GDPR Compliance: Understanding the General Data Protection Regulation
Since its introduction, the General Data Protection Regulation (GDPR) has set a precedent for an uncompromising approach to data privacy and protection. As a result, it has instilled fear among organizations of all sizes worldwide. Not complying with GDPR can lead to harsh fines or regulatory action.
Let’s take a closer look at everything your organization needs to know about GDPR.
What is GDPR?
Brought into effect on May 25, 2018, GDPR is a data privacy and security law drafted and passed by the European Union that mandates organizations protect personal data and uphold the privacy rights of anyone in EU territory (citizens or residents, officially referred to as data subjects). It includes seven principles of data protection that must be implemented and eight privacy rights that must be upheld.
It imposes obligations on any organization that collects or processes personal data of EU citizens or residents while offering goods or services to them. It replaced the 1995 Data Protection Directive as the primary law regulating how organizations protect EU citizens’ personal data.
The main privacy and data protection requirements of GDPR are:
- Consent of subjects for data processing
- Anonymization of the collected data to protect privacy
- Issuance of data breach notifications
- Safe management of data transfer across borders
- Appointment of a data protection officer (DPO) to oversee GDPR compliance, if needed
What is the main purpose of the GDPR?
The GDPR’s purpose is to implement a uniform data security law for all members of the EU to eliminate the need for every member state to draft its own data protection laws and ensure consistent laws across the EU.
GDPR contains 11 chapters and 91 articles. Some of the most critical ones are:
- Articles 17 and 18: Give data subjects more control over their personal data that is automatically processed. These articles provide data subjects the “right to portability” and the “right to erasure.”
- Articles 23 and 30: Require organizations to implement reasonable data protection measures to protect data and user privacy against loss or exposure.
- Articles 31 and 32: Mandate organizations to notify the supervisory authorities of a data breach within 72 hours of identifying it, including a set of required details, and to notify data subjects as quickly as possible if the breach poses a direct risk to their rights and freedoms.
- Articles 33 and 33a: Require organizations to perform data protection impact assessments to detect risks to personal data and conduct data protection compliance reviews to ensure the risks are addressed.
- Article 35: Directs certain organizations to appoint data protection officers (DPOs).
- Articles 36 and 37: List the roles and responsibilities of a DPO when it comes to ensuring GDPR compliance and reporting to supervisory authorities and data subjects.
- Article 45: Clearly states that even international organizations that collect or process EU citizens’ personal data are subject to the same requirements and penalties as EU-based organizations.
- Article 79: Describes the penalties for GDPR non-compliance.
What does GDPR compliance mean?
To be compliant with GDPR, organizations must implement technical and operational safeguards to protect the personal data they store and manage while maintaining evidence of compliance. Crucial tasks an organization must do include:
- Regularly conducting a thorough assessment to determine compliance with GDPR
- Undertaking remediation efforts to address compliance risks
- Obtaining the consent of subjects for data collection and processing
- Anonymizing the collected data to protect privacy
- Issuing data breach notifications as mandated
- Safely managing the transfer of data across borders
- Appointing a data protection officer (DPO), if needed
- Creating and maintaining documented evidence on all the above actions
Why is it important to be GDPR compliant?
Organizations required to comply with GDPR could face significant penalties should they fail to do so. These include:
- A warning or a temporary or definitive ban on processing personal data
- A fine of up to €20 million or 4% of their total global turnover (depending on several factors)
What data is protected by GDPR?
GDPR protects personal data, which it defines as any information related to an individual that can be used to identify the individual directly or indirectly. Some of the most common information is names, email addresses and ID numbers. GDPR also classifies location information, ethnicity, gender, biometric data, religious beliefs, web cookies and political opinions as personal data. Even pseudonymous data falls under the purview of GDPR if it can be used to identify an individual.
Who has to comply with GDPR?
An organization must comply if it has:
- A presence in an EU member country
- No presence in the EU, but it processes personal data of EU residents or citizens
- Over 250 employees
- Fewer than 250 employees, but its data processing is not just occasional, includes certain types of sensitive personal data, and affects the rights and freedoms of data subjects
The above-mentioned criteria bring virtually every organization, including not-for-profit organizations, under the compliance umbrella of GDPR.
Is the GDPR enforceable in the U.S.?
GDPR primarily views personal data as the property of an EU citizen or resident, irrespective of where they live or where the organization is located. Therefore, it is enforceable against any organization that is either a controller or processor of the data of EU citizens or residents. For example, an American e-commerce business that sells goods to EU citizens and ships the items to Europe from the U.S. must comply with GDPR.
The reach of GDPR applies to any data controller or processor that:
- Monitors the behavior of data subjects within the EU
- Processes data generated from offering goods or services to data subjects in the EU
- Runs an establishment in the EU and processes data through that establishment
As a rule of thumb, any U.S. organization that holds connections to the EU through subsidiaries, vendors, employees, customers, service providers or even website visitors must comply with GDPR.
Who is responsible for compliance with GDPR?
GDPR holds three people or teams in an organization responsible for GDPR compliance:
- Data controller: The data controller is responsible for deciding how personal data is processed, determining the purpose behind the processing and making sure outside contractors comply.
- Data processor: This refers to internal groups or any outsourcing partners that maintain and process personal data. The GDPR holds processors liable for any breaches or non-compliance even if it was an organization’s processing partner that caused it.
- Data protection officer (DPO): Article 38 of GDPR states that the DPO must be involved in handling all issues related to the protection of personal data. It further mandates that the DPO must be shielded from any potential interference within an organization and must report directly to the highest level of management.
Is GDPR compliance mandatory?
The authorities across the EU tasked with enforcing GDPR make it a point to take stringent action against organizations that do not respect its requirements. An organization that chooses to ignore GDPR therefore does so at its own peril.
While GDPR fines have contributed immensely to organizations worldwide not being willing to risk non-compliance, an organization could face other forms of strict regulatory action that could immensely hamper business as usual and lead to loss of reputation.
Let’s now look at how organizations are penalized for non-compliance.
What are the penalties for non-compliance with GDPR?
While the penalties issued for non-compliance with GDPR could include warnings or bans, fines constitute the majority of penalties issued. GDPR fines are divided into two tiers based on the severity of infringements:
- Fines of up to €10 million or 2% of the organization’s worldwide annual revenue from the previous financial year, whichever amount is higher. These are issued for less severe infringements that often include violations of the articles governing controllers and processors (Articles 8, 11, 25-39, 42 and 43), certification bodies (Articles 42 and 43), and monitoring bodies (Article 41).
- Fines of up to €20 million or 4% of the organization’s worldwide annual revenue from the previous financial year, whichever amount is higher. These are levied for more serious infringements on principles of the right to privacy and the right to be forgotten.
How do you ensure GDPR compliance?
Following a set of best practices can help your organization achieve and maintain full compliance with GDPR and be able to prove it to a regulator if needed. Below are some of the most important steps you need to undertake:
- Conduct regular GDPR audits and risk assessments: The first step to GDPR compliance is to know the personal data your organization manages and test its security through in-depth audits and risk assessments. This gives you the insights you need to undertake remediation efforts to mitigate the risks. Most importantly, make sure you document every step of this process since a regulator will seek the documentation as evidence of your organization’s efforts.
- Promote cybersecurity awareness: GDPR mandates your organization implement “reasonable data protection measures” that include measures for tackling insider threats. You must implement a cybersecurity awareness strategy to empower every employee and stakeholder (including vendors) to contribute toward keeping personal data secure.
- Appoint a data protection officer (DPO): If your organization must appoint a DPO, you should do so right away. You can appoint someone from within the organization for the position as long as he/she can fulfill the DPO’s responsibilities as listed in GDPR.
- Devise and test an incident response plan: GDPR emphasizes data breach notification as much as the prevention of a data breach. Therefore, your organization must devise and regularly test an incident response strategy. It will allow your organization to act swiftly following a breach and minimize the damage caused, something that would be seen in a positive light by a regulator.
- Use automated compliance software: Automated compliance management tools can help you run automated assessments to test your organization’s compliance with GDPR and generate the necessary documentation automatically. Additionally, some of them can even suggest remediation measures, help you keep track of remediation and facilitate role-based stakeholder participation.
GDPR compliance with Compliance Manager GRC
Does your organization or your clients need help navigating the maze of GDPR compliance? Turn to Compliance Manager GRC — our purpose-built platform that can empower you to offer managed IT security and compliance with minimal effort. With Compliance Manager GRC, you’ll be able to:
- Automatically scan networks to detect the personal data stored or managed by your company or your clients and the risks targeting the data
- Create GDPR-approved reports and documentation such as auditor checklists, data protection impact assessment (DPIA) and GDPR evidence of compliance
- Easily customize assessments and reports with changes in both networks and regulatory requirements
- Protect your business or your clients from hefty fines by delivering everything needed to demonstrate continuous compliance
Schedule a personalized demo of Compliance Manager GRC and see how it takes the complexity out of GDPR compliance.