A Comprehensive Guide to GDPR Compliance

What is the General Data Protection Act (GDPR)?

The General Data Protection Act (GDPR) is a set of privacy rules and standards that covered entities need to follow in order to protect the online information of EU citizens. It is the largest and most impactful data privacy regulation of the last 20 years, and failure to comply can cost companies severe fines. First and foremost, 

The GDPR recognizes that data privacy is something everyone should be afforded, stating: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” 

The GDPR enforces this fundamental right by holding organizations accountable for the appropriate requesting, processing, storing, and transferring of sensitive personal data. As a result, Citizens are granted greater control over their data through privacy, consent, and legal authority. Maintaining GDPR compliance has become more important than ever and businesses must adjust their data collection and data security practices to accommodate citizens’ rights and to ultimately comply with the GDPR.

How Did the GDPR Come About?

The GDPR came about due to public concerns over privacy. The EU has long been leading the way in regard to data privacy and how companies handle and use the personally identifiable information (PII) of its consumers. The GDPR that is in place today is the result of technology transforming our lives in ways that could not have been expected, and a need for rules and regulations that are relevant to the world we live in. It replaces the EU’s Data Protection Directive which was established in 1995 when the internet was in its infancy. 

Which Companies are Affected by GDPR Compliance?

Any organization that processes the personal data of EU citizens within an EU state, or offers goods and services to them, must comply with the GDPR. This pertains to collected, transmitted, stored, and analyzed data. If, for example, your retail business operates out of the United States but transacts an online sale with an EU citizen, it must protect the consumer’s information based on the conditions of the GDPR.

Your business must maintain GDPR compliance if:

• Operating in the European Union.
• Processing personal data of European residents, regardless of operating location(s).
• Employing more than 250 people.
• Processing qualified sensitive data from EU citizens at a frequent rate, even if employing fewer than 250 people.

Related: How U.S. based companies will be affected by the GDPR

What Types of Personal Data is Protected Under GDPR?

GDPR.EU defines personal data as any information that relates to an individual who can be directly or indirectly identified. Names, mailing addresses, email addresses, and phone numbers are obvious examples, though identifiable information also extends to:

• Race
• Ethnicity
• Sexual orientation
• Health and genetic data
• Biometric data
• National insurance numbers
• IP addresses
• Cookie data

The ubiquitous nature of the World Wide Web makes personal user exposure nearly impossible to avoid. Not only are organizations required to protect the above information, but also more flexible information, such as geolocations, social media posts, digital images, and character revelations – even religious beliefs or political opinions – need to be protected as well.

What Rights Does the GDPR Grant Data Subjects?

The GDPR refers to online visitors and customers as “data subjects.” Data subjects have the following privacy rights:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights concerning automated decision making and profiling

These rights give individuals a large amount of control over their data and ensure that they can access, withdraw consent, correct, or transfer their data anytime, upon request.

What Are the Seven Principles of GDPR Compliance?

The seven protection and accountability principles stand firmly as the foundation for GDPR compliance. Here they are:

1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

What are the requirements of the General Data Protection Act?

GDPR is not for the faint of heart. Its data protection guidelines are dense—there are 11 chapters and 91 articles in total. However, the following articles are arguably the most important to know:

• Articles 17 & 18 – Gives data subjects more control over personal data that is automatically processed. This means users are able to transfer personal data between services more easily and they also have the right to ask a controller to remove or erase their data under certain circumstances.
• Articles 23 & 30 – Requires companies to have procedures and measures in place in regard to data protection of consumers.
• Articles 31 & 32 – Specifies the requirements for a single data breach including notifying Supervising Authorities of the breach within 72 hours of learning about it and notifying data subjects as quickly as possible of the breach when their rights and freedoms are at risk. 
• Articles 33 & 33A – Requires companies to perform regular Data Protection Impact Assessments and Data Protection Compliance Reviews to identify any potential risk and ensure those risks are addressed.
• Article 35 – Requires that certain companies – specifically, any company that processes data related to a subject’s genetic health, race, ethnic origin, religious beliefs, etc – appoint a Data Protection Officer (DPO).
• Articles 36 & 37 – Outlines what encompasses the DPO position, including its responsibilities in ensuring GDPR compliance and reporting to Supervisory Authorities and data subjects in the case of breach.
• Article 45 – Extends data protection requirements to any international company that collects EU citizens’ personal data to the same requirements and penalties of a EU-based company.

Article 79 – Outlines the penalties for non-GDPR compliance which can be up to 4% of the company’s global, annual revenue.

Who Is Responsible for GDPR Compliance at Your Company?

GDPR compliance is an organizational effort; however, a select few positions take care of much of the heavy lifting.

The GDPR categorizes data handlers as controllers and processors. Data controllers determine the purposes and means of data processing and then communicate them to data processors, who are responsible for the execution. In other words, controllers provide instruction, and processors act on instruction.

Data controllers play an influential role in compliance by design, as they have the intuition and foresight to ensure new systems, products, and services meet compliance standards from the start. Data processors deal directly with the threat of security breaches; therefore, they must maintain records of personal data and document their processing actions.

Controllers and processors typically report to the Data Protection Officer (DPO), who stands at the nucleus of an organization’s compliance strategy. One should oversee and enforce GDPR security requirements, manage audits, act as the liaison between their organization and compliance officials, and ensure the alignment of all data privacy operations.

While a DPO can considerably contribute to an organization’s overall compliance, an organization is not required to appoint a DPO unless it meets three conditions:

1. The organization is a public authority.
2. The organization partakes in systematic monitoring of people.
3. The organization processes sensitive information on a large scale.

What Happens if Your Company Isn’t GDPR Compliant?

Non-compliant organizations endure serious fines. The GDPR judges non-compliance on two levels:

1. Lower-level violations can result in a fine of 10 million euros or two percent of a non-compliant company’s worldwide annual revenue, whichever is higher.
2. The most egregious violations double those monetary totals, punishing a company by taking the higher of 20 million euros, or four percent of its worldwide annual revenue.

The GDPR leverages considerable fines as a way to steer companies towards compliance. Whether big or small, or rich or poor, a company will face a critical setback if hit with a GDPR-related penalty.

Of course, it helps to know how GDPR officials evaluate violations and assign them a fine. Here are 10 emerging considerations:

1. How long was the infringement going on?
2. How many data subjects were affected by the infringement?
3. What was the level of damage to the impacted data subjects?
4. Was the violation of an act of intent or negligence?
5. What actions were taken to mitigate the damage?
6. Has the offender committed any violations in the past? If so, how many?
7. Did the offender cooperate with supervisory authorities in resolving the data breach?
8. What categories of personal data were affected by the breach?
9. At what point were regulatory officials and impacted parties notified of the breach?
10. What was the offender’s degree of responsibility regarding technical and organizational data security measures?

Use these considerations to help guide your compliance program. Train your staff on the immediate steps to take if a breach does occur. Review your breach reporting process to ensure the necessary information is transferred and communicated to minimize the duration of the vulnerability. Also, prepare your data security software and protocols with potential pitfalls in mind.

How Can My Company Stay GDPR Compliant? A Checklist and Best Practices

1. Train your employees on the GDPR

Everyone in your organization should, at the very least, be aware of the GDPR and its significance. Employees that will regularly encounter the GDPR or work in accordance with it should receive detailed and ongoing training regarding it.

Prep applicable staff members with GDPR reading materials, create assessments to test their knowledge, hold weekly meetings to discuss updates and to field questions, and shadow them to ensure their understanding of systems and processes.

2. Conduct a full data audit

Before adjusting for future data, conduct an audit on the data that you already have. Determine where all GDPR-related data resides, where it came from, who has access to it, and what it’s being used for. Addressing your data inventory is an imperative early step in compliance efforts.

3. Review and update your company’s privacy policy

A thorough, fully transparent privacy policy is not only an essential communication to your site’s users but also a necessity for GDPR compliance. Thus, make sure your privacy policy bolsters clear language and properly informs users of their data rights. Also, ensure the policy appears as an obvious pop-up notification on all of your communication channels (web, mobile, etc.).

4. Evaluate all systems and processes for preparedness

Individuals have certain rights over their data, including the right to erasure, the right to access, and the right to opt-out. Your staff must have processes in place to complete individuals’ requests within the regulated time frame (typically a month).

Confirm how requests are documented, how quickly your team is informed of a request, and how data subjects are being updated while waiting for their request to come full circle.

5. Review your data breach reporting process

Preparation extends to data breaches as well. A data breach is perhaps the worst occurrence for an organization, as it compromises user trust and compliance efforts, and can ultimately lead to sanctions, lawsuits, and a damaged reputation.

That’s why your data controllers and data processors must be on the same page regarding data breach protocols. Make sure both sides understand their roles in the reporting process and leave no stone unturned in pursuit of a 100% breach reporting success rate.

6. Appoint a GDPR compliance team

Strongly consider appointing a compliance team to span all GDPR matters. The first step might be to hire a DPO if you don’t already have one. Then, surround the DPO with top IT performers and GDPR data security experts. The team will be responsible for monitoring compliance measures, developing compliance strategies, and keeping department heads up to date with compliance-related initiatives.

The Role of Data Discovery

Companies face the immense challenge of obeying GDPR rules while still leveraging data legally to catalyze business growth. Such objectives are nearly impossible to accomplish without precise data discovery.

Data discovery provides solutions to vital questions, including:

• What sensitive data does my company possess?
• Where is the data stored?
• Why was the data collected?
• How is the data being used?

By incorporating data discovery tools, your company can quickly and proactively locate, track, and trace data, whether it’s stored in the cloud, on employee devices, or within network repositories.

You’ll greatly benefit from organized databases capable of finding information through metadata indexing, keyword searching, and classification.

The best current data discovery tools will also keep your company GDPR compliant. Compliance software has built-in intelligence that accounts for regulations and alerts processors when an input or output is off base. Ultimately, it provides automated efforts to help identify the source of data breaches in a timely fashion.

Other Common GDPR Compliance FAQs

How does the GDPR affect third-party and customer contracts?

The requirements for GDPR compliance extends to third-party processors that help manage your consumers’ data. This means that if your third-party processor is not in compliance, then you are not in compliance. Therefore, in order to ensure GDPR compliance throughout your organization, you may need to review any existing contracts you have with third-parties and customers, ensuring the processes in which data is managed and protected and how breaches are reported is clearly defined.

What is data protection by default?

To promote data minimization and purpose limitation, the GDPR requests companies exercise data protection by default, which means processing only the amount of data necessary to fulfill your intentions.

A company should calculate its data pool before the processing phase and communicate its limitations with users.

Related articles

• GDPR Compliance: 8 Steps Your Company Should Take Now
• What are the GDPR Guidelines? Everything You Need to Know
• What is PII for GDPR?
• GDPR Security Requirements: How Will They Impact Your Organization?
• What are GDPR Risk Assessments and Why are they Important?
• Who is Responsible for GDPR Compliance at Your Company?

Guarantee your GDPR data protection by contacting Ground Labs, a data solutions company entirely devoted to helping organizations fulfill compliance standards. Discovering, managing, and securing data is what we do.