What is the GDPR?

First and foremost, the GDPR recognizes that data privacy is something everyone should be afforded, stating: “The protection of natural persons in relation to the processing of personal data is a fundamental right.”

The GDPR enforces this fundamental right by holding organizations accountable for the appropriate requesting, processing, storing, and transferring of sensitive personal data. Citizens are granted greater control over their data through privacy, consent, and legal authority. As such, businesses must adjust their data collection and data security practices to accommodate citizens’ rights and to ultimately comply with the GDPR.

Who does the GDPR apply to?

Any organization that processes the personal data of EU citizens within an EU state, or offers goods and services to them, must comply with the GDPR. This pertains to collected, transmitted, stored, and analyzed data. If, for example, your retail business operates out of the United States but transacts an online sale with an EU citizen, it must protect the consumer’s information based on the conditions of the GDPR.

Your business falls under the GDPR if it is:

  • Operating in the European Union.
  • Processing personal data of European residents, regardless of operating location(s).
  • Employing more than 250 people.
  • Processing qualified sensitive data from EU citizens at a frequent rate, even if employing fewer than 250 people.

What types of information are protected under the GDPR?

GDPR.EU defines personal data as any information that relates to an individual who can be directly or indirectly identified. Names, mailing addresses, email addresses, and phone numbers are obvious examples, though identifiable information also extends to:

  • Race
  • Ethnicity
  • Sexual orientation
  • Health and genetic data
  • Biometric data
  • National insurance numbers
  • IP addresses
  • Cookie data

The ubiquitous nature of the World Wide Web makes personal user exposure nearly impossible to avoid. Organizations are required to protect not only the information above but also less structured information, such as geolocation, social media posts, digital images, and revelations of character, including religious beliefs or political opinions.

That’s why organizations must be exceptionally meticulous in the way they secure data.

Who in your company will be responsible for GDPR Compliance?

GDPR compliance is an organizational effort; however, a select few positions take care of much of the heavy lifting.

The GDPR categorizes data handlers as controllers and processors. Data controllers determine the purposes and means of data processing and then communicate them to data processors, who are responsible for the execution. In other words, controllers provide instruction, and processors act on instruction.

Data controllers play an influential role in compliance by design, as they have the intuition and foresight to ensure new systems, products, and services meet compliance standards from the start. Data processors deal directly with the threat of security breaches; therefore, they must maintain records of personal data and document their processing actions.

Controllers and processors typically report to the Data Protection Officer (DPO), who stands at the nucleus of an organization’s compliance strategy. The DPO should oversee and enforce GDPR security requirements, manage audits, act as the liaison between the organization and compliance officials, and ensure the alignment of all data privacy operations.

While a DPO can considerably contribute to an organization’s overall compliance, an organization is not required to appoint a DPO unless it meets three conditions:

  1. The organization is a public authority.
  2. The organization partakes in systematic monitoring of people.
  3. The organization processes sensitive information on a large scale.

What happens if your company isn’t GDPR compliant?

Non-compliant organizations endure serious fines. The GDPR judges non-compliance on two levels:

Lower-level violations can result in a fine of 10 million euros or two percent of a non-compliant company’s worldwide annual revenue, whichever is higher. The most egregious violations double those monetary totals, punishing a company by taking the higher of 20 million euros or four percent of its worldwide annual revenue.

The GDPR leverages considerable fines as a way to steer companies towards compliance. Whether big or small, or rich or poor, a company will face a critical setback if hit with a GDPR-related penalty.

Of course, it helps to know how GDPR officials evaluate violations and assign them a fine. Here are 10 emerging considerations:

  1. How long was the infringement going on?
  2. How many data subjects were affected by the infringement?
  3. What was the level of damage to the impacted data subjects?
  4. Was the violation an act of intent or negligence?
  5. What actions were taken to mitigate the damage?
  6. Has the offender committed any violations in the past? If so, how many?
  7. Did the offender cooperate with supervisory authorities in resolving the data breach?
  8. What categories of personal data were affected by the breach?
  9. At what point were regulatory officials and impacted parties notified of the breach?
  10. What was the offender’s degree of responsibility regarding technical and organizational data security measures?

Use these considerations to help guide your compliance program. Train your staff on the immediate steps to take if a breach does occur. Review your breach reporting process to ensure the necessary information is transferred and communicated to minimize the duration of the vulnerability. Also, prepare your data security software and protocols with potential pitfalls in mind.

A Checklist to become GDPR compliant

Train your employees on the GDPR

Everyone in your organization should, at the very least, be aware of the GDPR and its significance. Employees that will regularly encounter the GDPR or work in accordance with it should receive detailed and ongoing training regarding it.

Prep applicable staff members with GDPR reading materials, create assessments to test their knowledge, hold weekly meetings to discuss updates and to field questions, and shadow them to ensure their understanding of systems and processes.

Conduct a full data audit

Before adjusting for future data, conduct an audit on the data that you already have. Determine where all GDPR-related data resides, where it came from, who has access to it, and what it’s being used for. Addressing your data inventory is an imperative early step in compliance efforts.

Review and update your company’s privacy policy

A thorough, fully transparent privacy policy is not only an essential communication to your site’s users but also a necessity for GDPR compliance. Thus, make sure your privacy policy uses clear language and properly informs users of their data rights. Also, ensure the policy appears as an obvious pop-up notification on all of your communication channels (web, mobile, etc.).

Evaluate all systems and processes for preparedness

Individuals have certain rights over their data, including the right to erasure, the right to access, and the right to opt-out. Your staff must have processes in place to complete individuals’ requests within the regulated time frame (typically a month).

Confirm how requests are documented, how quickly your team is informed of a request, and how data subjects are being updated while waiting for their request to come full circle.

Review your data breach reporting process

Preparation extends to data breaches as well. A data breach is perhaps the worst occurrence for an organization, as it compromises user trust and compliance efforts, and can ultimately lead to sanctions, lawsuits, and a damaged reputation.

That’s why your data controllers and data processors must be on the same page regarding data breach protocols. Make sure both sides understand their roles in the reporting process and leave no stone unturned in pursuit of a 100% breach reporting success rate.

Appoint a compliance team

Strongly consider appointing a compliance team to span all GDPR matters. The first step might be to hire a DPO if you don’t already have one. Then, surround the DPO with top IT performers and GDPR data security experts. The team will be responsible for monitoring compliance measures, developing compliance strategies, and keeping department heads up to date with compliance-related initiatives.

The Role of Data Discovery

Companies face the immense challenge of obeying GDPR rules while still leveraging data legally to catalyze business growth. Such objectives are nearly impossible to accomplish without precise data discovery.

Data discovery provides solutions to vital questions, including:

  • What sensitive data does my company possess?
  • Where is the data stored?
  • Why was the data collected?
  • How is the data being used?

By incorporating data discovery tools, your company can quickly and proactively locate, track, and trace data, whether it’s stored in the cloud, on employee devices, or within network repositories.

You’ll greatly benefit from organized databases capable of finding information through metadata indexing, keyword searching, and classification.

The best current data discovery tools will also keep your company GDPR compliant. Compliance software has built-in intelligence that accounts for regulations and alerts processors when an input or output is off base. Ultimately, it provides automated efforts to help identify the source of data breaches in a timely fashion.
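As an added illustration of the data-discovery questions above (what personal data do we hold, where is it, and is it somewhere it should not be), here is a small scanner that classifies a constructed set of files by the personal-data categories this page lists (email, phone, IP address, national insurance number) and flags locations outside an approved list. This is example code, not Ground Labs' product or the page's own; the file contents, patterns and approved-location list are all constructed assumptions.

```python
import re

# Constructed sample "repositories": path -> contents. None of this is real data.
SAMPLE_FILES = {
    "crm/export.csv": "name,email,phone\nAlice Example,alice@example.org,+44 20 7946 0000\n",
    "hr/payroll.txt": "Employee NI: AB123456C\nSalary band 4\n",
    "logs/web.log": '203.0.113.7 - - [10/Oct/2023] "GET /cart" 200\n',
    "docs/readme.md": "Internal style guide. No personal data here.\n",
}

# Illustrative (not exhaustive) patterns for categories the GDPR treats as personal data.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){7,12}\b"),
}


def classify(text):
    """Return {category: hit_count} for every personal-data pattern found in text."""
    hits = {}
    for label, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            hits[label] = n
    return hits


def build_inventory(files):
    """Answer 'what do we hold and where': map each location to the categories found there."""
    inventory = {}
    for path, text in files.items():
        hits = classify(text)
        if hits:  # locations with no personal data are left out of the inventory
            inventory[path] = hits
    return inventory


def locations_for(inventory, category):
    """List every location holding a given category, e.g. for an erasure request."""
    return sorted(path for path, cats in inventory.items() if category in cats)


def flag_unapproved(inventory, approved_locations):
    """Alert on personal data found outside the stores the data audit approved."""
    return sorted(path for path in inventory if path not in approved_locations)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FILES)
    print(inv)
    print("outside approved stores:", flag_unapproved(inv, {"crm/export.csv", "hr/payroll.txt"}))
```

Run over a real file tree, the same inventory feeds the data audit, the "where is it stored" question, and the alerting step described above.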

Other Common GDPR Compliance FAQs

What rights does the GDPR grant data subjects?

The GDPR refers to online visitors and customers as “data subjects.” Data subjects have the following privacy rights:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights concerning automated decision making and profiling

What are the seven principles of the GDPR?

The seven protection and accountability principles stand firmly as the foundation for GDPR compliance. Here they are:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

What is data protection by default?

To promote data minimization and purpose limitation, the GDPR requests companies exercise data protection by default, which means processing only the amount of data necessary to fulfill your intentions.

A company should calculate its data pool before the processing phase and communicate its limitations with users.

Guarantee your GDPR data protection by contacting Ground Labs, a data solutions company entirely devoted to helping organizations fulfill compliance standards. Discovering, managing, and securing data is what we do.