GDPR compliance – 101

Most organizations find it difficult to meet the requirements of GDPR, primarily because the legislation is extensive and implementing it takes resources that many firms lack.

However, complying with the General Data Protection Regulation is not a choice, but a necessity, for firms and organizations with users based in the EU. So how can you go forward with implementing the right policies? 

By understanding the regulation thoroughly. Below we have created a GDPR guide listing what you need to know: what the regulation is, what it requires, and how it can be complied with.

What is GDPR compliance?

GDPR stands for General Data Protection Regulation. It is an EU data protection law (Regulation (EU) 2016/679), not an information security standard. It was adopted by the European Parliament on April 14, 2016, entered into force on May 24, 2016, and has applied to organizations since May 25, 2018.

The primary objectives of the regulation are to harmonize data protection law across Europe, to protect and strengthen the privacy rights of individuals in the EU, and to change how businesses in the region approach data protection.

In essence, GDPR imposes obligations on businesses so that every individual in the EU can exercise their right to the protection of their personal data, which the EU Charter of Fundamental Rights recognizes as a fundamental right.

What are the requirements for becoming GDPR compliant? 

GDPR is built around the major privacy concerns of EU residents. It was developed in an era of data democracy and is helping organizations address the trust deficit with consumers. How? By becoming GDPR compliant.

Becoming compliant means aligning with the GDPR requirements. Organizations need to follow the basic principles on which the law is based in order to ensure that the requirements are met. Chapter II of the regulation (Articles 5 to 11, "Principles") covers these; the core principles are listed in Article 5 and are as follows:

  1. Lawfulness, fairness, and transparency – personal data must be processed lawfully (on one of the legal bases listed in Article 6), fairly, and in a transparent manner; organizations must hold themselves accountable and inform data subjects about how their personal data is used and stored.
  1. Purpose limitation – personal data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those purposes.
  1. Data minimization – this principle states that a company should collect only personal data that is adequate, relevant, and limited to what is necessary for the purpose. For instance, a gaming website should not request the user’s medical records.
  1. Accuracy – personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be rectified or erased without delay, and data subjects should be able to request such corrections.
  1. Storage limitation – per this principle, data should be kept in a form that identifies the data subject only as long as necessary for the purpose for which it was collected. Longer retention for archiving in the public interest, scientific or historical research, or statistical purposes is permitted under the conditions of GDPR Article 89(1).
  1. Integrity and confidentiality – this principle states that personal data must be processed securely. There should be appropriate technical and organizational measures in place to prevent unauthorized or unlawful processing and accidental loss, destruction, or damage.
  1. Accountability – the controller is responsible for compliance and must be able to demonstrate it (Article 5(2)); demonstrating compliance is as important as compliance itself. Your organization will be held responsible for personal data in the event of a data breach.
  1. Consent – strictly speaking, consent is not an Article 5 principle but one of the six lawful bases for processing in Article 6. Where you rely on it, consent must be freely given, specific, informed, and unambiguous (Article 4(11)) and obtained through an opt-in action; pre-ticked boxes do not count. The data subject must be able to withdraw consent at any time, as easily as it was given (Article 7(3)).

Why should businesses comply with GDPR?

For organizations processing the personal data of individuals in the EU, compliance with GDPR is not optional. The regulation brought major changes for organizations serving the European market, regardless of where they are located.

These changes include stricter conditions for consent, stricter rules for handling personal and sensitive data, and tight deadlines for responding to data breaches.

If organizations fail to comply with the GDPR requirements, penalties are imposed. There are two tiers (Article 83). The first is a fine of up to €10 million or 2% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher, for less serious infringements such as failing to keep records or to notify a breach. The second is a fine of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for serious violations such as breaching the basic principles, the conditions for consent, or data subjects’ rights.

The goal of GDPR compliance is to raise the level of data protection in organizations doing business in the EU or with individuals in the EU. As a result, it provides stronger data protection and privacy for individuals in the EU, whether they are customers or employees.

Which organizations does GDPR apply to? 

The question ‘does my organization need to comply with EU GDPR when we are not based in the EU?’ comes up often.

The answer is set out in Article 3. GDPR applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there. In practice, a company with a website, email marketing, online advertising, SaaS delivery, or a cloud-based service that is aimed at users in the EU falls under GDPR even if it has no EU office. Note that the test is where the data subject is, not their citizenship.

It also covers organizations that intend to do business with EU residents and ask for their personal data, including sensitive data.

For instance, if a medicine delivery app that can infer a patient’s condition from the medicines they buy wishes to expand into the European Union, its parent company and any subsidiaries using this data will need to comply with GDPR before the app can operate there.

How to become GDPR compliant?

Now that we have discussed the requirements, applicability, and penalties, let’s look at the process by which organizations can become compliant.

One of the biggest mistakes organizations make while trying to become GDPR compliant is treating data privacy in bits and pieces. Small tweaks to your privacy policy, without the processes, training, and controls to back them up, are insufficient for GDPR compliance.

To ensure GDPR compliance, companies need to think about privacy protection holistically. Below is a step-by-step guide that discusses how to take a holistic approach to GDPR compliance.

Start with the prep work

Start with preparing for the GDPR obligations. This includes involving the appropriate cross-functional stakeholders from across the company in the project and conducting a gap assessment to identify which areas need to be fixed before implementation begins.

Prepare a data policy

Develop a clear and easy-to-understand data policy that describes the legal basis for data acquisition, processing, transfer, and retention across the different categories of data you handle. The data subject must know why you want their data, how you will get it, what it will be used for, and how long it will be stored.

Appoint a DPO

As per Article 37 of GDPR, a Data Protection Officer (DPO) must be appointed if the organization is a public authority, if its core activities involve regular and systematic monitoring of data subjects on a large scale, or if its core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Headcount is not the test in the regulation itself, although some member states add national thresholds of their own. The company has the discretion to either name an internal employee as DPO or to appoint an external one.

If an internal DPO is appointed, the company needs to ensure that he or she does not have a conflict of interest, for example because they also run IT, HR, or a senior management function that decides on the purposes and means of processing (Article 38(6)). Both internal and external DPOs must provide expert guidance on data protection law and practice; the level of expertise required depends on the complexity of the data processing and the size of the company.

The appointed DPO works independently (Article 38) and is responsible for monitoring the organization’s adherence to GDPR. They must ensure that every point on the GDPR checklist is met, which leads us to our next point.

Create a checklist

Create a comprehensive activity checklist to identify any gaps in your data acquisition, processing, sharing, and retention processes. You will also need to document the legal basis for each of these processing activities.

Creating a data flow map will help in identifying gaps and risks. A data flow map and gap analysis also help you comply with Article 30 of the GDPR, which requires keeping a record of all processing activities.

Define the process to address the rights of the data subject 

You will need consent from your users before you set non-essential cookies or otherwise process their personal data on the basis of consent. (Cookies themselves are governed by the ePrivacy Directive, which relies on the GDPR definition of consent.) The request should be presented to users concisely and plainly, stating what data you store, why, and how long you intend to keep it.

Data subjects must also be able to withdraw their consent at any time (Article 7(3)). Here are a few requirements, drawn from the GDPR rules on consent, that a cookie consent request sent to users must meet.

  • State which cookies your site uses and which categories (strictly necessary, analytics, marketing, and so on) they belong to.
  • Non-essential cookies must only be set after users have consented to them.
  • Ensure users are aware of both your cookie policy and your privacy policy. The language of both policies should be clear and concise.
  • Respect the preferences and consent of users.
  • Enable the data subjects to give clear, affirmative consent to the use of cookies, per category; pre-ticked boxes do not count as consent.
  • Allow users to change their cookie preferences or withdraw consent completely at any time.
  • Maintain retrievable logs and records of consent preferences so that you can demonstrate consent was given (Article 7(1)).
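The last three points above are the ones that fail most often in practice: consent is stored as a single boolean that gets overwritten, withdrawal is not recorded, and non-essential cookies are set by default and removed only if the user objects. The following is an added example, not code from the original article, showing an append-only consent ledger with per-purpose decisions, withdrawal as a new event rather than an overwrite, point-in-time queries for audit, and a default-deny check before any non-essential cookie is set. The cookie names, purposes and policy versions are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision. Events are immutable and never deleted, so the
    ledger can show exactly what a data subject agreed to, when, and under
    which policy version (Article 7(1) puts the burden of proof on you)."""
    subject_id: str
    purpose: str          # e.g. "analytics" or "marketing"; one purpose per event
    granted: bool         # True = consent given, False = consent withdrawn
    policy_version: str   # version of the cookie/privacy policy shown at the time
    source: str           # where it was captured, e.g. "cookie_banner"
    at: datetime          # timezone-aware UTC timestamp


class ConsentLedger:
    """Append-only log of consent events with point-in-time queries."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               policy_version: str, source: str,
               at: datetime | None = None) -> ConsentEvent:
        event = ConsentEvent(subject_id, purpose, granted, policy_version,
                             source, at or datetime.now(timezone.utc))
        self._events.append(event)   # never overwrite: withdrawal is a new event
        return event

    def is_consented(self, subject_id: str, purpose: str,
                     at: datetime | None = None) -> bool:
        """True only if the most recent decision for this subject and purpose,
        as of `at`, was a grant. No event at all means no consent (opt-in)."""
        at = at or datetime.now(timezone.utc)
        latest: ConsentEvent | None = None
        for event in self._events:
            if (event.subject_id == subject_id and event.purpose == purpose
                    and event.at <= at
                    and (latest is None or event.at >= latest.at)):
                latest = event
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded for one data subject, e.g. for an access request."""
        return [e for e in self._events if e.subject_id == subject_id]


# Constructed cookie inventory for this example. Strictly necessary cookies need
# no consent; every other cookie is tied to a purpose that must be consented to.
STRICTLY_NECESSARY = {"session_id", "csrf_token"}
COOKIE_PURPOSE = {"_ga": "analytics", "_fbp": "marketing"}


def cookies_allowed(ledger: ConsentLedger, subject_id: str,
                    requested: list[str],
                    at: datetime | None = None) -> tuple[list[str], list[str]]:
    """Split the cookies a page wants to set into (allowed, blocked).
    Default deny: a cookie that is neither strictly necessary nor covered by a
    current consent for its purpose is blocked, including cookies that are not
    in the inventory at all."""
    allowed, blocked = [], []
    for name in requested:
        if name in STRICTLY_NECESSARY:
            allowed.append(name)
            continue
        purpose = COOKIE_PURPOSE.get(name)
        if purpose is not None and ledger.is_consented(subject_id, purpose, at):
            allowed.append(name)
        else:
            blocked.append(name)
    return allowed, blocked
```

The point-in-time `at` argument matters for audits: when a regulator asks why an analytics cookie was set on a given date, you need to show which consent was in force then, not what the user's preference is today. Storing the policy version with each event also lets you detect users whose consent predates a material change to the policy and must be re-collected.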

Conduct a data protection impact assessment

Before starting any new processing that is likely to result in a high risk to the rights and freedoms of individuals (Article 35), for example large-scale profiling or processing of special categories of data, a Data Protection Impact Assessment (DPIA) must be conducted. The controller is responsible for carrying out the DPIA and must seek the advice of the DPO, who assesses the planned processing and how it may affect the privacy of data subjects.

Secure data transfer with third-party entities

All third-party entities, partners, and vendors that handle personal data on your behalf need to be GDPR compliant as well. A good way to enforce this is to make it part of vendor onboarding and of the written data processing agreement that Article 28 requires with every processor.

Even if the data is transferred outside the EU/EEA, the transfer must be done in a GDPR-compliant manner: Chapter V requires an adequacy decision for the destination country, appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of the derogations in Article 49. Remember, GDPR protects the data of individuals in the EU and is not bound by where the data happens to be stored.

Implement data breach contingencies

GDPR requires that a personal data breach be reported to the competent supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). Where the risk is high, the affected data subjects must also be informed without undue delay (Article 34). To comply, your organization should have established processes for detecting and responding to breaches and for notifying the relevant supervisory authority.

What is Data Mapping, and why is it important? 

One of the essential parts of GDPR compliance is its insistence on appropriate data mapping. It is the starting point for the other requirements under GDPR, such as handling data subjects’ requests, recording data processing activities, and carrying out data protection impact assessments.

Following are the articles under GDPR that emphasize the importance of data mapping for GDPR compliance.

Breach notification – Article 33

One of the reasons why well-documented data mapping is useful is that it makes breach notification much easier. If the data within the organization is not mapped in an organized manner, then estimating how much personal data was exposed, or which data subjects were affected, becomes a hassle.

As per Article 33, controllers are required to notify the competent supervisory authority (Article 55) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

If the risk to the data subjects is high, they must also be informed without undue delay (Article 34). Such a short window makes it near impossible to establish the extent of a breach if the data has not been mapped beforehand.
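To make the argument above concrete, here is an added example, not part of the original article, of how a data map turns the question "what did we lose?" into a lookup that an incident responder can run in the first hour rather than the last. The map itself is constructed for the example (three hypothetical systems, one operated by a hypothetical processor named HelpDeskCo); the high-risk category list is a policy choice, since GDPR leaves the risk assessment to the controller.

```python
from datetime import timedelta

# Constructed data map for this example. In practice it is derived from the
# Article 30 record of processing and the asset inventory: for each system,
# the categories of personal data it holds, the population of data subjects
# it covers, and who operates it (the controller itself or an Article 28
# processor).
DATA_MAP = {
    "crm": {
        "categories": {"name", "email", "phone"},
        "subjects": {"customers"},
        "operator": "controller",
    },
    "support_desk": {
        "categories": {"name", "email", "ticket_text"},
        "subjects": {"customers"},
        "operator": "HelpDeskCo",   # hypothetical processor
    },
    "hr_system": {
        "categories": {"name", "bank_account", "health_data"},
        "subjects": {"employees"},
        "operator": "controller",
    },
}

# Categories whose exposure we treat as high risk to individuals: Article 9
# special categories plus data that enables financial fraud. This mapping is
# a policy choice for the example, not text from the regulation.
HIGH_RISK_CATEGORIES = {"health_data", "bank_account", "biometric_data", "genetic_data"}

NOTIFICATION_WINDOW = timedelta(hours=72)   # Article 33(1)


def scope_breach(compromised_systems, aware_at):
    """Derive the scope and the notification obligations of a breach from the
    data map. `aware_at` is when the organization became aware of the breach,
    which is the moment the 72-hour clock starts."""
    if not compromised_systems:
        raise ValueError("at least one compromised system is required")
    categories, subjects, processors = set(), set(), set()
    for name in compromised_systems:
        if name not in DATA_MAP:
            # An unmapped system means the map is incomplete. Fix the map rather
            # than guess: the notification has to state what was affected.
            raise KeyError(f"{name!r} is not in the data map")
        entry = DATA_MAP[name]
        categories |= entry["categories"]
        subjects |= entry["subjects"]
        if entry["operator"] != "controller":
            processors.add(entry["operator"])
    high_risk = categories & HIGH_RISK_CATEGORIES
    return {
        "categories": sorted(categories),
        "subjects": sorted(subjects),
        "processors_to_engage": sorted(processors),             # Article 33(2)
        "notify_authority_by": aware_at + NOTIFICATION_WINDOW,  # Article 33(1)
        "notify_data_subjects": bool(high_risk),                # Article 34(1)
        "high_risk_categories": sorted(high_risk),
    }


def hours_remaining(aware_at, now):
    """Hours left in the Article 33 window. A negative value means the deadline
    has passed and the notification must give reasons for the delay."""
    return (aware_at + NOTIFICATION_WINDOW - now) / timedelta(hours=1)
```

Two details are deliberate. An unmapped system raises rather than returning an empty scope, because a silent "nothing affected" answer is exactly the failure mode the mapping is meant to prevent. And the operator field is what tells you whether a processor is involved, which matters because a processor's own duty under Article 33(2) is to notify you, not the authority, so you still own the deadline.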

Consent Management – Articles 4 and 7

Article 4(11) of the GDPR defines consent as a freely given, specific, informed, and unambiguous indication of the data subject’s wishes, and Article 7 sets the conditions for relying on it. Data subjects should have a clear understanding of what information will be used, why, and how.

GDPR also requires organizations to allow the data subjects the freedom to withdraw their consent whenever they desire. 

This process can be highly complex, which is why data mapping is essential to document which parts of data acquisition, processing, and sharing rely on consent as their legal basis, and which rely on another basis.

RoPAs (record of processing activities) – Article 30

Under GDPR Article 30, controllers and processors are required to maintain a record of processing activities (RoPA) in which all data processing activities are tracked and documented. Article 30(5) exempts organizations with fewer than 250 employees, but only if their processing is occasional, is unlikely to result in a risk to data subjects, and involves no special categories of data.

It must include the purposes of processing, the legal basis, the categories of data subjects and data, recipients, cross-border transfers, retention periods, and a description of security measures. Data mapping enables organizations to track these activities with precision and document them in one place.

Such a map can link together various other dependencies required to fulfill the task of data processing.

DPIA (Data Protection Impact Assessments) – Article 35

Under Article 35 of the GDPR, organizations must carry out a data protection impact assessment (DPIA) for processing that is likely to result in a high risk to individuals, for example systematic and extensive profiling, large-scale processing of special categories of data, or large-scale systematic monitoring of a publicly accessible area.

A DPIA must document the nature, scope, context, and purposes of the processing, assess the risks to data subjects, and describe the measures taken to address them. To conduct a DPIA efficiently, organizations must first map the processing it covers.

What type of data is collected, when and how will it be collected and processed, where will the data be stored, who will it be shared with, and how will the data flow to various systems and vendors? All of this can be understood and recorded through appropriate data mapping.

To learn about GDPR Data Mapping in more detail, you can go through the article linked here

What are the rights granted to consumers under GDPR?

As mentioned above, there is a defined process to follow when asking data subjects for consent to share, store, or process their data. That process exists to protect the rights of the data subject under the GDPR.

But the question to ask here is: what rights does GDPR grant to consumers? Below we have listed the eight fundamental rights of data subjects (Chapter III) and their elements.

  • The right of access (Article 15) entails two things: the ability to learn whether personal data concerning them is being processed, and the ability to obtain a copy of that data together with information such as the purposes of processing, the recipients, and the retention period.
  • The right to rectification (Article 16) gives data subjects the right to have inaccurate personal data corrected and incomplete data completed; controllers must apply the correction without undue delay.
  • Under the right to erasure, or right to be forgotten (Article 17), the controller must delete personal data without undue delay when one of the listed grounds applies, for example the data is no longer needed for its purpose or the data subject withdraws consent. The right is not absolute: Article 17(3) lists exceptions such as compliance with a legal obligation.
  • The right to restriction of processing (Article 18) lets data subjects limit how their personal data is processed in certain situations, such as while its accuracy is contested; restricted data may still be stored but not otherwise processed without the data subject’s consent.
  • The notification obligation (Article 19) requires the controller to communicate any rectification, erasure, or restriction to each recipient to whom the data was disclosed, and to inform the data subject about those recipients on request.
  • The right to data portability (Article 20) allows data subjects to receive the personal data they provided to the controller in a structured, commonly used, machine-readable format, and to have it transmitted directly to another controller where technically feasible. It applies where processing is based on consent or a contract and is carried out by automated means.
  • Under the right to object (Article 21), the data subject can object at any time to processing based on public interest or legitimate interests (Article 6(1)(e) or (f)), including profiling. The controller must stop unless it can demonstrate compelling legitimate grounds that override the data subject’s interests; an objection to direct marketing must always be honoured.
  • The rights related to automated decision-making (Article 22) give the data subject the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, subject to the exceptions in Article 22(2).

Conclusion 

GDPR is extensive legislation covering all facets of privacy for data subjects in the European Union. Hopefully, this guide to GDPR compliance will help you understand the ins and outs of the legislation holistically.

While complying with the several articles under the official GDPR document is a challenging task, it is mandatory if you’re looking to serve consumers in the EU. What’s the best way to go about it? Using GDPR compliance software platforms like Scrut can be a game-changer for most organizations since we have all the tools at our disposal to make your compliance journey a painless one. 

Frequently asked questions (FAQs)

1. Are there any GDPR fines for non-compliance?

GDPR enables each country’s data protection authority to impose sanctions and fines on organizations that break the law. The maximum GDPR fine is €20 million or 4% of total worldwide annual turnover, whichever is higher. Aside from fines, data protection authorities may also order restrictions on processing or issue public reprimands.

2. What processing does GDPR apply to?

GDPR applies to the processing of personal data by controllers (the organizations that decide why and how data is processed) and processors (the entities that process data on their behalf) established in the EU/EEA, regardless of whether the processing itself takes place in the EU/EEA. It also applies to controllers and processors outside the EU/EEA that offer goods or services to individuals in the EU or monitor their behaviour there.

3. What does a Data Protection officer do under GDPR?

A Data Protection Officer (DPO) is the person in your organization who is responsible for understanding the GDPR and monitoring compliance with it. The DPO is the primary point of contact for the data protection authority and for data subjects. The DPO must be someone with expert knowledge of data protection law and an understanding of information technology.

4. How is personal data different from sensitive information?

Personal data is any information relating to an identified or identifiable living individual. Sensitive personal data, which GDPR calls special categories of personal data (Article 9), covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation. Processing it is prohibited unless one of the Article 9(2) conditions applies, because its exposure can cause serious harm to the individual.

5. Which countries does EU GDPR compliance apply to?

All 27 EU member states are subject to GDPR. Iceland, Norway, and Liechtenstein, which are part of the EEA, also apply GDPR since it was incorporated into the EEA Agreement in 2018.

Scrut Automation is a smart and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.
