What are the requirements of GDPR?
Consumers in the EU are granted a set of consumer and consent rights that businesses must fulfill. If your business is subject to GDPR, here are the rights you’re legally obligated to enable consumers to exercises.
Data Subject Requests
Data subject requests (DSRs) are requests that users can make to exercise control over the personal information businesses collect on them.
Under GDPR, EU residents have the following consumer rights:
Right of Access | Consumers have a right to know if a company is processing their personal data, what personal data is being processed, for what purpose, and for how long. Consumers may also receive a copy of the data businesses collect on them. |
Right to Rectification | Businesses should also make it easy for consumers to correct inaccurate or incomplete personal data. One way to do this is by letting consumers update their information via the settings in their account profile. |
Right to Erasure (Right to be Forgotten) | Businesses are required to delete a consumer's personal data from their systems upon request from the user. |
Right to Restrict Processing | Consumers are allowed to request businesses to stop or restrict the processing of their personal data. This typically occurs if there are disputes about 1) the lawfulness of processing the data, or 2) the accuracy of the data collected. |
Right to Data Portability | Your business must be able to provide consumers with a copy of their personal data in a machine-readable format that other systems can process and display. Common formats include JSON, CSV, or XML files. |
Right to Object | GDPR gives consumers the right to object to their data being processed at any time for direct marketing, |
Automated Individual Decision-Making, Including Profiling | Consumers also have a right to not be subject to automated decision-making, including for the purposes of profiling. |
Under GDPR, your business is obligated to make it easy for consumers to exercise their privacy rights. Additionally, you must respond within one month of receiving a request, and can extend for an additional two months if the request is particularly complicated, or if the request volume is too high.
Consent Requirements
One example of a legal basis for processing users' personal data under GDPR is informed consent. Informed (opt-in) consent means that an EU citizen consents to have their personal data collected and processed by a business. Consent must be "freely given" for a specific purpose, and can be withdrawn at any time.
GDPR requires yoru business obtain explicit consent before processing certain types of user data. For example, before collecting and processing the personal data of a child (under 16 years old), your business must obtain consent from a parent or legal guardian.
Businesses are also required to obtain explicit consent before processing a consumer's sensitive data, which is personal data that reveals:
- Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- Genetic data and biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health or data concerning a natural person’s sex life or sexual orientation.
- To ensure your business is compliant with GDPR's data collection and processing requirements, make sure you’re providing EU consumers the ability to exercise their consent rights.
Violations and Enforcement
Each member state of the EU has its own data protection authority (DPA) to enforce GDPR.
For example, in Ireland, it's the Irish Data Protection Authority. In France, it's the Commission Nationale de l’Informatique et des Libertés (CNIL), and in Italy, it's the Garante per la protezione dei dati personali (the Garante).
DPAs can launch investigations on companies for privacy violations and issue fines. Depending on which articles of GDPR were violated, fines could range from 2% of annual global revenue or €10 million, whichever is higher, and up to 4% of annual global revenue or €20 million, whichever is higher.
GDPR also allows private right of action, meaning that EU citizens can directly lodge a complaint with the court over a business' privacy violations. Consumers also have the right to receive compensation from the controller or processor for violations and damages.
To avoid these fines, your business must respect EU citizens' privacy rights from above.