missing details about data processing, or a lack of transparency.
  3. Ignoring third-party services that process user data: Businesses tend to predominantly focus on internal data processing, neglecting that they’re responsible for data being processed by third parties.
  4. Failing to have a DPA: Web hosts are considered data processors as they process personal data on behalf of controllers, so the two parties must enter into a DPA.

Remember: GDPR compliance is far from a done deal — it’s an ongoing process.

Tools and Resources for GDPR Compliance

The good news is that there is plenty of help on your path to GDPR excellence. You can use GDPR compliance checklists, often provided by cybersecurity companies, to systematically evaluate and make sure you adhere to the regulation.

There are also cookie consent management tools like Cookiebot and OneTrust that are specifically designed to help handle data privacy regulations, particularly concerning the use of cookies and other tracking technologies.

You also have various data encryption and security tools that take care of the “integrity and confidentiality” parts of GDPR.

Reaching and Maintaining GDPR Compliance

The struggle to become and remain compliant while keeping the business in motion is the stuff of legends. And with GDPR, the circumstances irrevocably changed. Its heavily legal language and explanations can be too much at times (it is a law, after all), though its “heart” is in the right place.

Fret not, I say. Everything you’ve read so far hinges on attention to detail and a commitment to data protection. Those will undoubtedly see you through.