GDPR stands for General Data Protection Regulation. It is legislation that aims to protect the privacy of all EU citizens. GDPR forces organisations to make major changes in the way they handle their customers’ personal data, affecting their business processes as well as their software. It’s a whole system of principles, rights and obligations which you will need to be familiar with. GDPR has applied since May 25th 2018.

GDPR has a very wide definition of personal data (more on that later). If you have a website at all, it’s very likely that you need to make some changes to it. Also note that GDPR is retroactive. This means that it applies to all customer data you’re storing and using, even if it was collected before May 25th 2018.

Technically, GDPR applies to everyone handling the personal data of EU citizens, even if they are not based in the EU. If you’re located outside of the EU and unsure if GDPR affects you, consult this knowledge base post.

Unlike the previous EU regulations regarding privacy (such as the legislation that required sites to show the annoying “This site uses cookies …” notifications), GDPR has “teeth” – and they’re sharp. If you fail to comply with GDPR, you can be fined up to 20 million euros or 4% of your yearly turnover, whichever is higher. So it’s clear that the EU is taking privacy and data protection very seriously.

Starting from May 25, your website visitors have certain new rights. To give you a very short overview that omits a million details: they can request a copy of all of their data you are storing, in both human- and machine-readable format. They can request that you delete all of it. You need to have a valid legal basis for gathering and using any data. Alternatively, you need to ask for consent for each purpose separately. Your customers must be able to withdraw the consent they’ve given at any time. And you are obliged to inform them of everything you do with their data, everyone you share their data with and all of their rights under GDPR.

Basically, a person’s personal data is always owned by that person. This means that they must have control over it (with some exceptions).

An important note is that if your website has comments or a contact form, it means that you are already storing someone’s personal data. Therefore, GDPR requires almost all website owners to take action.

Based on this summary, the situation might not look too bad. But as mentioned before, this is not the full list of rights and requirements.

GDPR also sets some new rules for your business in general. You need to keep a register of all data processing activities. You might need to appoint a Data Protection Officer. You need to have contracts with everyone you share customer data with. You cannot transfer customer data to anyone who does not comply with GDPR. Should a data breach occur (someone else gaining access to customer data, for example through a hacked website or an employee’s stolen laptop), you need to notify your local supervisory authority and possibly your customers. If you store a lot of data or work with sensitive data, you might be obliged to carry out a Data Protection Impact Assessment. And you are responsible for demonstrating to your supervisory authority that you’re GDPR-compliant.

I’m Not Located In The EU. Do I Need To Do Anything?

It depends.

  • Do you sell and ship products to the EU? Yes.
  • Do you offer a digital service (free or paid) that’s targeted at customers inside the EU? Yes.
  • Do you systematically process or process on a large scale the personal data of EU-based customers? Yes.
  • Do you offer a digital service that’s also used by EU-based customers, but you don’t actively target them? Maybe not.
  • Do you have a simple blog or website with comments that is not aimed at EU-based visitors? Probably not.

If you are still unsure, we recommend getting legal assistance, as this is a confusing topic.

Note that if GDPR applies to you, you may also need to appoint an EU-based representative.

In legalese

The scope of GDPR is defined like this:

Territorial scope

GDPR applies to businesses (both controllers and processors) both inside and outside the EU. If you are not located in the EU but offer goods or services to individuals in the EU or monitor their behaviour, GDPR applies to you too.

Material scope

If you process individuals’ personal data wholly or partly by automated means, and/or process personal data which forms part of a filing system or is intended to form part of a filing system, GDPR applies to you.

If your data processing falls into the scope, GDPR will most likely apply to you in the same way as it applies to EU-based companies.