Enforceable since 2018, the General Data Protection Regulation (GDPR) requires companies across the European Union (EU) to protect the privacy of, and safeguard the data they keep on their employees, customers and third-party vendors—also referred to as data subjects. Companies are under legal obligation to keep the information of their data subjects safe and secure.

GDPR ushered in a new era of data privacy law that offers a much higher level of protection for EU citizens and their data. Since its inception, GDPR has become the model for many other privacy laws now in effect around the world. Similar data protection security standards are being adopted in Brazil, China, Japan and many other nations, including the US implementation of the California Consumer Privacy Act (CCPA) in January 2020.

Under GDPR, companies are no longer permitted to be as negligent with personal data. This security standard has forever changed how the personal information of data subjects is protected—and for the better. Companies that carelessly allowed personal data to be lost are now accountable for the security and careful management of the personal data of EU citizens.

Here we take a closer look at GDPR data protection guidelines.

GDPR Guidelines: The basics

GDPR guidelines apply to any enterprise inside the European Economic Area that processes personal information—regardless of its location and the citizenship or residence of its data subjects. The European Economic Area consists of the Member States of the EU and three countries of the European Free Trade Association (Iceland, Liechtenstein and Norway; excluding Switzerland).

If your business offers services or products to EU citizens in Europe, then you are subject to GDPR guidelines. Because of this, businesses must appoint a Data Protection Officer (DPO) who is solely in charge of GDPR compliance.

GDPR has a specific set of regulations that deal with the definition of personal information—any data that can be used to clearly identify an individual. Some examples include national insurance numbers in the UK, mailing addresses, email addresses and phone numbers. The scope has grown considerably and now includes IP addresses, login ID details, social media posts and digital images, as well as geolocation, behavioural and biometric data, all of which is now considered Personally Identifiable Information (PII).

Companies must have a lawful purpose to store and process the personal data of any data subject. EU citizens have a number of rights and policies in place to ensure their data is kept securely. If a company that stores data does not have the correct processes in place to manage that data in a secure manner, then EU citizens have the lawful right to request that their information be securely deleted.

Companies must maintain detailed records of when consent to store data is given, along with the security precautions in place. They must notify individuals if their data is being used and the manner in which it is being processed.

The conditions around obtaining consumer data are stricter under GDPR because data subjects can withdraw their consent at any time, placing responsibility on the company to obtain separate consents for different processing activities.

Companies have to prove that the individual agreed to a certain action, for example, to receive their monthly newsletter by email. It is no longer enough to only add a disclaimer to communications or simply provide an opt-out.

Sales and Marketing teams have had to change how they operate, including making changes to business policies, procedures and forms to ensure they are compliant with double opt-in rules and email marketing best practices.

Overview of GDPR guidelines

GDPR is not for the faint of heart. Its data protection guidelines are dense—there are 11 chapters and 91 articles in total. It’s important that your company review GDPR guidelines carefully with the help of a legal advisor or legal counsel. The key takeaway is that GDPR has serious implications for non-compliance. Taking the time to plan for and address each of the measures applicable to your business is worth the extra effort.

GDPR is based on seven principles that establish how personal data should be managed, and guide how to implement compliance measures to meet GDPR guidelines.

  • Lawfulness, fairness and transparency. Data subjects must stay informed regarding the purpose or intention of collecting their data and the time period of data processing.
  • Purpose limitation. Data must be used only for the purposes you have outlined to data subjects.
  • Data minimization. Collect only the data that is necessary. With GDPR, you must justify the amount of data that is being collected.
  • Accuracy. Data must be accurate and kept up-to-date.
  • Storage limitation. Set a retention period for data and document it. Data must be removed when it’s no longer necessary.
  • Integrity and confidentiality (security). You must implement systems/methods to keep data subjects completely anonymous.
  • Accountability. You must be able to prove compliance with GDPR whenever requested by authorities.

DPOs are responsible for complying with these seven principles. They are also accountable for how data is processed under the regulations and must be able to demonstrate a company’s compliance.

Penalties for non-compliance

Companies are required to comply with a data subject’s request for access to their data no later than one month after receiving it. If the request is received digitally, a response needs to be provided in a commonly used file format, such as CSV, XML or JSON.

In the event of a data breach, all affected parties must be notified in no more than 72 hours. All data breaches must be reported to GDPR regulators, and even small quantities of data loss or minor cybersecurity issues must be communicated within the specified timeframe.

Strong penalties have been outlined for failing to comply with GDPR guidelines. Fines can be as high as 4% of the company’s global yearly revenue or 20 million Euro, whichever is greater.

Discover and remediate unsecured data to ensure customer data is protected

With more and more data protection guidelines being implemented, it is a continual challenge to keep pace and fully comply with fast-changing global security and privacy standards. Companies need to take a data-centric approach to secure data directly and make sure they don’t expose it to potential threats. Understanding what personal data you have and where it is will allow you to put processes in place to protect the vast amounts of data that you store, process and collect.

Technology such as Enterprise Recon enables you to quickly and easily discover, remediate and report on more than 300 predefined and variant personal data types across multiple systems, and makes compliance much easier to achieve. With Enterprise Recon, you have the information you need to take measures to ensure personal data is appropriately secured.

At Ground Labs, we work closely with our customers to help them navigate the ins and outs of GDPR’s data protection guidelines and many other data security standards. We’d be happy to help identify the areas of GDPR you need to address and customize a strategy that can take care of the first step of complying—finding personal data across your systems.

Ready to mitigate your company’s risk? Request a demo with one of our experts.
