This post will explain how to comply with GDPR (General Data Protection Regulation).
Note: we are not legal experts and are not liable for any damages that result from your use of this site. It is your responsibility to ascertain the facts. We do our best to provide you with credible sources with which to do so.
What is GDPR?
GDPR stands for “General Data Protection Regulation”, a regulation by the European Union (EU) covering EU citizens (citizens of EU countries) and citizens of the European Economic Area (EEA). It aims to prevent the personally identifiable information of EU and EEA citizens from being misused.
Personally identifiable information is any information that can be used to identify an individual.
Examples of personally identifiable information [1]:
- a name and surname;
- a home address;
- an email address such as name.surname@company.com;
- an identification card number;
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Which countries are EU and EEA countries?
EU countries include [2]:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
EEA countries include:
- Iceland
- Liechtenstein
- Norway
How to comply with GDPR?
If you do not collect any personally identifiable information, you are already complying with GDPR.
Otherwise, if you collect or process any personally identifiable information (PII) of EU or EEA citizens, you must [3]:
- process the PII in a lawful and transparent manner (do nothing illegal with the data, and inform users exactly what the data will be used for at the point of collection)
- collect and process only the information that is necessary for the purposes you have informed the users about
- not store the information for any longer than is necessary to achieve the purpose stated to users
- make sure the information is accurate and up to date
- not use the information for any purpose other than what the users were informed about
- make sure the information is protected against unauthorised/unlawful usage and damage/destruction
- get explicit consent to collect and process the information [4]
To inform the users of what information you collect and how it is processed, the standard way is to explain it in a “privacy policy”. Templates for such privacy policies are available for free on the internet.
Do I need to comply with the GDPR?
If you don’t collect any personally identifiable information from users to begin with, there is no need to worry about dealing with GDPR. Furthermore, the official EU website states the following [5]:
Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Therefore, as long as you do not specifically target individuals in the EU, you don’t need to comply with GDPR. If you target users outside the EU in addition to EU users, you are not specifically targeting EU individuals. However, there is no harm in telling everyone how you collect and handle their data anyway, to be safe.
References
[1] https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en (Accessed 4 February 2020)
[2] https://www.gov.uk/eu-eea (Accessed 4 February 2020)
[3] https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/what-data-can-we-process-and-under-which-conditions_en (Accessed 4 February 2020)
[4] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679 (Accessed 7 February 2020)
[5] https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en (Accessed 4 February 2020)