GDPR compliance has been a top concern for businesses around the world since the General Data Protection Regulation (GDPR) took effect in May 2018. The GDPR requires businesses to protect the personal data and privacy of European Union (E.U.) citizens for transactions that occur within E.U. member states. It applies to any organization operating within the E.U., as well as to organizations outside its borders that provide goods or services into the E.U. market.
In this blog post, we will explain what GDPR compliance is, how it works, what its requirements are, and who has to comply with GDPR. We will also discuss the fines for non-compliance.
What is GDPR compliance?
GDPR compliance means following the set of rules that businesses must observe to protect the personal data and privacy of individuals within the European Union (E.U.). The GDPR went into effect on May 25, 2018, and applies to any organization operating within the E.U., as well as to organizations outside its borders that provide goods or services into the E.U. market. For example, the GDPR applies to a U.S.-based company that sells products to customers in the E.U.
The GDPR requires businesses to take concrete steps to protect the personal data of individuals within the E.U., and it sets strict penalties for businesses that fail to comply.
How does GDPR compliance work?
GDPR compliance works by requiring businesses to take steps to protect the personal data and privacy of individuals within the E.U. To ensure data privacy and security, businesses must meet many requirements, including the following:
- Obtain explicit consent from individuals before collecting, using, or sharing their personal data.
- Keep records of the consent they have received from individuals.
- Provide individuals with clear and concise information about their rights under GDPR.
- Allow individuals to withdraw their consent at any time.
- Delete the personal data of individuals who have withdrawn their consent.
- Keep personal data secure and protect it from unauthorized access, use, or disclosure.
What are the GDPR compliance requirements?
Here are 11 key requirements for GDPR compliance:
1. Limitation of purpose, data, and storage
Article 5 of the GDPR states that organizations may collect personal data only for a specific purpose, that they must document that purpose, and that they must keep the data no longer than that purpose requires, deleting it when it is no longer needed.
2. Lawful, fair, and transparent processing
Article 5 of the GDPR also states that organizations must document a lawful basis for processing personal data and must ensure that data subjects know how their information is processed and used.
3. Consent
Consent to the use of an individual's data must be given through a clear, unequivocal action. Individuals therefore need a mechanism that requires their deliberate action to opt in, such as ticking a box.
4. Data subject rights
The GDPR protects the following eight basic rights for individuals:
- The right of access: Individuals can submit a data subject access request (DSAR), which requires an organization to provide a copy of any personal data it holds about them.
- The right to rectification: Individuals can request that inaccurate or incomplete personal data be updated.
- The right to be informed: Organizations must tell individuals what data is collected, how it is used, how long it is kept, and whether it is shared with any third party.
- The right to object: When organizations process personal data using legitimate interest, individuals can object to that data being processed.
- The right to data portability: Individuals are allowed to obtain and reuse their personal data (initially provided to organizations by legal consent) for their own purposes across different services.
- The right to erasure: Individuals can request that their data be erased in certain situations, namely when it is no longer necessary, when it was unlawfully processed, or when it no longer meets the lawful requirement for which it was collected.
- The right to restrict processing: As an alternative to the right to erasure, the right to restrict processing applies when individuals no longer use the product or service for which their data was initially collected, requiring organizations to limit the way they are using this data.
- Rights related to automated decision-making, including profiling: The GDPR includes provisions for decisions made with no human involvement, including profiling, allowing individuals to challenge such decisions and request a review of the processing of their data if they believe the rules were not followed.
5. Data protection impact assessment
Article 35 introduces the data protection impact assessment (DPIA), which must be carried out when an organization plans to use new technologies that could pose a high risk to the rights and freedoms of individuals.
6. Privacy by design
The GDPR makes this concept mandatory: organizations must take privacy and data protection into account when designing new products or services, rather than retrofitting them afterwards.
7. Personal data breaches
Article 4 defines a personal data breach as a security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data that is transmitted, stored, or otherwise processed.
8. Data transfers
If you transfer personal data to a country outside the E.U. (a "third country"), you must use one of the safeguards outlined in Article 46. Organizations that keep their transfers of personal data within the E.U. are not required to take any additional steps to protect that data.
9. Awareness and training
Staff awareness training is mandatory for GDPR compliance: every employee who handles personal data or oversees data protection practices must be trained on their responsibilities and on the threats those responsibilities involve.
10. Data protection officer
Article 39 outlines the requirements for a data protection officer (DPO), an independent data protection expert appointed to advise an organization on how to meet GDPR requirements.
11. Security of processing
Article 32 requires organizations to “implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing.” Penetration testing for network security is one way to accomplish this.
Who has to comply with GDPR?
The GDPR applies to all companies that process the personal data of individuals in the E.U., regardless of whether the company is based inside or outside the E.U. This includes companies based elsewhere that offer goods or services to individuals in the E.U.
What are the fines for non-compliance with GDPR?
The GDPR imposes fines for non-compliance of up to €20 million or up to four percent of a company's global annual revenue, whichever is greater. These fines can be imposed for a variety of offenses, including failing to have adequate data security measures in place, failing to notify individuals of a data breach, or transferring data to a third country without adequate protections in place. The GDPR also gives individuals the right to file a complaint with the supervisory authority if they believe their rights have been violated.
The General Data Protection Regulation (GDPR) is one of the most important pieces of data privacy legislation passed in recent years. It is also one of the toughest privacy and security laws in the world, imposing obligations on any organization that collects data about individuals in the E.U. With so many organizations now entrusting their data to cloud services, where security breaches are a daily risk, ensuring your compliance with GDPR can prove overwhelming. That is where GDPR compliance services come in. We can help your organization streamline the compliance process and meet its data handling requirements with little overhead.
Moreover, GDPR compliance brings solid benefits of its own, namely building consumer trust, enhancing your data security and reputation, and developing a competitive edge. These benefits overlap with and complement those described in the 5 Benefits of PCI-DSS Compliance and the 4 Benefits of SOC Compliance.
Contact us if you need help with your GDPR compliance.