A guide to GDPR data privacy requirements
The EU General Data Protection Regulation isn’t just about protecting sensitive information against hackers and leaks. The GDPR says just as much about data privacy. Here’s what businesses need to know about data privacy in the GDPR.
For organizations subject to the GDPR, there are two broad categories of compliance you need to understand: data protection and data privacy. Data protection means keeping data safe from unauthorized access. Data privacy means empowering your users to make their own decisions about who can process their data and for what purpose.
Below is a summary of the GDPR data privacy requirements. It may be helpful to first check out our GDPR overview to understand the GDPR’s general structure and some of its key terms.
GDPR data privacy
Chapter 3 of the GDPR lays out the data privacy rights and principles that all “natural persons” are guaranteed under EU law. As an organization, you are obligated to facilitate these rights. Failure to do so can result in penalties (see “GDPR fines”). Here’s a very basic summary of each of the articles under Chapter 3.
Article 12 — Transparency and communication
Read GDPR Article 12
You have to explain how you process data in “a concise, transparent, intelligible and easily accessible form, using clear and plain language” (see “privacy notice”). You must also make it easy for people to make requests to you (e.g., a right to erasure request, etc.) and respond to those requests quickly and adequately.
Articles 13 & 14 — When collecting personal data
Read GDPR Article 13
Read GDPR Article 14
At the moment you collect personal data from a user, you need to communicate specific information to them. If you don’t collect the information directly from the user, you are still required to provide them with similar information. These articles list the exact information you have to provide.
Article 15 — Right of access
Read GDPR Article 15
Data subjects have the right to know certain information about the processing activities of a data controller. This information includes the source of their personal data, the purpose of processing, and the length of time the data will be held, among other items. Most importantly, they have a right to be provided with the personal data of theirs that you’re processing.
Article 16 — Accuracy
Read GDPR Article 16
The accuracy of the data you process is only tangentially an aspect of data privacy, but people have a right to correct inaccurate or incomplete personal data that you are processing.
Article 17 — Right to erasure
Read GDPR Article 17
Also known as the “right to be forgotten,” data subjects have the right to request that you delete any information about them that you have. There are five exemptions to this right, including when processing their data is necessary to exercise your right to freedom of expression. You must make it simple for data subjects to file right to erasure requests. You can find a template for such requests here.
Article 18 — Right to restrict processing
Read GDPR Article 18
Read GDPR Article 19
Short of asking you to erase their data, data subjects can request that you temporarily change the way you process their data (such as removing it temporarily from your website) if they believe the information is inaccurate, is being used illegally, or is no longer needed by the controller for the purposes claimed. The data subject has the right to simply object to your processing of their data as well. Also important to note: If you decide to take any action related to Articles 16, 17, or 18, then Article 19 requires you to notify the data subject.
Article 20 — Data portability
Read GDPR Article 20
Remember that data privacy is the measure of control that people have over who can access their personal information. In line with this principle, the GDPR contains a novel data privacy requirement known as data portability. Basically, you have to store your users’ personal data in a format that can be easily shared with others and understood. Moreover, if someone asks you to send their data to a designated third party, you have to do it (if technically feasible), even if it’s one of your competitors.
Article 21 — Right to object
Read GDPR Article 21
Data subjects have the right to object to you processing their data. You can only override their objection by demonstrating the legitimate basis for using their data.
Final thoughts on data privacy
As you can see, the data privacy principles of the GDPR are fairly straightforward. The law asks you to make a good faith effort to give people the means to control how their data is used and who has access to it. To facilitate this, you must transparently and openly provide them with the information they need to understand how their data is collected and used. And you have to make it simple for your customers and users to exercise the various rights (of access, of erasure, etc.) contained in Chapter 3.
Check out our GDPR compliance checklist, which is another resource to ensure your organization is meeting the standards set out in the GDPR.