10 Facts About GDPR Compliance You Need to Know

Updated: Jul 29


[Image: a lock enclosed within the circle of EU flag stars]
GDPR is EU legislation that protects the privacy of EU data subjects.

GDPR brings transparency to the entire data collection and usage lifecycle. The General Data Protection Regulation (GDPR) is a law that gives citizens more control over their personal data and compels businesses to be more transparent about how they use it. GDPR came into force on May 25, 2018, to protect European Union citizens and companies from data violations. It brought all 27 EU member countries under the same data protection law.

From hotel businesses to online shops, this universal law applies to every business.

What is GDPR?

GDPR is a piece of legislation passed by the EU countries in 2016 to ensure the privacy of people within the European Union (EU). It came into full effect on May 25, 2018. It covers all EU residents and gives organizations clear guidelines for protecting the privacy of data subjects. GDPR protects personal information such as name, age, date of birth, and address, and sensitive information such as race, religion, political affiliations, sexual preferences, medical data, insurance data, biometric or genetic data, and any other information that can be used to identify an individual.

10 Facts about GDPR Compliance

Before looking for options to achieve GDPR compliance, you should know the following 10 facts. We have outlined the finer points of GDPR that most people overlook and condensed them into an easily understandable format, so that you understand the what, why, and how of GDPR.

1. GDPR isn’t applicable to all EU sites and apps

The GDPR legislation does not specifically target EU-based companies that host web portals such as websites and apps. GDPR targets every entity that conducts business with, or acquires or processes information about, even one EU resident who falls under GDPR jurisdiction. Therefore, organizations are not subject to GDPR unless they expressly deal with EU consumers.

For example, if your EU-based organization has an app that lists the nearest health services in your insurance provider's network, but that app does not operate within EU countries, then you do not fall under GDPR.

2. GDPR isn’t only for EU citizens

When we say EU residents, we do not specifically mean EU citizens. The data subjects protected by GDPR are defined in the legislation as those individuals who are currently within EU borders. GDPR therefore distinguishes between data subjects by geographical location, not by citizenship.

For example, if a US citizen visits any EU country, their personal information is protected under GDPR.

3. GDPR works proactively

GDPR states that an organization must obtain the consent of the data subject before acquiring, processing, or disclosing the data to any third-party provider. To comply with GDPR, EU users must be prompted for consent at every stage of any activity involving their personal or sensitive data.

In contrast to the policies practiced by the US government, which proactively ask for consent and work on an “opt-out” model, GDPR is based on an “opt-in” model.

4. GDPR classifies privacy breach as a violation of human rights

Privacy is deemed a fundamental human right in the Universal Declaration of Human Rights (Article 12), the European Convention on Human Rights (Article 8), and the European Charter of Fundamental Rights (Article 7). By extension, GDPR follows the same principles and regards any privacy violation as seriously as a human rights violation. GDPR Article 88 states that an organization's rules must include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests, and fundamental rights.

5. GDPR sets essential rights of the data subjects

GDPR establishes many rights that organizations must respect in order to achieve GDPR-compliant status. Some of these rights are:

Right to erasure

Data Subjects have the right to have personal data erased. This is also known as the ‘Right to be forgotten’. Therefore, they should have the option to have their data completely erased and redacted from the company’s database.

Right to access

All EU residents under GDPR have the right to know how their data is being used and processed by the organization.

Right to knowledge

EU citizens should know why their data is needed, where it is stored, and with whom it is shared outside the organization. This information should be provided completely free of charge at the request of the user.

Right to rectification

Data Subjects should have the full freedom to alter the information that they provided, whenever they want.

Right to stop data processing

At any point in time, data subjects should be able to restrict the entity from processing both their personal and sensitive data.

Right to data transfer

Data Subjects should be given absolute freedom to transfer their data to another service provider of their choice.

Right to object

GDPR allows data subjects to object to data acquisition, processing, or transfer, and to be given the choice of whether or not to opt in.

Right to make their own decisions

Data Subjects should be allowed to make their own decisions and have the right to be free from any automated decision-making.

6. GDPR applies to all personal and sensitive data

GDPR covers all the personal and sensitive information of EU citizens that includes name, age, DOB, address, race, religion, political affiliations, sexual preferences, medical data, insurance data, biometric or genetic data, and any other information that can be used to identify an individual.

7. Non-EU organizations will need an EU representative

All organizations subject to GDPR are required to have a representative within the EU so that the authorities can easily contact a representative of the company in person. Non-EU organizations are therefore encouraged to appoint a representative within the EU.

8. GDPR requires the appointment of a DPO

Article 37 of the GDPR clearly states the criteria for designating a DPO (Data Protection Officer). The DPO is an enterprise security leadership role. To determine whether your organization requires a DPO, you must assess your requirements against the following four criteria:

  • Data subjects

  • Data items

  • Length of data retention

  • The geographic range of processing

9. GDPR penalties are serious

GDPR non-compliance incurs heavy fines. GDPR fines can reach 4% of annual global turnover or €20 million. Regardless of the severity of the violation, the authorities often impose the heaviest possible fines. Google was fined €50 million for not correctly disclosing how it collected data across its different services, such as YouTube and Search.

10. You need not be alone to deal with GDPR compliance

The good news is that you do not need to deal with GDPR compliance alone. Automated platforms can scan your website and data security systems to check all essential GDPR compliance requirements, and you can then make a list of everything still needed to ensure compliance. Scrut Compliance helps you become GDPR compliant in the shortest possible time.

Scrut Automation is a smart and radically simple Governance, Risk and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce their manual effort by around 70% in continuously maintaining compliance with SOC 2, ISO 27001, PCI DSS, and privacy laws such as HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.

