A guide to reading the full-text GDPR
The official full-text PDF of the GDPR is a 261-page beast. However, as we describe below, SaaS companies who want to understand how this regulation impacts their product should read the 34-page abridged version of the GDPR we’ve compiled.
Approaching the GDPR
There has been a lot of advice written about how companies, developers and the technology industry in general should approach GDPR. Our posts covering this topic are written from a very specific perspective: how should the creators of modern business applications (aka SaaS) think about GDPR in the context of their businesses? But no matter how well researched and reasoned our (or any other) approach might be, it is still someone else’s opinion.
For this reason, it can be helpful to explore the primary sources when evaluating a topic this complex. Because reading the GDPR can be quite intimidating, we’ve outlined our approach to reading the full text in a way that is more approachable.
Where to find the full text
The first thing you’ll notice about the official version of the GDPR is that the full text is long: 261 pages, to be exact. However, much of that is whitespace, and there is a better formatted version that trims the whitespace and leaves us with 88 pages of GDPR text. Alternatively, a more “browsable” and deep-linkable version can be found at https://gdpr-info.eu/. Even in the 88-page version, the first 31 pages consist of 173 recitals that serve as a preamble to give context to the regulation.
The actual regulation is made up of 11 Chapters, which comprise 99 Articles in total. Of those 99 Articles, only about 40 really matter to someone who is trying to make sense of how to comply with the regulation. Many of the later Articles describe the mechanics of how the Supervisory Authorities, Commission, Committee, Board, Member States and other administrative entities should interact. This leaves 34 pages of GDPR text to read through, which feels very doable for most folks who are going to invest days or weeks thinking about and engineering solutions to comply with the law.
We’ve outlined the Articles we think should be read closely by SaaS companies trying to wrap their heads around compliance, as well as the Articles that are skimmable and those we think can be largely ignored. We’re not trying to keep you from reading the whole thing, just trying to give you a framework that might make the process a little faster and more digestible.
Read these Articles closely
1-4: General overview, including the definitions of the foundational terms of the regulation (super important for context)
5-11: The principles on which this regulation is written, sort of the “spirit of the regulation”
12-20: The meat of the regulation in terms of the ownership rights of individuals over their data (erasure, portability, transparency, access, restriction, etc.)
21-22: Automated decision making (probably only relevant if you’re making decisions that impact EU residents)
23: Some restrictions and carve-outs for special cases
24-31: The section most directly aimed at SaaS companies: the responsibilities of the controller and the processor
32-34: How security implementation and incidents should be handled for personal data
35-36: Establishes Data Protection Impact Assessment as a concept that SaaS companies will likely need to undergo (similar to a pentest or certification)
37-39: Establishes the Data Protection Officer. Defines the role, tasks and independence.
40: Establishes the Code of Conduct for companies to produce
42: Suggests that voluntary certifications will be available in the future
44-46: Rules around how data can be transferred out of the EU
47: Establishes the Binding Corporate Rules that companies will produce and have approved
48-49: More details on transfer of information to international organizations
82-83: The fines are defined (up to 4 percent of annual revenue); processors and controllers can pursue each other for their portion of the liability
87: Processing of national identification numbers
88: Processing personal data of employees
99: Establishes May 25, 2018, as the day GDPR goes into effect
Skim or skip these Articles
41: Establishment of a body to monitor codes of conduct
43: The future establishment of certification bodies
50-81: How the Commission, supervisory authority, committees, boards, member states, and officers should interact and share responsibilities; who controls what, the transparency they should have, opinions they can provide and the paths of remediation
84-86: How member states handle penalties, some carve-outs for special situations
89-91: More carve-outs (historical research, public good, churches)
92-98: Mechanics of implementation, procedures of the Commission
More reading
Convinced that GDPR will matter to your company and looking for more guidance on how and where it might apply, or on how other SaaS companies are thinking about it? You can check out some of our other pieces on this topic: