Blog Post

Everything you need to know about the GDPR guidelines

BY Stephen Cavey | 3 April 2020

What is the General Data Protection Act (GDPR): A definition

Enforceable since 2018, the General Data Protection Regulation (GDPR) requires companies across the European Union (EU) to protect the privacy of, and safeguard the data they keep on their employees, customers and third-party vendors—also referred to as data subjects. Companies are under legal obligation to keep the information of their data subjects safe and secure.

GDPR shepherded in a new era of data privacy law that offers a much higher level of protection for EU citizens and their data. Since its inception, GDPR has become the model for many other privacy laws now in effect around the world. Similar data protection security standards are being adopted in Brazil, China, Japan and many other nations, including the US implementation of the California Consumer Privacy Act (CCPA) in January 2020 and the California Privacy Rights Act (CPRA) which will go into effect in 2023.

Under GDPR, companies are no longer permitted to be as negligent with personal data. This security standard has forever changed how the personal information of data subjects is protected—and for the better. Companies who carelessly allowed personal data to be lost are now accountable for the security and careful management of personal EU citizen data.

Who is subject to GDPR compliance?

Any company that markets or sells goods to EU citizens, regardless of location, is subject to the GDPR. More specifically, companies that are required to comply with the GDPR include:

  • Those that have a presence in a EU country
  • Those that process personal data of EU residents
  • Has more than 250 employees
  • Has fewer than 250 employees but has data processing systems that regularly impact the rights of data subjects

What are the basics of the GDPR & its guidelines

GDPR guidelines apply to any enterprise, inside the European Economic Areas, that processes personal information—regardless of its location and the citizenship or residence of its data subjects. The European Economic Areas consist of the Member States of the EU and three countries of the European Free Trade Association (Iceland, Liechtenstein and Norway; excluding Switzerland).

If your business offers services or products to EU citizens in Europe, then you are subject to GDPR guidelines. Because of this, businesses must appoint a Data Protection Officer (DPO) who is solely in charge of GDPR compliance.

GDPR has a specific set of regulations that deal with the definition of personal information— any data that can be used to clearly identify an individual. Some examples include national insurance numbers in the UK, mailing addresses, email addresses and phone numbers. The scope has grown considerably and now includes IP addresses, login ID details, social media posts and digital images, as well as geolocation, behavioural and biometric data, which is now all considered to be Personal Identifiable Information (PII).

Here is a breakdown of some GDPR basics to know:

  1. Companies must have a lawful purpose to store and process the personal data of any data subject. EU citizens have a number of rights and policies in place to ensure their data is kept securely. If a company that stores data does not have the correct processes in place to manage that data in a secure manner, then EU citizens have the lawful right to request their information is securely deleted.
  2. Companies must maintain detailed reports of when consent to store data is given along with the security precautions in place. They must notify individuals if their data is being used and the manner in which it is being processed.
    The conditions around obtaining consumer data are stricter under GDPR because data subjects can withdraw their consent at any time, placing responsibility on the company to obtain separate consents for different processing activities.
  3. Companies have to prove that the individual agreed to a certain action, for example, to receive their monthly newsletter by email. It is no longer enough to only add a disclaimer to communications or simply provide an opt-out.
  4. Sales and Marketing teams have had to change how they operate, including making changes to business policies, procedures and forms to ensure they are compliant with double opt-in rules and email marketing best practices.

GDPR Guidelines: Everything you need to know

GDPR is not for the faint of heart. Its data protection guidelines are dense—there are 11 chapters and 91 articles in total. However, the following articles are arguably the most important to know:

  • Articles 17 & 18 - Gives data subjects more control over personal data that is automatically processed. This means users are able to transfer personal data between services more easily and they also have the right to ask a controller to remove or erase their data under certain circumstances.
  • Articles 23 & 30 - Requires companies to have procedures and measures in place in place in regard to data protection of consumers.
  • Articles 31 & 32 - Specifies the requirements for a single data breach including notifying Supervising Authorities of the breach within 72 hours of learning about it and notifying data subjects as quickly as possible of the breach when their rights and freedoms are at risk. 
  • Articles 33 & 33A - Requires companies to perform regular Data Protection Impact Assessments and Data Protection Compliance Reviews to identify any potential risk and ensure those risks are addressed.
  • Article 35 - Requires that certain companies - specifically, any company that processes data related to a subject’s genetic health, race, ethnic origin, religious beliefs, etc - appoint a Data Protection Officer (DPO).
  • Articles 36 & 37 - Outlines what encompasses the DPO position, including its responsibilities in ensuring GDPR compliance and reporting to Supervisory Authorities and data subjects in the case of breach.
  • Article 45 - Extends data protection requirements to any international company that collects EU citizens’ personal data to the same requirements and penalties of a EU-based company.
  • Article 79 - Outlines the penalties for non-GDPR compliance which can be up to 4% of the company’s global, annual revenue. 

It’s important that your company review GDPR guidelines carefully with the help of a legal advisor or legal counsel. The key takeaway is that GDPR has serious implications for non-compliance. Taking the time to plan for and address each of the measures applicable to your business is worth the extra effort.

7 GDPR guidelines to Know

GDPR is based on seven principles that establish how personal data should be managed, and guide how to implement compliance measures to meet GDPR guidelines.

  1. Lawfulness, fairness and transparency. Data subjects must stay informed regarding the purpose or intention of collecting their data and the time period of data processing.
  2. Purpose limitation. Data must be used only for the purposes you have outlined to data subjects.
  3. Data minimization. Collect only the data that is necessary. With GDPR, you must justify the amount of data that is being collected.
  4. Accuracy. Data must be accurate and kept up-to-date.
  5. Storage limitation. Set a retention period for data and document it. Data must be removed when it’s no longer necessary.
  6. Integrity and confidentiality (security). You must implement systems/methods to keep data subjects completely anonymous.
  7. Accountability. You must be able to prove compliance with GDPR whenever requested by authorities.

DPOs are responsible for complying with these seven principles. They are also accountable for the processing of the regulations and must be able to demonstrate a company’s compliance.

Penalties for non-compliance of GDPR

Companies are required to comply with a data subject’s request for access to their data no later than one month after receiving it. If the request is received digitally, a response needs to be provided in a commonly used file format, such as CSV, XML or JSON.

In the event of a data breach, all affected parties must be notified in no more than 72 hours. All data breaches must be reported to GDPR regulators, and even small quantities of data loss or minor cybersecurity issues must be communicated within the specified timeframe.

Strong penalties have been outlined for failing to comply with GDPR guidelines. Fines can be as high as 4% of the company’s global yearly revenue or 20 million Euro, whichever sum is the greatest.

Discover and remediate data to ensure customer data is protected

With more and more data protection guidelines being implemented, it is a continual challenge to keep pace and fully comply with fast-changing global security and privacy standards. Companies need to take a data-centric approach to secure data directly and make sure they don’t expose it to potential threats. Understanding what personal data you have and where it is will allow you to put processes in place to protect the vast amounts of data that you store, process and collect.

Technology such as Enterprise Recon enables you to quickly and easily discover, remediate and report on more than 300 predefined and variant personal data types across multiple systems, and makes compliance much easier to achieve. With Enterprise Recon, you have the information you need to take measures to ensure personal data is appropriately secured.

At Ground Labs, we work closely with our customers to help them navigate the ins and outs of GDPR’s data protection guidelines and many other data security standards. We’d be happy to help identify the areas of GDPR you need to address and customize a strategy that can take care of the first step of complying—finding personal data across your systems.

Ready to mitigate your company’s risk? Request a demo with one of our experts.

Want to keep up with all our blog posts? Subscribe to our newsletter!

Subscribe