How BDOW! complies with GDPR

A General Data Protection Regulation (GDPR) guide for BDOW! users.

Written by Cassandra Campbell
Updated over 3 weeks ago

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that went into effect on May 25, 2018. It establishes strict guidelines for businesses on how they must handle and protect the personal data of EU citizens. GDPR empowers individuals with greater control over their personal data and imposes significant obligations on organizations to ensure transparency, security, and lawful data processing. You can learn more by visiting the official GDPR website.

For information on how to implement GDPR-compliant forms in BDOW!, see our article on the GDPR Opt-In field.

Definitions

This chart captures the essential terms and concepts of GDPR, providing a quick reference for understanding the regulation’s key components.

Key Term: Definition

Personal Data: Any information related to an identifiable person (e.g., name, email, IP address).

User: An individual whose personal data is processed.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: The entity that processes data on behalf of the data controller.

Consent: Freely given, specific, informed, and unambiguous indication of the user's wishes.

Processing: Any operation performed on personal data (e.g., collection, storage, use).

Lawful Basis for Processing: Legal grounds for processing personal data, including consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests.

Data Protection Officer (DPO): An individual appointed by the entity to oversee GDPR compliance within the organization.

Right to Access: Users' right to obtain confirmation about whether their data is being processed and access to their data.

Right to Rectification: Users' right to have inaccurate personal data corrected.

Right to Erasure (Right to be Forgotten): Users' right to have their personal data deleted under certain conditions.

Right to Restrict Processing: Users' right to limit the processing of their personal data under certain circumstances.

Right to Data Portability: Users' right to receive their personal data in a structured, commonly used, and machine-readable format.

Right to Object: Users' right to object to the processing of their personal data based on legitimate interests or direct marketing.

Data Breach: A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Pseudonymization: Processing personal data in such a way that it cannot be attributed to a specific user without additional information.

Encryption: The process of converting personal data into a secure format to prevent unauthorized access.

Supervisory Authority: An independent public authority responsible for monitoring the application of GDPR.

Data Protection Impact Assessment (DPIA): A process to help identify and minimize the data protection risks of a project.

Who needs to be GDPR compliant?

Businesses must comply with GDPR if they meet either of the following criteria:

  1. Physical Presence in the EU:

    • Any business with an employee, agent, or branch in the EU must comply, even if based outside the EU (GDPR Article 3(1)).

    • Example: A US-based retailer with a remote employee in the EU.

  2. Targeting Individuals in the EU:

    • Businesses offering goods, services, or monitoring behavior of individuals in the EU must comply, regardless of their location (GDPR Article 3(2)).

    • Example: A US business selling to EU residents or tracking their behavior or information online. Thus, if your business uses Google Analytics or tracking pixels on anyone in the EU as a potential customer/client, the GDPR applies.

Steps to become GDPR compliant

By following these steps, you as a business and user of BDOW! can ensure compliance with GDPR and CCPA/CPRA, protect user privacy, and avoid hefty fines.

  1. Perform a Privacy Audit:

    • Identify what personal data you as the Entity and Data Controller collect and ensure you have lawful purposes for processing it.

  2. Assign Lawful Purposes:

    • Under GDPR Article 6, every data collection method must have a lawful purpose:

      • Legitimate interest

      • Consent

      • Contractual necessity

      • Vital interest

      • Legal obligation

      • Public interest

  3. Implement Encryption:

    • Secure personal data through encryption and other appropriate technical measures.

  4. Opt-In Consent:

  5. Opt-Out of Cookies:

    • Ensure users can opt in to cookie tracking with clear pop-ups (usually located near the bottom footer of your website).

      • This pop-up should identify which cookies you use.

      • Give users the ability to consent to or decline cookie tracking.

      • Link to your privacy policy, which should detail your cookie policy.

      Example of a pop-up from Cookieinfo*

  6. Withdraw Consent:

    • Make it easy for users to withdraw consent and notify them of this right. This is usually included as an “unsubscribe” button on each email they receive from your company.

  7. Appoint a Data Protection Officer:

    • Required if processing data on a large scale, monitoring behavior regularly, or handling special categories of data.

Privacy Policy Requirements

Include the following information in your privacy policy:

  • Organization and Data Protection Officer contact details.

  • Purpose and legal basis for data processing.

  • Legitimate interests, if applicable.

  • Data recipients.

  • Data transfer details and safeguards.

  • Data retention period.

  • User rights and withdrawal of consent.

  • Right to lodge a complaint.

  • Statutory or contractual data requirements.

  • Automated decision-making details.

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA) Compliance

Details regarding these California laws can be found at the official CCPA website and at the Law & Regulations page of the California Privacy Protection Agency.

Who needs to be CCPA/CPRA compliant?

For-profit businesses that meet any of the following:

  • Earn $25 million+ in gross annual revenue.

  • Buy, sell, or receive personal data from 50,000+ California residents, households, or devices.

  • Generate over 50% of revenue from selling data.

Steps to become CCPA/CPRA compliant

  1. Right to Opt-Out:

    • Offer consumers the right to opt-out of data sales and email marketing.

  2. Right to Non-Discrimination:

    • Ensure consumers are not treated differently if they exercise their privacy rights.

  3. Transparency:

    • Provide clear privacy policies and notices on data collection and use.

    • Allow consumers to limit the use of sensitive personal information and correct inaccuracies.

Penalties

  • GDPR: Fines up to €20 million or 4% of global revenue.

  • CCPA/CPRA: Fines up to $7,500 per intentional violation or $2,500 per unintentional violation.


*Screenshots in this guide are for educational purposes only; BDOW! is in no way affiliated with these brands.
