GDPR compliance is necessary for all organizations that collect and process personal data on European Union (EU) citizens. Maintaining compliance is necessary to avoid fines and penalties levied by the EU.
This guide discusses GDPR’s underlying principles, the terminology used in the regulation, and the compliance requirements that organizations must follow.
The European Union’s General Data Protection Regulation (GDPR) was adopted by its member states in 2016. It was developed to replace the 1995 Data Protection Directive, which was used in some European nations.
The GDPR was designed to address data privacy concerns as the growth of the Internet made the digital exchange of information more common. The regulation was put into effect on May 25, 2018, and is considered to be the strongest data privacy law in the world.
The GDPR’s primary purpose is to protect the personal data of EU citizens. The regulation defines the circumstances under which personal data can be collected and processed, the steps organizations must take to comply with the regulation, and the rights of data subjects.
The GDPR originally applied to all the EU member states. While the United Kingdom (UK) left the union in January 2020, it has incorporated the provisions of the EU GDPR into law as the UK GDPR. It is essentially the same regulation with changes made to address domestic laws.
The following seven core principles are at the heart of GDPR data protection. All organizations that collect, process, and store the personal data of EU citizens are required to follow these guidelines to comply with GDPR.
The first principle, lawfulness, fairness, and transparency, requires that personal data be collected for a lawful reason and never used for an illegal purpose. Data subjects need to understand how their personal data will be used. We look more closely at the lawful reasons for data collection and processing later in this guide.
The second principle, purpose limitation, restricts the purposes for which a data controller can use personal data. Data subjects must understand why their personal data is being collected and what will be done with it, so that they can decide whether to provide the requested data to a data controller or processor.
The third principle, data minimization, requires data controllers to collect only the minimum amount of data needed to meet their purpose. The collected data must be adequate, relevant, and limited to what is necessary for the controller's stated purposes. Organizations are forbidden from collecting additional personal data elements to be used at a later time for a different purpose.
The fourth principle, accuracy, requires organizations to ensure the accuracy of the data they collect and process by implementing appropriate technical and administrative processes. Data subjects have the right to correct any inaccuracies found in their collected personal information.
The fifth principle, storage limitation, allows personal data to be stored only for the length of time required to fulfill the explicit purposes of the data controller. The period for which an organization retains data must be justified; keeping it any longer is a compliance violation. In cases where the data is being used for research, archiving, or statistical analysis, it can be retained for extended periods.
The sixth principle, integrity and confidentiality, requires appropriate security measures to be in place to prevent the unauthorized use of personal data and to prevent data breaches. Collected personal data must also be recoverable so that its availability can be restored if it is lost or destroyed.
The last principle requires accountability from all entities involved in processing personal data. They must meet compliance standards and produce documented evidence of compliance measures when necessary.
Personal data is defined in GDPR Article 4 as any information relating to an identified or identifiable natural person, known as the data subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Examples of personal data elements subject to GDPR protection include a person's name, home address, email address, identification number, location data, and online identifiers such as an IP address or a cookie identifier.
Sensitive personal data is a special category of personal information defined in Article 9 of the GDPR. This data must be processed more securely than other personal data due to its sensitive nature and the fact that it can potentially be used to discriminate against individuals.
Categories of sensitive data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation.
Article 6 of the GDPR explicitly defines the lawful bases on which personal data can be collected and processed. At least one of the following must apply for the collection and processing of personal data to be considered lawful: the data subject has given consent; processing is necessary to perform a contract with the data subject; processing is necessary to comply with a legal obligation; processing is necessary to protect someone's vital interests; processing is necessary to perform a task carried out in the public interest or in the exercise of official authority; or processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the rights of the data subject.
Consent under GDPR needs to be implemented by an opt-in methodology where data subjects must clearly indicate their consent to the collection and processing of their personal data.
GDPR defines multiple roles that address different aspects related to the collection and processing of personal data. It is essential to understand the responsibilities of each role to maintain GDPR compliance. The following are the most important roles defined by GDPR.
A data controller is the natural person or legal entity responsible for determining the purposes and methods used when processing personal data. Data controllers are key decision-makers and are required to ensure that all actions taken related to personal data comply with the GDPR.
A data controller can be an individual, a company, or another legal entity.
GDPR Article 24 defines the data controller's responsibilities, which include implementing appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing complies with the regulation; reviewing and updating those measures as necessary; adopting appropriate data protection policies where this is proportionate to the processing; and, where applicable, demonstrating compliance through adherence to approved codes of conduct or certification mechanisms.
Data controllers are held to the strictest standards regarding GDPR compliance and are ultimately responsible for data breaches and violations.
A data processor is a person or legal entity that processes personal data on behalf of a data controller.
Article 29 of the GDPR defines the limits imposed on a data processor. It states that the processor, and any person acting under the authority of the controller or of the processor who has access to personal data, shall not process that data except on instructions from the controller, unless required to do so by Union or Member State law.
Data processors must abide by the data controller’s instructions when processing data. If they do not follow these instructions, the processor can be liable for data breaches.
As such, data processors, which are often third parties engaged by data controllers, need to ensure their processes comply with GDPR.
While processors have a reduced level of legal obligations compared to controllers, they still need to ensure the proper measures are in place to protect the rights of data subjects. Both data processors and controllers can be penalized in the event of a data breach based on each entity’s degree of responsibility for the violation.
The data protection officer (DPO) is responsible for overseeing an organization's data protection strategy and its implementation. A DPO can be either an employee of the data-controlling organization or an external expert, but must have the requisite knowledge to ensure compliance with GDPR.
A supervisory authority is a public entity in an EU member state that monitors compliance with GDPR. The responsibilities of a supervisory authority include advising companies regarding GDPR, addressing complaints from data subjects, conducting compliance audits, and issuing fines to companies in non-compliance with the regulation.
GDPR representatives are required to be appointed by companies located outside the EU that are targeting EU citizens. Their role is to ensure compliance and facilitate communication with European data protection authorities.
Data subjects are another role defined in GDPR that warrants a more detailed discussion because of the rights the regulation affords them. These rights must be respected by data controllers and processors to remain compliant with GDPR. The rights data subjects can exercise under GDPR are the right to be informed about how their data is used, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
All companies doing business with EU member states or the UK must comply with GDPR if they collect and process personal data. The regulation is designed to protect EU citizens no matter who is collecting and processing their personal data.
Ecommerce and the globalized nature of modern businesses mean that many organizations — even small businesses — outside the EU must comply with GDPR when processing personal data. Simply put, GDPR compliance is the price that must be paid to do business in the EU.
Companies need to successfully address multiple requirements to comply with GDPR. Failure to meet any of these requirements is considered a violation and can result in financial penalties.
Organizations can only process personal data with a lawful justification, as outlined earlier in this guide.
After data is collected and stored, it can only be used for the specific stated purpose. When data is no longer needed for this purpose, it should be securely deleted.
The rights of data subjects under GDPR must be respected by data controllers and processors. The rights granted to data subjects by GDPR were also outlined in a previous section of this guide.
Consent for processing personal data is required under certain circumstances. When necessary, it must be obtained following specific guidelines, with individuals deliberately opting in and agreeing to the data collection and processing.
Organizations must take all necessary measures to avoid data breaches involving personal data. Incidents that result in the unavailability of personal data, such as natural disasters and outages, are considered data breaches by the GDPR.
Data collection and processing procedures need to be developed with a privacy-by-design approach. Companies need to implement technical and administrative controls and safeguards to protect the rights of data subjects and enforce GDPR principles.
A data protection impact assessment (DPIA) is required when processing is likely to result in high risks to data subjects, for example systematic monitoring of data subjects in public places or profiling.
Data transfers can only be conducted using approved mechanisms, which vary based on where the data is located and how it will be moved. This requirement affects data controllers processing personal data outside of the member state in which it is collected.
Companies required to comply with GDPR should appoint a data protection officer (DPO). The DPO is responsible for advising the organization on how to comply with the regulation and acts as a contact point for questions related to data privacy.
Employee training on GDPR compliance is required for everyone involved in handling personal data. Training should include a discussion of the preventative measures that can be taken to ensure the protection of the collected data.
GDPR is enforced by each member state's data protection authority (DPA), the supervisory authority described earlier in this guide.
A DPA is an independent organization that monitors and supervises the application of data protection laws. It has investigative and corrective powers and can levy fines against violating organizations.
The cost of GDPR non-compliance can be substantial, and the framework for fines is defined in Article 83 of the GDPR. The amount of a particular fine is determined by the severity of the violation and the size of the violating organization.
There are two tiers of GDPR fines, depending on the severity of the infringement. Less severe infringements, such as failing to meet the controller and processor obligations on security, record-keeping, and breach notification, can result in fines of up to €10 million or 2% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher. More severe infringements, such as violating the basic processing principles, the conditions for consent, the rights of data subjects, or the rules on international transfers, can result in fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
Protecting the privacy, security, and integrity of collected personal data requires that the appropriate technical and administrative measures are in place. A modern data loss prevention (DLP) solution, such as the Reveal platform by Next, addresses multiple aspects of maintaining GDPR compliance.
Reveal automatically enforces an organization’s data handling policies — which should be developed with GDPR compliance in mind — and helps protect a company from accidental or deliberate mishandling of personal data.
More than this, Reveal categorizes data as it is ingested into the environment so information subject to GDPR standards can immediately be securely protected.
Reveal also offers user training at the point of risk and helps elevate a workforce’s security IQ. A DLP solution can be instrumental in minimizing the possibility of a data breach resulting in serious financial repercussions.
Contact Next today and schedule a demo of Reveal to see how it works with your security stack and provides additional security for your valuable data resources.
While regular audits are not a legal requirement of the GDPR, one may be conducted by a DPA in the wake of a data breach or other regulatory violation. Companies that need to comply with GDPR should institute a program of regular internal audits to ensure they are meeting the requirements for compliance.
EU citizens can request a copy of the personal data an organization stores on them. The organization must meet the request within one month by providing a free copy of the information in an accessible format. The citizen can then exercise their right to rectification and request that the data controller or processor correct the inaccurate data.
Meta was fined a record $1.3 billion for a violation in the way it transferred data from the EU to the U.S. for processing. The penalty was announced by Ireland's Data Protection Commission and turns on the differences between the data privacy laws of the two jurisdictions. The specific violation involved transferring the data of EU Facebook users to the U.S., where it was to be stored and processed.