GDPR Compliance - 101

Updated: Jul 29

Introduction to GDPR Compliance

As a business owner, reaching the point where you need to comply with a regulation but don't know how can be frustrating. That is normal: information security and privacy regulations are hard to interpret correctly without guidance.

GDPR is one such regulation. It became applicable in 2018 and is the central piece of legislation protecting the personal data of people in the European Union. It directly affects businesses operating within EU countries, and its effects are felt indirectly by businesses around the world that serve EU customers.

So let's look at what GDPR is really about, its basics, and when it applies to you.

What is GDPR?

The General Data Protection Regulation, or GDPR, is an EU regulation that governs how organizations collect, store, and process the personal data of people in the European Union (EU). It has been described as "the biggest shake-up of online privacy since the birth of the internet." The regulation covers companies established in the EU, and also companies outside the EU that offer goods or services to people in the EU or monitor their behaviour.

It is a law created to keep the personal data of people in the EU safe and secure. GDPR was adopted by the European Parliament on April 14th, 2016, and became applicable on May 25th, 2018.

Basically, GDPR places obligations on businesses so that every person in the EU can exercise their right to the protection of their personal data, which the EU Charter of Fundamental Rights treats as a fundamental right.

Does it apply to your business?

This question is more nuanced than it seems. Oversimplifying, any company with a website, email, online marketing, a SaaS product, or a cloud-based business that has at least one customer or user located in the EU is within GDPR's scope. Note that the test is whether the data subject is in the EU, not whether they are an EU citizen. For a more nuanced answer, see our blog post on who GDPR applies to.

Basics of GDPR

GDPR is a comprehensive set of rules, passed as legislation, for protecting the privacy of people in the EU. A few key GDPR requirements are:

  • A lawful basis (such as the data subject's consent) for every processing activity, established before processing starts.

  • Pseudonymization or anonymization of collected data where feasible, to protect privacy.

  • Prompt data breach notification to the supervisory authority and, where the risk is high, to the affected individuals.

  • Safeguards for transfers of personal data outside the EU.

  • Appointment, in certain cases, of a data protection officer (DPO) to oversee GDPR compliance.

GDPR classifies any information relating to an identified or identifiable natural person as that person's personal data. This includes information like name, photos, email address, banking details, social media posts and profiles, medical history, or IP address. In a nutshell, GDPR mandates a baseline set of standards for organizations that handle the data of people in the EU, to better secure the processing and movement of that personal data.

Need for Consent

Where consent is the lawful basis for collecting personal data, it must be requested from the user before the data is collected, and it must be freely given, specific, informed, and unambiguous. Consent requests and privacy terms must be written in clear and plain language, with no confusing terms or rambling. Withdrawing consent must be as easy as giving it, and the process should be simple and accessible to all users so they can withdraw at any time.

Breach Notification

In case of a personal data breach, the organization must notify the relevant supervisory authority within 72 hours of becoming aware of it, where feasible, describing the nature of the breach and the data affected. If the breach is likely to result in a high risk to individuals, the organization must also inform the affected individuals without undue delay. Suitable channels for informing individuals include email, phone, and public announcements.

Right to Erasure

Personal data belongs to the individual it describes, not to the company that collected it. Individuals therefore have the right to have their data erased from the company's cloud and servers, in the circumstances GDPR sets out (for example, when the data is no longer needed for its original purpose or consent is withdrawn). The company must also pass the erasure request on to any third-party vendors or SaaS providers with whom it shared the data, so the data is not distributed further.

Right to Access

Everyone covered by GDPR has the right to know whether and how their data is being used and processed by the organization: why it is needed, where it is stored, how long it will be kept, and who else it is shared with outside the organization. They can also request a copy of the data itself. This must be provided free of charge, although a reasonable fee may be charged for further copies or manifestly excessive requests.

Privacy by Design

Only the minimum personal data needed to deliver a service or product should be requested from users, and the default settings should be the most privacy-protective ones. The data collected should be stored and processed only by the personnel and systems that need it, and only for as long as the organization needs it to conduct its business with the users.

Appointment of DPOs

A Data Protection Officer's (DPO) job is to ensure the protection of the personal data of everyone whose data the organization handles. They advise on and monitor the organization's processing and transfers of personal data and act as the contact point for the supervisory authority. An organization must appoint a DPO, regardless of its size, if any of the following conditions apply:

  • It is a public body or authority.

  • Its core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale.

  • Its core activities consist of large-scale processing of special categories of data (for example, health records, racial or ethnic origin, religion, or sexual orientation) or of data relating to criminal convictions and offences.

7 Fundamental Principles of GDPR

GDPR is well-written legislation built around the major privacy concerns of people in the EU. It has helped organizations rebuild trust, both among themselves and with consumers. Article 5 of the official GDPR text sets out the principles on which the law is built, and Articles 6 to 11 elaborate on lawful bases, consent, and special categories of data.

  1. Lawfulness, fairness, and transparency- The personal data of the data subjects shall be processed lawfully, fairly, and transparently.

  2. Purpose limitation- Personal data should be collected for specified, explicit, and legitimate purposes and not processed further in a way incompatible with those purposes. Processing should stop once the purpose is no longer valid.

  3. Data minimisation- The company should request only the personal data that is adequate, relevant, and necessary for the purpose. For example, a gaming website has no business asking for a user's medical records.

  4. Accuracy- Personal data must be accurate and, where necessary, kept up to date. The organization must take reasonable steps to erase or correct inaccurate data, and data subjects should be able to have their data rectified.

  5. Storage limitation- Data should be kept only as long as it is needed to carry out the specified purpose for which it was acquired. Essentially, data that can be used to identify an individual must not be stored longer than necessary. GDPR Article 89(1) allows some exceptions, for example for archiving in the public interest, scientific or historical research, and statistical purposes, subject to appropriate safeguards.

  6. Integrity and confidentiality- Personal data must not be left in a vulnerable position for the sake of processing. Appropriate technical and organizational measures must be in place to protect it against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

  7. Accountability- Demonstrating compliance is as important as compliance itself. The controller is responsible for complying with the principles above and must be able to show that it does, and it will be held responsible for any data breaches.

Consent is not one of the Article 5 principles, but it is one of the lawful bases for processing under Articles 6 and 7 and is often treated as a core GDPR requirement. Where it is relied on, any processing of personal data, including collection, storage, and sharing, must follow an opt-in model: a clear consent request is put to the data subject, who can accept it and withdraw it at any time.

Penalty for GDPR non-compliance

If your organization is not compliant with GDPR, it may incur a heavy fine. For the most serious violations, GDPR fines can reach 4% of annual global turnover or €20 million, whichever is higher; a lower tier of 2% or €10 million applies to other violations. Fines are set case by case, taking into account factors such as the nature, gravity, and duration of the violation, whether it was intentional or negligent, and the steps taken to mitigate the damage.

The leading tech giants have also come under tight scrutiny, and some of the largest GDPR fines have been levied on them. In July 2021, Luxembourg's data protection authority fined Amazon €746 million (about $888 million) for GDPR violations. In September 2021, Ireland's Data Protection Commission fined WhatsApp €225 million, largely for failing to be transparent with users about how their data was processed.

Becoming GDPR Compliant with Scrut

GDPR compliance may seem daunting at first, but we at Scrut Automation are experts at getting you GDPR compliant quickly.

Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce their manual effort by roughly 70% while continuously maintaining compliance with SOC 2, ISO 27001, and PCI DSS, and with privacy laws such as GDPR, HIPAA, and CCPA. Schedule your demo today to see how it works.
