NOTE: The information in this document is for guidance only. It’s not meant as a substitute for a consultation with an attorney for your specific business needs and circumstances.
Let’s look at what GDPR is and what you need to do.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new law designed to protect the privacy of consumer data. While created by the European Union (EU) for its citizens and residents, it also affects American businesses and any organization or business that interacts in any way with EU or UK residents. Previous privacy protections undertaken by the EU were limited to companies with locations in Europe. GDPR goes much further, potentially affecting even small American businesses with a single location within the United States.
This change in territorial scope is a major shift from the Europe’s prior privacy law. The 1995 EU Data Protection Directive, which was mostly limited to EU member nations.
All 28 EU member nations have adopted GDPR, plus the United Kingdom and European Economic Area, which is a free trade zone between the EU and the European Free Trade Association. EEA members are Iceland, Norway and Liechtenstein.
Israel and New Zealand have struck deals with the EU to ensure that their data protection rules match GDPR standards to allow information to flow easily between the countries. Argentina has pending data protection reforms that will make it mostly equal to the EU’s new rules. Japan passed a free-trade agreement with the EU in 2017 as well as reforms to mirror the EU’s existing standards. It’s awaiting an adequacy decision to ensure Japan meets the EU’s requirements.
Other nations, ranging in size from Columbia to the tiny island of Bermuda, are revising their domestic data protection legislation, sometimes copying the GDPR rules closely. Those countries include Andorra, Canada (in a limited fashion so far with opportunities to revise them further in 2022), the Faroe Islands, Guernsey, the Isle of Man, the Isle of Jersey, South Korea, Switzerland and Uruguay.
How does GDPR protect consumers?
GDPR creates a uniform set of regulations to protect consumers by:
- strengthening consumer rights
- requiring better systems for data processing and storage
- creating a broad jurisdiction for the regulations
- introducing strong penalties for non-compliance
- setting mandatory breach notification rules
- creating specific protection for children
Why is GDPR being implemented?
Technology tends to outpace privacy law updates, especially within the United States. The EU has argued that companies have taken advantage of that, to the detriment of consumers. GDPR is an effort to bring regulations up to date with website electronic data collection and processing practices, and to protect the privacy rights of Europeans from any website, regardless of its geographical source.
The fundamental difference between American and European privacy laws is that the United States tends to favor business and corporate needs over the rights of the consumer. The EU, by contrast, focuses on consumer privacy rights first, and has worked through various regulations over the years, such as the Safe Harbor agreement with the United States, the Protection of Privacy and Transborder Flows of Personal Data, and the Data Protection Directive.
Google, for example, has fought with the EU over privacy rights, including losing the Costeja case. In that decision, the Court of Justice of the European Union ruled that the “right to be to be forgotten” – more on that below – is a human right.
Why should I care about GDPR?
Unless you completely block all EU residents from interacting with your website, GDPR also applies to websites owned by companies outside the EU, which is why American companies need to comply. GDPR is the latest evolution in a process that has been going on for years to protect personal data.
GDPR is designed to protect European consumers from companies of all sizes, especially ones like Google with a long reach, give them greater control over their personal information and how it’s used. GDPR also gives businesses a legal environment that is more clear and easier in which to operate. The EU estimates that this will save businesses 2.3 billion Euros a year.
So, if your website collects data from visitors and customers such as:
- phone numbers,
- email addresses,
- IP addresses, etc.
You either have to comply with GDPR guidelines or, after purging records from EU citizens and residents from your database, you must completely block European citizens from accessing your website. Compliance is the easier path in most cases, especially since more and more countries are passing laws mimicking the GDPR standards. Plus, in today’s climate, the GDPR guidelines can foster greater trust between you and your prospective clients and established customers.
GDPR is also retroactive, meaning material you already collected is not exempt from the regulations. You also might have to get permission again for the material you already have.
Does this European regulation really affect my American business?
Yes, it does. GDPR affects businesses of all sizes if you have even a single European citizen or resident in your database. Since that could include a European subscribed to your newsletter via a Gmail address, you might have European data without realizing it. No one is exempt so you either have to comply or purge records of EU citizens from your database in accordance with GDPR guidelines and then block all European users from all future interaction, which might be difficult if, for example, it’s a European citizen living in the U.S. and using a Gmail address.
GDPR also regulates cross-border data transfers so if you receive Personal Data from or transfer Personal Data to an organization within the EU, your company must comply with GDPR rules.
Other countries are also passing their own privacy laws. Some of them mirror GDPR’s language exactly, especially in regard to jurisdiction and penalties.
Additionally, on April 10, 2018, inspired by GDPR, U.S. Senators Edward J. Markey (Massachusetts) and Richard Blumenthal (Connecticut) introduced a “privacy bill of rights” to protect American consumers’ personal data. As of this writing, the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act is in the early stages of the legislative process so much of it could change. While it’s not as thorough as GDPR, it would require the Federal Trade Commission (FTC) to set privacy protections for users of online services.
My business has less than 20 employees. Am I exempt from GDPR?
No, GDPR does not issue any exemptions based on company size. If you have even one EU resident or EU citizen in your database, email list, purchase list, etc., you must comply with GDPR regardless of the size of your company.
Large companies might have additional requirements, like having to appoint a Data Protection Officer, but small companies that have collected, or could collect, Personal Data from EU citizens are still subject to GDPR regulations.
We don’t sell products/don’t charge for services/only offer a free newsletter. Are we exempt from GDPR?
No, lack of payment doesn’t matter. GDPR regulations apply to companies that offer products or services to EU residents and citizens, or collect data from EU residents and citizens whether payment is made or not.
Can I ignore GDPR? What are the odds the EU will notice my company?
Your company may not be a priority for a EU audit, but if a EU citizen or resident files a legitimate complaint, you would be subject to GDPR regulations and its penalties. You might even be subject to a civil suit separate from the GDPR penalties.
Prior privacy laws had fines that were not deterrents to large companies like Google, Facebook, Microsoft, etc. GDPR solves that problem by making its fines 10 million Euros or 2 percent of the company’s worldwide annual revenue of the prior financial year for lesser fines and 20 million Euros or 4 percent of the company’s worldwide annual revenue of the prior financial year for major infractions, whichever is greater in either category of fine. By being scalable, it’s a deterrent to even large companies. For small companies, the 10 million Euros or 20 million Euros option is just as bad.
What do I need to know about GDPR?
The TL;DR version is that if a business or website collects, stores or uses any data related to an EU citizen or resident, the business or website must:
- Clearly and plainly tell users who you are, why you’re requesting that data, who accesses it and how long you’ll hold onto that information
- Get clear consent for the data collected and not request more data than is necessary for the reason cited
- Allow users to access their data and move it if desired
- Allow users, upon request, to have their data deleted completely
- Notify users of data breaches in a timely manner
That’s the super short version. Below is a more thorough explanation of what you need to know about GDPR and how it will affect your organization.
OK, so I have to deal with it. How do I comply with GDPR?
GDPR has several components, plus very specific terminology. Each component of GDPR will be addressed separately for ease of use and understanding.
Personal Data, Consent, & Processing
The first thing you need to determine is whether you are a Data Controller, Data Processer or both. Then you need to understand what Personal Data is under GDPR and how it defines “Consent” and “Lawful Processing” because all five items work together, followed by penalties and how to handle data breaches.
Data Processors and Data Controllers
GDPR has two categories for the type of organization that handles consumer Personal Data – Data Controllers and Data Processors. Some businesses might be both. Each category has its own responsibilities.
What are examples of Data Processing?
- Sending promotional emails
- Managing staff records and payroll
- Posting a photo of a person on a website or social media (yes, even employee photos)
- Shredding Personal Data documents
- Using CCTV video monitoring of your premises
- Storing IP or MAC addresses
Typically, the business or organization is the Data Controller. Then, depending upon the circumstances, they either process the data themselves or, more commonly, use a third-party service for Data Processing. An organization can also be the Data Controller for one set of Personal Data and the Data Processor (or both controller and processer) for another set of Personal Data.
Under GDPR (and the UK’s Data Protection Act), a Data Controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and mean of processing personal data.” In more simple terms, the Data Controller decides what Personal Data is collected and processed by an organization, and why.
- Must have a data protection policy
- Should have a Data Privacy Officer
- Ensure that Personal Data is only collected and processed in accordance with GDPR regulations for Consent and Lawful Processing
- Guarantee that Personal Data is only processed in accordance with the reason given when it was collected. For example, data collected as part of a subscription to an email newsletter shouldn’t be sold off to other companies for unrelated marketing efforts.
According to GDPR, a Data Processor is a “person, pubic authority, agency or other body which processes personal data on behalf of the controller.” A Data Processor stores and processes Personal Data on behalf of a Data Controller, such as a payroll service for employers or an email list service a business might use to manage contact with their customers and an email newsletter.
- Must maintain Personal Data records, including information on how it is processed and stored
- Must maintain secure systems to keep Personal Data private and safe
- Are responsible for breaches
- Must notify the Data Controller of the breach as soon as it is detected so they can work with you during the GDPR-mandated notification period to alert the data subjects of the breach
These definitions are basically the same as those used in the 1995 EU Directive. If you qualified as a Data Controller or Data Processor under those regulations you will probably still be a Data Controller or Data Processer under GDPR.
Certain activities are exempt from GDPR such as processing:
- covered by the Law Enforcement Directive
- for national security work
- done by individuals solely for personal and/or household activities
GDPR imposes specific legal obligations on Data Processors. For example, Data Processors responsible for a breach have legal liability for it. You also must maintain records of Personal Data and processing activity. If a Data Processor is not GDPR compliant then any Data Controllers who use that service are not compliant as well.
Data Controllers must have a written contract with the Data Processor and are required to ensure that their contracts with Data Processors comply with GDPR. Not doing so is a legal breach. The contract must include:
- The nature and purposes of the processing
- The types of Personal Data that will be processed
- Whether special categories of data will be involved and the protections for it
- The rights and obligations of both parties in the contract
- The Data Processor must receive the consent of the Data Controller before using sub Processors
- The Data Processor must have adequate security in place
- If there is an inquiry, the Data Processor must cooperate with the appropriate Data Protection Authorities
- Data breaches must be reported to the Data Controller immediately
- The Data Processor is required to help the Data Controller manage the aftermath and consequences of data breaches
- Processes to handle data breaches are detailed within the contract
- The Processor must help the Controller copy with GDPR regulations for the rights of data subjects
- The Processor should have a Data Protection Officer
- Records documenting processing activities must be maintained by the Processor
- Data Processors must comply with EU trans border information transfer regulations
- Mechanisms for the Data Processor to cooperate with the Data Controller and Data Protection Authorities
- The Data Processor must have appropriate security in place to protect the data
- If processing instructions from the Data Controller violate GDPR regulations the Data Processor must notify the Data Controller immediately so a GDPR-compliant solution can be found
- The contract includes appropriate confidentiality clauses
- At the end of the contract, the Data Processor must delete or return all Personal Data to the Controller, depending upon the Controller’s preference.
I use third-party Data Processing services. Does that let me off the hook with GDPR?
No, you still have responsibilities, such as:
- Not requesting more information from prospective clients and customers than you actually need to fulfill whatever you are promising them
- Ensuring that the third-party service you’re using is GDPR compliant
- Having a GDPR-compliant contract with any third-party processor you use
- Ensuring that all Personal Data is deleted thoroughly once its purpose is no longer required to serve the consumer
Privacy by Design and Privacy by Default
In addition to everything else, GDPR requires that organizations use “Privacy by Design” and “Privacy by Default.” Protecting Personal Data “by design” means that GDPR privacy regulations must be taken into account throughout the entire process of designing data flow processing procedures. For example, they cannot ask for more data than is needed to fulfill the request, they must document internally which departments and third-parties have access to the data and limit that access to only those that need it to fulfill the request, they must use adequate data security procedures and encryption, etc. Pseudonymization and Anonymization (NOTE; MAYBE ADD LINK TO THE PSEUDONYMIZATION AND ANONYMIZATION SECTION FURTHER DOWN) are often components of privacy by design.
Protection by default means that the most privacy compliant choice is the default setting when you collect and process data. For example, a social media platform should set a new registrant’s account to the highest privacy setting by default and allow the user to make changes rather than defaulting to the most open setting. According to privacy by default, organizations should minimize the data they request. Privacy by default can actually improve the trust factor with your customers so it shouldn’t be seen as a burden.
What is Personal Data?
GDPR protects an individual’s personal information. The definition of “personal information” and how it is controlled is quite different under GDPR than American companies are accustomed to. American privacy regulations typically refer to Personally Identifiable Information (PII), which includes things like:
- credit card numbers
- home addresses
- birth date and location
- driver’s license numbers, etc.
GDPR instead uses the term “Personal Data” and gives it a much broader definition for tighter security and to be more adaptable to changing technology uses.
Officially, GDPR Article 4(1) defines “Personal Data” as:
“ ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
In practical terms, Personal Data includes everything from PII plus additional categories such as:
- Email addresses
- Location data
- Login information
- Behavioral data
- Biometric data
- Vehicle identification numbers (VIN)
- And more
Under GDPR, even cookies can qualify as Personal Data because it recognizes that people can be identified through their devices and related technology because they can leave trace material that can be combined with unique identifiers to identify and create profiles of individuals.
Personal Data identifiers in technology include:
- Cookie identifiers
- Internet Protocol (IP) addresses
- Radio frequency identification tags
- Customer numbers held in a cookie
- Unique device identifiers
- A processor or device serial number
The GDPR definition of Personal Data also covers how information combines for identification purposes so an extremely common name like “John Smith” by itself might not be considered Personal Data because it’s so common, but when combined with data that also seems too broad to be personal, such as a city and birth year, it becomes identifiable.
Names aren’t even required for something to be considered Personal Data. A phone number can qualify by itself. Due to the broad definition of Personal Data in GDPR, most services, online product sales, memberships, etc. will fall within GDPR’s scope.
Even more importantly, GDPR flips the definition of information ownership. PII and American standards tend to view data as being owned by the company that has collected it. Under GDPR guidelines, individuals own their own data and have a right to control how it is used.
For example, let’s say you have Greta O’Malley’s email address in your database because she signed up for your free newsletter. Greta has also previously purchased products from your business so you also have her mailing address, full name, and purchase history, and maybe payment information was also saved to her file. Greta asks to be removed completely. In the past, she’d be unsubscribed from your email list, but if you had already added her information to a custom audience for ad targeting, remarketing campaigns, etc., those entries could remain, and it could sometimes be shared with your business partners. You also could have kept Greta’s order history and any preference or behavioral information indefinitely. GDPR’s regulations don’t allow that.
GDPR allows customers to request copies of their records, request corrections to that record or ask that the record be purged completely, giving them total control over their data. Also, companies must ask for permission when service changes affect a person’s data. Permissions are not indefinite or broad.
GDPR is also technology neutral so it applies to records in an electronic database as well as paper records.
What is Special Category Data?
Under GDPR, some types of Personal Data are so sensitive or have such significant risks for an individual’s personal safety or subject them to unlawful discrimination that it is labeled “Special Category Data” and either prohibited or strictly limited and regulated. Special Category Data requires a lawful basis for process, much like Personal Data, and it must satisfy one of 10 conditions listed under GDPR Article 9.
The type of lawful basis for consent can be cited separately from the Special Category conditions that apply. For example, if you use “consent” as your lawful basis for processing you are not tied to “explicit consent” or “public disclosure” for your Special Category conditions.
Special Category Data includes:
- Racial origin
- Ethnic origin
- Politics and political affiliation
- Religious or philosophical beliefs and memberships
- Trade-union membership
- Sex life, sexual orientation, and sexual preferences
- Biometric or genetic data that reveals the specific identity of a person or is used for ID purposes
However, it’s not always forbidden. Special Category Data can be processed when:
- EXPLICIT CONSENT is given for that specific data – unless prohibited by law that cannot be overruled by the individual
- EMPLOYMENT – Legal obligations by the controller in regard to employment, social security, etc. require it as per EU or member country law.
- MEMBER ORGANIZATIONS – Legitimate activities by a non-profit organization for the purpose of the political, philosophical or trade-union group so long as the processing relates solely to members of the organization, former members (if they haven’t requested erasure) or people who have connection to it for the organization’s purposes and that the Personal Data is only disclosed outside of the group with the consent of the data subjects.
- VITAL INTERESTS – It is necessary to protect the vital interests of the data subject or another person when the data subject is physically or legally incapable of providing consent.
- PUBLICALLY DISCLOSED DATA – The individual has already made the Personal Data public
- LEGAL PROCEEDINGS – The Special Category Data is needed to establish, exercise or defend legal claims or necessary actions by courts to fulfill their judicial duties
- PUBLIC HEALTH – It is required for public health needs, such as ensuring standards of health care safety and quality or to protect against serious cross-border health threats, as per EU or member country law.
- RESEARCH – Archiving is needed for substantial public interest, research and statistics in accordance with Article 89(1), is proportionate to the aim while respecting the data protection and safeguarding the data subject’s fundamental rights and interests.
- PUBLIC INTEREST – Substantial public interest is involved, based on EU or member country law, when proportionate to the goal pursued so long as specific efforts to protect the fundamental rights of the data subject and respects the right to data protection
- or MEDICINE – It is necessary for preventative or occupational medicine, medical diagnosis, assessment of working capacity, health or social care or treatment or the management of health and social care systems, medical diagnosis, and services under EU or member country law.
Additionally, Personal Data in regard to criminal convictions and charges may only be carried out under the control of an official authority or when authorized by EU or member country law. That means that technically employers may not be allowed to do a criminal background check on prospective hires unless it is required by law for that position, such as certain security positions or jobs that involve working with children.
However, due to concerns about balancing privacy rights with companies that may have a legitimate right to background checks not addressed by GDPR, a Data Protection Bill was published on September 13, 2017, to supplement GDPR. As of this writing, DPB does not have an effective date.
GDPR requirements for criminal background checks only affect companies that hire EU citizens or, if the company has locations in Europe, EU residents. As such, smaller American companies are mostly exempt from this by default – unless an EU citizen residing in America applies for a job with your company.
PSEUDONYMIZATION AND ANONYMIZATION
To further ensure privacy, GDPR encourages pseudonymization, anonymization, and data encryption. Pseudonymizing data means replacing identifiers with artificial replacements. Anonymization means any identifiers have been stripped from the data. While they sound similar – and are – they have very different results.
With pseudonymization, the Data Controller (and perhaps the Data Processor) could potentially remove the masking and view the Personal Data with all the identifiers intact. Encryption is similar to pseudonymization only the masking information is coded so that only approved users can access the original Personal Data. Encryption and pseudonymization can be used together or separately.
If anonymization is done correctly and thoroughly, the identifiers are gone and the Personal Data cannot in any way be reverse engineered to identify the individual. In that case, the material no longer qualifies as Personal Data, though that is a standard Data Controllers and Data Processors rarely meet.
The EU has a much stricter standard for anonymization than the United States. By comparison, the American Health Insurance Portability and Accountability Act (HIPAA) considers data anonymized if 18 specific data points are removed. The EU requires more but doesn’t set a specific number.
LAWFUL PROCESSING OF DATA
Under GDPR, Lawful Processing of Data requires one of the following:
- The individual consented to having their data processed (See rules for Consent below)
- Processing is essential for the creation of a contract or for information requested by the individual prior to entering a contract
- It’s necessary to comply with a legal obligation
- Processing protects the vital interests of the data subject or another natural person
- The processing of the data is in the public interest
- Doing so is in the controller’s legitimate interest to prevent fraud and so forth
The types of lawful processing fall into three categories: legal obligations, contract requirements, and legitimate interest.
Lawful basis for processing is a core foundation of GDPR. If you collect or process data, you need to identify which type of lawful basis you are using. Not knowing the legality upon which your work is based means that your processing will violate GDPR regulations.
9 examples of GDPR lawful basis are:
- Sales process: A prospective client’s information is needed as part of pre-contractual data processing, such as prequalifying for a loan.
- Contracts: Processing is essential to complete a new contract or fulfill an existing contract.
- Employee information: Processing is needed to comply with regulatory or government regulations that affect your employees. For example, a government might need the employee information for taxation purposes, etc.
- Court orders: Subpoenas and such that require processing Personal Data
- Criminal investigation: Personal Data processing is required as part of a criminal investigation.
- Health and Safety: Data is required for health and safety records. This is especially true for things like accident report data, contagious disease data, etc.
- Internal employee operations: Personal data must be processed for internal operations such as benefits and payroll
- Fraud Prevention: Processing is essential to detect and prevent fraud
- Market Research: This category is usually closely tied to getting consent from from the individual. Refer to the consent details below. Being clear as to what the material being requested will be used for and not requesting more information than is necessary for that is key.
The way many American companies, large or small, have been handling consent is non-compliant under GDPR and could invalidate the data collected prior to May 25, 2018. Since GDPR is not backward compliant and does not grant any exemptions for previously collected data, it’s very important to evaluate what consent might have been used when collecting the past data (and future data collections). If it doesn’t comply with GDPR guidelines, you need to update the consent or remove the information.
The most common GDPR consent violation is pre-checked boxes to agree to something. Consent must be active and conscious so the individuals need to check the box themselves or – even better – type something like “I agree” in a box.
GDPR also impacts the recruiting process. Employees gain new protections. For example, prospective employers must formalize why the data is being requested (as with all Personal Data under GDPR) and the period of time it will be retained.
Also, due to the inherent imbalance of power between an employer and employee or recruit, both GDPR and compliance experts warn against using consent as the sole legal foundation for processing since employees can withdraw consent at any time. Instead, consent based on contract, legal obligations, and an employer’s legitimate interest are better options.
The common marketing tactic of providing “an ethical bribe” must change under GDPR. With this tactic, an e-book, recording, white paper, etc. is offered in exchange for a person’s email address and, usually, name. Sometimes other data is demanded as well. Under GDPR, the email address can be requested so long as you make it clear that it is being requested in order to send you the electronic media.
However, you can’t make subscribing to a newsletter, for example, a requirement for getting the item. You cannot require data that isn’t relevant to getting the idea. So, the email can be OK to send them the link where they can download the item. Demanding that they provide personal income or business revenue information, for example, to also pre-qualify them for your services is much more sensitive and would be an invalid request under many circumstances. Requiring a subscription to their newsletter in exchange for the e-book, white paper, etc. is invalid.
Consent cannot be the default status while requiring the individual to opt-out. Due to Privacy by Default standards, privacy/opt-out must be the default and the individual must purposefully, consciously opt-in. This includes things like automatically subscribing to your blog those people who leave comments on your blog or even automatically subscribing them to comments on that particular blog post.
Purchased lists might be allowed under GDPR if handled correctly in the original subscription but it’s a bad idea – especially if you are not guaranteed that the original list was created using GDPR compliant practices. Generating your own may take longer but, if you follow GDPR rules, is safer.
Withdrawing consent must be easy, free, and you must inform users of the process.
To summarize, legitimate consent requires:
- A clear, affirmative action (no pre-checked “agree” boxes).
- No coercion. Consent must be freely given, and consent cannot be the sole reason for the agreement.
- That the individual has genuine choice and control.
- Maintaining records of when and how an individual gave consent along with their data.
- That consent must be separate from other terms and conditions. Do not require people to visit multiple pages to grant consent.
- Consent is specific and granular – get consent for separate item, not blanket or vague consent.
- Regularly review consent and data processing and revise procedures as necessary to stay up to date with GDPR compliance.
- That withdrawing consent is easy, clear and free.
Data Privacy Officers
Because GDPR compliance can be so involved, it’s smart to appoint one person to be in charge of your data privacy efforts. Depending upon your organization, it might even be required. GDPR requires an organization to appoint a Data Privacy Officer if it is 1) a public authority, or 2) engages in large-scale systemic monitoring, or 3) engages in large-scale processing of sensitive Personal Data. If your business doesn’t do one of those three, then a DPO is not required but is advised. Organizations that do match one of those three conditions must have a DPO or face a fine.
A DPO can be an employee you already have or a new hire. The DPO monitors the organization’s GDPR compliance and acts as the organization’s contact point with both data subjects and the supervising authority. DPOs must be independent, reporting to the highest levels of management, have proper resources, and should be an expert in data protection.
As part of GDPR’s data security provisions, strict rules are enforced in regard to security breaches. If an information breach involving data such as name, address, date of birth, bank information, health records, etc. occurs that risks the privacy rights of individuals or could cause economic or social problems, financial loss, reputation damage, discrimination, or loss of confidentiality, the breach must be reported to the data subjects and the relevant supervising authority within 72 hours of the initial discovery.
While an organization can issue a press release about the breach and post it on its website and/or social media, none of those methods qualify as proper notification to those affected. You must use a one-on-one correspondence method with those affected.
Because the initial notification time frame is so short, few companies will know exactly what happened when sending out the initial notice. It should outline the nature of the affected data, how many people are impacted, what the consequences could be, what actions have been taken so far to address and correct the breach and any planned response.
Failure to notify data subjects of a breach within 72 hours of its detection could lead to a fine of 10 million Euros or up to 2 percent of your annual worldwide revenue, whichever is higher. To put into perspective how seriously GDPR treats data breaches, consider the TalkTalk case. In 2016, the telecom company was fined a record amount – £400,000 – by the UK’s Information Commissioner’s Office (ISO) for having lax security standards that allowed a cyber attack to easily breach customer data. Under GDPR the penalty would be £59 million.
Using another company for data processing and storage does not eliminate liability under GDPR. A Data Processor that subcontracts work to another Data Processor must get permission from the Data Controller, and if the subcontracted Data Processor has a breach, the original Data Processor is still liable.
Data Controllers and Data Processors are still liable for breaches caused by their employees as well. It might be a secondary liability, depending upon the circumstances, but the employer is not absolved of blame.
Penalties for Non GDPR Compliance
Penalties for non-compliance with GDPR fall into two categories – minor fine and major fine. GDPR solves the problem of how to create fines that actually penalize violations by giant companies by making them scalable.
Major fines are for:
- infringing on the rights of data subjects under Articles 12-22
- not having sufficient customer consent
- unauthorized, international Personal Data transfer under Articles 44-49
- ignoring data subject access, rectification, and erasure requests/failure to create processes to do that
- violating the basic principles for processing, including consent, under Articles 5, 6, 7, and 9
- Any obligations pursuant to Member State law adopted under Chapter IX
- Any non-compliance with an order by a supervisory authority (83.6)
Major fines are 20 million Euros or up to 4 percent of the violator’s annual global turnover, whichever is larger.
Minor fines are for, but aren’t limited to:
- failing to report a security breach
- failing to build privacy by design
- failing to ensure data protection is incorporated at the beginning of a project
- if it’s an organization that requires a Data Protection Officer by GDPR regulations, failing to appoint a Data Protection Officer
- controllers and processors under Articles 8, 11, 25-39, 42, 43
- certification body under Articles 42, 43
- monitoring body under Article 41(4)
Minor fines are 10 million Euros or up to 2 percent of the violator’s annual global turnover, whichever is larger.
Penalties apply to both Data Controllers and Data Processors, depending upon the violation. Cloud storage and the like are not exempt from GDPR regulations.
If an organization has multiple violations of GDPR, it will be penalized based on the gravest infringement.
While the penalties are severe, most likely only the most extreme violations would be fined without any prior notice. In general, non-compliance would be met first with a warning, then a reprimand before a fine. Needless to say, complying with regulations is the better solution.
Consumer Rights Under GDPR
How does GDPR protect consumers?
GDPR improves individual rights by mandating:
- Personal Data Access
- Data usage transparency
- Control personal a data usage
- Error correction
- Data Breach Notifications
- Right to be forgotten
Additionally, GDPR expands businesses’ data responsibilities in regard to:
- Consent requirements
- Data protection officer
- Data breach notifications and fines
- Privacy by design and privacy by default
- Data network security
- Data transfer restrictions
What rights does GDPR grant?
GDPR grants consumers eight primary rights, though some aspects of it convey other benefits and rights, such as “the right to compensation and liability.” Each right will be explained in detail below.
The 8 rights GDPR gives consumers are: (NOTE: THESE ITEMS CAN BE LINKED TO THE LARGER SECTIONS BELOW)
- The Right to Be Informed
- The Right to Access
- The Right of Rectification
- The Right to Be Forgotten
- The Right to Restriction of Processing
- The Right to Data Portability
- The Right to Object
- The Right Not to Be Subject to Automated Decision Making and Profiling
What does the GDPR “Right to be Informed” mean?
Prior to the implementation of GDPR, it’s been very common to find the phrase “By clicking ‘submit’ you agree to the use of your personal data” on websites, or as part of the process of signing up for a newsletter, free service or product, or while making an online purchase. That phrase creates the impression that you’re informed of the data being collected, but it really tells you nothing, does little to protect consumers and, is essentially useless in terms of GDPR guidelines.
The GDPR “Right to Be Informed” gives consumers the right to know exactly what consumer data is being collected (while people realize they’re giving an email address, most people don’t know when companies are also tracking their IP addresses or what may be contained in cookies, for example) and what it’s being used for. Data cannot be held indefinitely either. Data collectors must notify consumers how long the material will be held, whether it will be shared with another party and if so, why.
Personal, demographic, and behavioral data is incredibly valuable. As a result, companies frequently collected data that they didn’t really need. That data was then used to build a profile for future marketing, to sell to third parties and other things consumers may or may not prefer.
Businesses can ask for Personal Data, but it must be handled according to GDPR specifications. For example, you can ask for a client’s birth date if you send out a discount coupon or special offer on their birthday, and you specify that is the reason for it. You can’t ask for a birth date because that makes demographic data more valuable for resale to a third party or “just in case.”
Asking for a phone number so you can contact a customer about order fulfillment or delivery problems is fine. Asking for a phone number for other uses, like cell phone tracking, will probably be an issue.
Under GDPR, only ask for the minimum amount of information you need. If they’re joining a newsletter, that might mean only collecting their email address.
GDPR requires that you clearly disclose to customers:
- who you are
- why you’re asking for it
- how long you’ll keep it
- who has access to it.
U.S. regulations for email marketing already require that the sender disclose who they are, where their business is based and how to contact them, so such regulations are not unusual. GDPR is just more thorough and has a focus on consumer needs.
These requirements aren’t just for email newsletters. It also applies to your contact form, check out pages, sign-up forms and anywhere else consumers would give you their information.
GDPR, Terms of Service, & Privacy Policies
Your Terms of Service/Terms & Conditions statement must also comply with GDPR guidelines. Then have explicit, required fields on both forms to accept both documents. Check boxes are fine if the checkmark is not pre-filled. Text fields where users type, “I agree,” are even better for compliance, though annoying.
The Terms of Service should also include information on:
- How consumers can access their complete data record
- How consumers can completely delete their data from your records, as per “the right to be forgotten,” not just unsubscribe.
- How you will notify users of data breaches
- Information about your company, what you’re using the customer data for, who has access to it and how long data is held.
What does the GDPR “Right to Access” entail?
The GDPR Right to Access gives individuals the right to their Personal Data and related information, such as a profile of them built on that data. It also requires an organization to notify the individual of the processing, its lawfulness, and how to verify the lawfulness of the data processing.
Organizations comply with GDPR by:
- Having a clear, simple way for individuals to submit requests to access their Subject Access Requests (SAR)
- Maintaining clear, specific records for the categories of data collected and why the data was originally requested. For example: “Birth dates are requested because customers are given a special discount on their birthday.”
- Maintaining clear records as to what other organizations have access to the data and why.
- Explaining to customers who request their data either how long the data will be stored or, if that’s not possible, explain the criteria that is used to determine how long data is stored
- Creating a chain of command for managing data requests
- Ensuring that data access requests are within one month
- Providing the requested Personal Data free of charge
- Deleting personal data that doesn’t meet the GDPR requirements
Organizations must use “reasonable means” to verify the identity of the person making the request to avoid giving out Personal Data to the wrong individual. If the request for the Personal Data is made electronically, you can provide the information electronically as well. When you have large amounts of Personal Data for an individual, you are allowed, under GDPR regulations, to ask the person to specify the information being requested.
Organizations cannot charge a fee for the Personal Data requested under this right. If, however, a data subject’s request is excessive, such as when it is unduly repetitive, you are allowed to charge a “reasonable fee” based on the administrative cost of providing the material.
Organizations must comply with requests for Personal Data under the Right to Access and must do so within one month of the receipt of the request, as per the compliance time frames listed elsewhere within this document. An extension of up to two months is possible when requests are numerous or complex so long as that is explained to the requestor within the initial one-month time frame.
The only reason to refuse to fulfill an access request is when a request is unfounded, excessive or repetitive. For example, if a person has requested their information every month for a few months and nothing in their Personal Data records with you have not changed during that time period. You are still required to respond within one month of the request, explain why you are refusing, notify them of their right to appeal to the appropriate supervising authority, and how to appeal to a judicial remedy.
What does the GDPR “Right to Rectification” mean?
In the Right to Rectification, the GDPR grants individuals the ability to correct inaccurate or incomplete information. Individuals can request rectification verbally or in writing. Corrections must be made swiftly and clearly.
GDPR mandates one calendar month to respond to a correction request. The time period starts the day after the request is received, regardless of whether the day after is a working day, and ends on the same day in the following month. For example, if a rectification request is made on September 3, the organization must fulfill the request between September 4 and October 4.
If the last day of the response month ends on a weekend or holiday, the organization has until the end of the next working day to respond. For example, if a rectification request is made on November 30, the response period begins on December 1 (the day after November 30). However, the last day of the response period can’t be January 1 because that is a holiday so instead it would end on January 2 — unless January 2 was on a weekend.
If the following month does not have the corresponding date, then the response period ends on the last day of the next month. For example, if a rectification request is made on January 28, the response period would begin on January 29. Because February only has a 29th day during Leap Years, in non-Leap Years the response period would end on February 28.
You can request an extension of up to two months if the material to be corrected is especially complex or if many corrections are requested or if there is a dispute as to the accuracy of the correction. However, you must notify the individual of the extension and why.
If there are concerns as to the identity of the person requesting the rectification, you can ask for proof of identity. The request for proof, however, must be in proportion to the amount of data you hold and the request.
If you shared the data with another organization, GDPR requires you to have the changes applied to their records as well. If asked, you must also notify the individual about the other organization.
Under limited circumstances, a request for rectification can be refused. If you refuse a request for rectification you must:
- Name the specific reason for turning down the rectification request. For example, if the information the consumer wants to substitute is blatantly wrong, such listing them as having won an election they lost.
- Notify the individual that they can file a complaint about the refusal to a supervising authority and provide the name and contact info for that authority
- Notify them that they can seek a judicial remedy to the dispute.
What is the GDPR “Right to be Forgotten,” a.k.a. “Right to Erasure”?
The Right to Be Forgotten, which is also referred to as the Right to Erasure, allows people to request that their personal data be completely removed from an organization. Individuals have the right to demand that their Personal Data be erased if any of the following apply:
- The Personal Data is no longer required for the reason it was originally collected
- The person withdraws consent they previously granted for the information, provided that the controller isn’t required to keep it for legal reasons. For example, while consent for data used to send a newsletter can be revoked easily, employers might need to retain Personal Data contained in a payroll system for 7 years due to IRS audit regulations. Once that time period ended, it could be removed.
- The data controller and/or processer is handling the information in an unlawful manner
- There is a legal requirement for data erasure
- The individual was a child at the time of collection
However, the right is not absolute. Data controllers can refuse to erase information when the Personal Data is necessary:
- To exercise the right of freedom of expression and information. This primarily applies to news organizations so long as they are reporting accurately without infringing on individual rights
- To comply with a legal obligation for a public interest task or to exercise official authority
- For public health reasons or when there is a public interest
- To archive information in the public interest, such as statistical data, historical research or scientific research, especially if it is anonymized so that an individual’s identity cannot be discerned
- For legal claims. For example, if a bank is the subject of a class-action lawsuit and Mary Smith’s account falls within the terms of the class for that lawsuit, the bank can refuse Smith’s request to be erased for the length of time required for the legal case to be fully resolved.
However, GDPR places the burden on the organization to prove that they have legal reasons for retaining the information rather than requiring the consumer to prove their right to be removed.
The effects of the GDPR Right to be Forgotten on legal discovery in the United States is of interest to the legal community and conflicts between the two sets of standards might require a legal challenge to resolve. In the U.S., data held in regard to litigation is not considered to be undergoing processing. However, the GDPR definition of “processing” is much broader and does not allow Personal Data to be held for an indefinite period of time due to possible impending litigation in the U.S.
How to respond to a valid Right to Erasure request?
The following are the recommended steps for complying with requests to be forgotten.
- Verify this is a legal request by the actual data subject.Verifying the identity of the person making the erasure request is intended to protect the individual from fraud. It cannot not be used to create obstacles to legitimate, legal requests or make the process so difficult that it deters request. Verifying the identity of the data subject must be done quickly and promptly, combined with step 2.
- Confirm receipt of the request from the individual.Erasure requests must be answered within one month. Assuming that it is a normal request that must be honored according to GDPR regulations, the deletion must also be completed within one month.If the process of deleting the data is unusually complicated and involved, the fulfillment period can be extended by two months, so long as the individual is notified of the reason for the delay within one month of the initial request.If the data controller cannot comply with the request, such as for one of the legal reasons already cited, the organization must notify the individual within one month of the original request.
- Locate the individual’s Personal Data from all applicable departments.
This includes Marketing, Human Resources, IT Operations, etc. Create data flow diagrams and inventories to simplify identifying Personal Data so you can comply efficiently with information requests.
- Identify all data processors and third parties with which you shared the Personal Data.Using the data flow and storage information previously documented, make a list of what third-party organizations have the requesting individual’s Personal Data and what information they have.
- Notify all applicable, identified third parties with the individual’s Personal Data to thoroughly and completely remove the data from their systems and confirm the erasure.
- Remove the Personal Data from your organization.
- Respond to the individual to confirm that their Personal Data was erased from your systems and all related third parties.
What does the GDPR “Right to Restriction of Processing” mean?
Under the GDPR Right to Restriction and Processing, individuals can request, verbally or in writing, that their Personal Data be restricted or suppressed. While this right is closely related to the Right to Rectification and the Right to Erasure, it is not an absolute right. It applies when one of the following applies:
- The individual contests the accuracy of their data, in which case the data is restricted while the data controller verifies its accuracy
- The data processing is unlawful and the individual objects to the Personal Data’s deletion and requests restriction instead
- The original reason the Personal Data was shared is no longer needed for data processing but the data controller must retain the information for legal reasons, such as while a lawsuit is being tried.
- The individual has objected to data processing as per Article 21(1) and it is pending verification that the data controller has a legitimate reason to override the request.
When data processing has been restricted, the Personal Data will only be processed 1) with the data subject’s permission or 2) for the legal claims or rights’ protection of another person. For example, the second point could apply when the data subject falls within the category for a class-action lawsuit filed by another person.
While data processing is restricted, the data controller can still store it so long as it is not used. If the reasons for a restriction are lifted for any reason, the data subject must be notified by the data controller first that their Personal Data will resume processing.
As per the Right to Rectification and the Right to Erasure, data controllers have one month to respond to requests with the same provisions.
What does the GDPR “Right to Data Portability” mean?
GDPR’s Right to Data Portability allows people to ask that their Personal Data be transferred to another organization or business, or to request and reuse their Personal Data with another service. Because GDPR considers the data subject to own their Personal Data, including usage data compiled by another company, it’s very important for a company to carefully consider the data they collect and use. An individual could request their Personal Data, including usage data, and through this right, transfer all of it to another organization.
The Right to Data Portability gives individuals the right to move, copy, or transfer their Personal Data from one database to another in a safe, secure manner. It even allows consumers to use applications and services that can use the Personal Data held by another data controller to help them find a better deal or understand their habits.
To comply with data portability requests, you must freely provide the Personal Data in a commonly used, structured, machine-readable format, such as CSV files. “Machine readable” means the Personal Data is organized in such a way that software can extract the data, thereby making it easy for other organizations to use.
Upon request, you might have to transmit the data directly to another organization, if it’s technically feasible. You do not have to add or maintain data processing methods that are technically compatible with other organizations.
If the Personal Data involves more than one individual, you must take into account whether providing the information would affect the right of the other person.
The time period to comply with data portability requests is one month with the possibility of a two-month extension for complex requests, as per the Right to Rectification and the Right to Erasure. Also, as with those rights, if you cannot act on the request, you must explain why within one month and inform the individual of their right to complain to a supervising authority, a judicial remedy, and how to contact that authority within the one month time frame.
What does the GDPR “Right to Object” entail?
The Right to Object must be listed in your privacy notice and “at the point of first communication” with any customer, regardless of the type of business or service you offer, free or paid. This GDPR right allows individuals to object the processing of Personal Data on grounds relating to their personal situation in regard to:
- direct marketing and profiling
- processing based on the performance of a task in the public interest or for the exercise of official authority, including profiling
- data processing for scientific and historical research and statistics
How to comply with the Right to Object depends upon the type of processing to which the person is objecting.
If an individual objects to having their Personal Data processed for direct marketing purposes, you must comply as soon as you receive the objection. GDPR does not grant any exemptions or grounds to refuse in this situation. The objection request must be handled immediately, swiftly, and free of charge.
If an individual objects to having their Personal Data processed for scientific or historical research purposes, or for statistical purposes, the data controller can override the request if the project is for the public interest or for the exercise or defense of legal claims, and you can cite compelling, legitimate reasons to override the right of the individual. As with other GDPR rights, you must respond within one month and provide information on the supervising authority to which the individual can appeal.
If your processing activities are carried out online, then you must offer a way for individuals to object online.
What does the GDPR “Rights Related to Automated Decision Making and Profiling” mean?
This right is a safeguard against harm caused by increased automation. Individuals have the right to not be subjected to a decision made solely by automated processing, including processing, without human intervention, which causes negative or harmful results.
When using profiling to process applications for legally binding agreements, such as those for loans, GDPR compliance requires that you:
- Notify the people applying
- Ensure that a person checks the process. Purely machine processing for automated decision making is not allowed.
- Offer the applicant the right to contest the refusal if the application is refused.
This right does not apply if the decision:
- is based on the individual’s explicit consent
- is required for entering into or performing a contract between an individual/data subject and a data controller
- is authorized by European Union or EU member state law that the data controller is subject to and which includes appropriate measures to protect the individual’s rights, freedoms and legitimate interests.
In either case, the automated decision-making must not be based on the special categories of Personal Data previously cited.
GDPR and Social Media Advertising
GDPR-compliant social media advertising requires explicit opt-in consent from customers before using their data or tracking them for advertising. To be compliant:
- You must specify what data will be collected and how it will be used
- Consent requests must be in clear, plain language
- Customers must have a free, genuine choice to accept or reject, and easily withdraw their consent
- Customers must take a clear action to agree. Pre-checked boxes are not allowed.
It’s also important to realize that if you use Facebook for business, for example, your company’s role as Data Processor or Data Controller varies. For example, if you have a Facebook business page and people like or follow your page, then Facebook is the Data Controller. If, however, you load a custom audience into Facebook Ad Manager, then you are the Data Controller and Facebook is the Data Processor.
As the Data Controller, if you use social media advertising services or features that involve uploading, collecting and/or tracking data you need to be sure that they are GDPR compliant. You can’t assume that their Terms of Service will protect you – especially since GDPR will hold both the Data Controller and Data Processor liable in many cases. Despite that, some large companies are trying to shift liability to users so you need to understand what you are agreeing to. Examples of these sorts of features and services are:
- Facebook Pixel
- Facebook Custom Audiences
- Facebook Lead Ads
- LinkedIn Matched Audiences
- LinkedIn Insight Tag
- LinkedIn Sponsored InMail
- LinkedIn Lead Gen Forms
- Twitter Pixel
- Twitter Tailored Audiences
- Pinterest Tag
- Pinterest Audiences
While Pinterest hasn’t posted any official information for advertising on its site and GDPR, the following links take you to each site’s official statement:
GDPR and E-Discovery/Legal Discovery
The one area where American legal requirements and GDPR are definitely in conflict is in regard to the discovery process for legal cases and Electronically Stored Information (ESI). In the EU and many non-EU European nations, the right to privacy is an explicit fundamental right. The U.S. Constitution protects free speech but the right to privacy and the definition of that privacy is implied, not explicitly stated. U.S. law does protect the right of litigants to receive evidence relevant to their defense and claims for any court case, regardless of where that information is located. European courts have no equivalent and the right to discovery in Europe is far more limited than the American standard.
At the moment, there’s no good way to reconcile these conflicting standards. A business owner needs to evaluate their comfort threshold in regard to GDPR’s high penalties and American discovery law, and possibly consult with your lawyer depending the specific needs for your business. It is likely that at some point after GDPR’s full implementation a case will settle the contradiction legally.
What can you do in the meantime when you can’t comply properly to conflicting laws or risk violating either one? Design a compliance strategy that demonstrates good faith with both regulations and create recordkeeping processes that comply with GDPR as best you can, set up a method for data subjects to obtain, correct or request erasure of their data, train your staff, improve your data security, and create a data breach response plan.
Mostly like the initial GDPR regulatory efforts will be focused on topics like data mining, security breaches and the sale of Personal Data. In the meantime, the conflict between the two sets of laws may be resolved. Being able to demonstrate good-faith efforts to comply might protect you from penalties. Ignoring the new regulations has far greater risk.
How to Comply With GDPR
Now that you have a better understanding of GDPR, here is a list to get you started with GDPR compliance.
Disclaimer: Because it’s impossible to cover every single point that could be relevant to every organization, realize that you might need to dive deeper into certain topics for questions relevant to you and perhaps even consult an attorney in some cases.
- Realize that previously collected Personal Data is not exempt from GDPR regulations. Depending upon how you complied your database, you may need to get new, GDPR-compliant consent to retain it.
- Do an audit of all the Personal Data collected and stored by your organization, how it’s used, what is the legal basis for having that data and what departments use which parts of the Personal Data. This includes third-party services and processors you may use and the terms of the contracts with those providers.
- Determine which parts of that data are essential for the purpose under which it was collected.For example, subscribing to an email newsletter does not generally require a person’s physical address. A game app doesn’t need access to all the contacts in a person’s address book to operate. Making a purchase doesn’t require information on political or religious beliefs.
- Review whether you are required to appoint a Data Protection Officer. Even if it’s not required for your organization, you might want to appoint one.
- You cannot collect information from anyone under the age of 16 without parental consent.
- Create a plan for updating your data collection and retention policies and website, especially any form that requests data from prospects or customers.
- Set up a system for responding to requests for an individual’s data, rectifying mistakes and fulfilling erasure requests.
- Train employees on GDPR compliance.
Related GDPR information:
The complete text of the GDPR regulations:
Official GDPR documents https://ec.europa.eu/info/law/law-topic/data-protection_en
Contact details for every GDPR jurisdiction
Proposed CONSENT bill to improve American privacy law, inspired by GDPR:
GDPR and pending clarifications to background check compliance
The official WordPress information on how it and WP plug-ins are complying with GDPR
WordPress Core changes to comply with GDPR
WooCommerce on its changes to comply with GDPR
EU resources for GDPR implementation
Google loses “right to be forgotten” case in UK High Court
What marketers need to know about changes Facebook made to Business Tools Terms in light of GDPR
The actual notification from Facebook for changes to its Business Tools
A “flaw-by-flaw” guide to Facebook’s GDPR compliance
Publishing groups say Google’s “GDPR compliance” update actually shifts liability to them inappropriately and blocks them from being fully compliant
Google’s response to the publishers’ complaint
GDPR compliant email marketing guidelines
More information on how a Human Resources department can be GDPR compliant
Because WordPress powers so many websites, someone made a WordPress GDPR Compliance plug-in to help you evaluate your website. Efferent Media does not recommend or endorse this plug-in. It is simply listed as an information resource.
Compliance Check Lists
GDPR consent compliance check list
GDPR lawful basis for processing data check list
GDPR data usage compliance check list
GDPR error correction/rectification compliance check list
GDPR right to be forgotten/right to erasure compliance check list
GDPR right to restrict processing compliance check list
GDPR Data Protection Officer compliance check list
NOTE: The information in this document is for guidance only. It’s not meant as a substitute for a consultation with an attorney for your specific circumstances.
 Because GDPR applies to the “personal data of data subjects who are in the Union,” it applies to EU citizens, EU residents regardless of citizenship and even visitors to the EU.
 While the UK is in the process of leaving the European Union, it was an active part of the creation of GDPR, and it has passed its own privacy laws to remain compliant with GDPR and match GDPR’s regulations, except that the UK cites age 13 as the age when children themselves can give consent for data usage while GDPR sets that age as 16.
 EU member nations include Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. While the UK is in the process of leaving the EU, the UK has already incorporated GDPR guidelines into UK law so it will be in effect even after Brexit.
 See the prior footnote for an explanation.
 For more information on the EU Law Enforcement Directive see http://www.consilium.europa.eu/en/policies/data-protection-reform/data-protection-law-enforcement/
 A famous study proved that 87% of the U.S. population can be identified from three “broad” data points such as gender, date of birth and five-digit ZIP code. While individually, the three data points would be considered too broad to identify a particular data subject, when combined they can be used to identify a single person. For more information on this study see https://dataprivacylab.org/projects/identifiability/paper1.pdf.
 GDPR requires organizations to fulfill an individual’s request for access to their Personal Data free of charge unless the requests are “manifestly unfounded or excessive” with that especially referring to unreasonably repetitive requests. In that case the data controller can charge “a reasonable fee” for administrative costs or refuse to submit information because it’s identical to information previously provided multiple times. Otherwise, they must comply with all requests.
 The Right of Rectification is closely linked to the data controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d)).