GDPR Compliance Guide

The General Data Protection Regulation (GDPR) is a set of rules crafted to safeguard the personal information of EU residents. This article explains who the GDPR applies to and the steps you can take to become compliant.

What is the GDPR?

The General Data Protection Regulation, commonly known as GDPR, sets strict guidelines for how organizations collect, store, and manage personal data of EU residents.

Effective since May 25, 2018, the GDPR was developed in response to the increasing need to protect individuals' personal data in a rapidly evolving digital world, where data breaches and privacy violations have become all too common.

For companies, this means they need to review their processes and infrastructure, examining what data is collected, where it is collected, and how it is used. For consumers, this regulation is beneficial, as it gives power back to the people since the EU sees privacy as a human right.

There is also a benefit for companies, as this is the only regulation across the entire EU, rather than varying regulations per country.

Who Does the GDPR Apply to?

The GDPR applies to any organization, regardless of its location, if it processes the personal data of individuals in the EU. So it concerns your company if you handle any data from EU citizens. Whether you're based in California or in the EU, this will apply to you.

This includes businesses, non-profits, government bodies, and any other entities that handle personal data within the EU.

The regulation covers all types of data processing activities, whether the organization is handling data about employees, customers, suppliers, or other individuals.

When Does the GDPR Not Apply?

The GDPR doesn't apply to your organization if you are not processing or monitoring the personal data of individuals in the EU, don't conduct business operations within the EU, and don't offer services or goods to EU residents.

What Does the GDPR Require?

Here's an overview of the key requirements under the GDPR.

1. Data Processing Agreement (DPA)

To ensure GDPR compliance, data controllers (the entity determining the purpose and means of processing personal data) must establish formal agreements with any third-party entities that process personal data on their behalf. These contracts, known as Data Processing Agreements (DPAs), are crucial for delineating the responsibilities related to data protection and privacy.

2. Lawful Basis for Processing

According to Article 5, organizations must have a legitimate reason (lawful basis) for processing personal data. This can be based on consent, compliance with a legal obligation, or legitimate interests pursued by the data controller or a third party.

Consent must be freely given, specific, informed, and unambiguous. It requires a clear affirmative action (opt-in), and individuals have the right to withdraw their consent at any time. Pre-ticked boxes and implied consent are not acceptable under GDPR.

3. Transparency and Information

Organizations must provide clear information about how they process personal data. This includes detailing the purposes of data processing, data retention periods, and who the data may be shared with. This information is typically provided in a Privacy Policy.

Article 30 stipulates the requirement to maintain records, either in written or electronic form, of processing activities for organizations with 250 or more employees. For entities with fewer than 250 employees, the obligation to keep records still stands if the processing poses a risk to the rights of data subjects and is not an isolated occurrence.

4. Cybersecurity

According to Article 32, organizations must establish technical and organizational measures to safeguard personal data. These measures are essential to protect data from unlawful processing and to prevent accidental loss or damage. Key strategies include pseudonymization, encryption, and conducting regular security assessments.

5. Accountability

Accountability involves:

  • Keeping detailed records of processing activities
  • Conducting Data Protection Impact Assessments (DPIAs) when required
  • Appointing a Data Protection Officer (DPO) under specific conditions

6. Data Protection by Design and by Default

Organizations must integrate data protection into their processing activities and business practices.

7. Data Breach Notification

Organizations are required to inform the relevant Supervisory Authority within 72 hours upon discovering a personal data breach that poses a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk, affected individuals must also be informed without undue delay.

8. International Data Transfers

Transferring personal data outside the EU is restricted unless adequate safeguards are in place. This can include binding corporate rules, standard contractual clauses, or other approved mechanisms to ensure data protection compliance.

How to Comply with the GDPR

Here is a step-by-step guide to help organizations ensure they meet GDPR requirements.

Step 1: Determine Whether Your Organization Falls Under GDPR

Assess whether your organization processes personal data of EU residents and, if so, identify the lawful basis for processing this data (e.g., consent, contract necessity, legal obligation). Here are some examples that would require GDPR compliance for your organization:

  • You gather or handle data belonging to EU residents
  • You provide software which collects personal data during registration and is accessible within the EU
  • You conduct business operations involving shipments to the EU, referencing the EU on your website, or accepting payment in EU currency

Step 2: Determine Whether You Are a Data Processor or a Data Controller

In the realm of data protection and privacy, two critical roles stand out: Data Controllers and Data Processors.

Data Controllers: The Decision-Makers

Any entity that determines the purposes and means of processing personal data is considered a data controller under the GDPR. Controllers are primarily responsible for ensuring compliance with GDPR principles.

Key Responsibilities:

  • The data controller sets the objectives ("why") and the manner ("how") for processing personal data. They make key decisions about the data collection methods, storage, security, and usage
  • Data controllers must ensure that their data processing activities comply with applicable data protection laws. They are responsible for the lawful collection and use of data and must implement measures to protect this data
  • Data controllers are accountable for upholding the rights of individuals, such as providing access to their data, ensuring its accuracy, and deleting it upon request
  • Controllers must demonstrate compliance with data protection principles and may need to conduct Data Protection Impact Assessments (DPIAs) to evaluate and mitigate privacy risks

Examples:

  • A hospital decides to collect and store patient medical records to provide treatment
  • A marketing company chooses to gather and analyze consumer behavior data to tailor advertisements

Data Processors: The Executors

Entities that process data on behalf of controllers are classified as data processors. This can include cloud service providers, data analytics firms, and other third-party service providers. Processors must follow the instructions of the controller and comply with GDPR requirements for data security and processing.

Key Responsibilities:

  • Data processors perform tasks such as storing, recording, or transmitting data as instructed
  • Processors must implement appropriate technical measures to ensure data security during processing. They must also notify the data controller of any data breaches without undue delay
  • Data processors need to keep records of processing activities and cooperate with data controllers and supervisory authorities during audits

Examples:

  • A payroll company processes employee salary information on behalf of a corporation
  • An email marketing service sends promotional emails to customers based on the list provided by a retail company

Step 3: Determine What Data You Need to Protect

What is considered personal data under the GDPR? It's any information that can be used to identify a user, including emails, photos, bank details, and even IP addresses. Special categories of data, such as health information, racial or ethnic origin, political opinions, and biometric data, are subject to even stricter protections under the GDPR.

Identify what personal data you collect, how it is used, stored, and shared. Where is this personal information stored and who has access to this information?

Step 4: Understand GDPR Principles

Data controllers must comply with GDPR principles. Familiarize yourself with key principles of GDPR, including:

  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Step 5: Conduct a Data Audit

This audit should cover all data sources, processing activities, and data sharing arrangements. Maintain detailed records of your data processing activities as required by Article 30 of the GDPR.

Step 6: Establish Legal Grounds for Data Processing

Ensure that consent is given voluntarily, with clear and precise information, and without any ambiguity. Review and update consent mechanisms to meet GDPR standards. Where consent is not appropriate, ensure other lawful bases (e.g., legitimate interest, contract necessity) are properly documented and justified.

You need to obtain explicit consent from users in clear, simple language, and provide them with an easy opt-out option. Avoid using complicated language or deceptive practices. It's essential to ensure that users have a straightforward way to stop tracking.

Step 7: Implement Data Subject Rights

Provide mechanisms for individuals to request access to their personal data and obtain information about how it is processed. Implement processes to correct or delete personal data upon request. Allow individuals to receive their data in a commonly used, machine-readable format and transfer it to another controller.

Step 8: Enhance Data Security

Implement appropriate security measures such as encryption, pseudonymization, regular security assessments, and access controls to protect personal data. Develop a data breach response plan that includes notifying the supervisory authority within 72 hours and informing affected individuals when necessary.

Secure your website by installing an SSL/TLS certificate (HTTPS) to encrypt all data exchanged between visitors' browsers and your server. Ensure admin accounts are protected with strong passwords.
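Pseudonymization, named above among the Article 32 measures, is easy to get wrong: an unkeyed hash of a low-entropy value such as an IPv4 address can be reversed by enumerating the input space, so it offers little protection. The following is an added example (not code from the article) showing keyed pseudonymization with HMAC-SHA256, where the secret key is stored apart from the data set. The customer record, field names and key handling are constructed for illustration; in production the key would live in a secrets manager or KMS, not in the same database as the records.

```python
"""Keyed pseudonymization of direct identifiers in a personal-data record.

Added illustration for a GDPR compliance guide. The record below is constructed
sample data, not real personal data.
"""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable

# Constructed sample record (hypothetical values only).
CUSTOMER_RECORD: Dict[str, Any] = {
    "customer_id": "C-1001",
    "email": "anna.example@example.org",
    "ip_address": "203.0.113.42",
    "city": "Lyon",
    "order_total_eur": 42.50,
}

# Fields that directly identify a data subject and must not be stored in the clear
# in the analytics copy of the data. Indirect data (city, amount) is kept as-is here.
DIRECT_IDENTIFIERS = ("customer_id", "email", "ip_address")


def new_pseudonymization_key() -> bytes:
    """Generate a 256-bit secret. Store it separately from the pseudonymized data;
    whoever holds it can re-link pseudonyms to subjects, so the data stays personal data."""
    return secrets.token_bytes(32)


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 over 'field:value'.

    Keying with a secret defeats dictionary/enumeration attacks on small input spaces
    (IPv4 addresses, customer ids). Mixing in the field name means the same string
    appearing in two fields yields two different pseudonyms.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(key: bytes, record: Dict[str, Any],
                        fields: Iterable[str] = DIRECT_IDENTIFIERS) -> Dict[str, Any]:
    """Return a copy of `record` with each listed field replaced by its pseudonym.
    Missing or None fields are left untouched; non-identifier fields pass through."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymize_value(key, field, str(out[field]))
    return out


def same_subject(key: bytes, value_a: str, value_b: str, field: str = "email") -> bool:
    """Check whether two identifier values belong to the same subject without
    storing either in the clear; constant-time comparison of the pseudonyms."""
    pa = pseudonymize_value(key, field, value_a)
    pb = pseudonymize_value(key, field, value_b)
    return hmac.compare_digest(pa, pb)


if __name__ == "__main__":
    key = new_pseudonymization_key()
    safe = pseudonymize_record(key, CUSTOMER_RECORD)
    for name, val in safe.items():
        print(f"{name:16} {val}")
    # Same key -> same pseudonym, so records from two systems can still be joined.
    print("linkable:", same_subject(key, CUSTOMER_RECORD["email"], "anna.example@example.org"))
```

Because the key allows re-identification, the output is pseudonymized rather than anonymized and remains personal data under the GDPR (Recital 26); the benefit is that a leaked analytics table without the key exposes no direct identifiers, which bears directly on the breach-risk assessment described in Step 8.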

Step 9: Ensure Transparency and Communication

Update your Privacy Policy. Provide concise information about how you process personal data, including purposes, retention periods, and rights of individuals. Ensure this information is easily accessible to data subjects.

Step 10: Appoint a Data Protection Officer (DPO)

Under the GDPR, organizations are required to appoint a Data Protection Officer (DPO) if they meet any of the following criteria:

  • Being a public authority
  • Conducting core activities involving large-scale, systematic monitoring of data subjects
  • Requiring the appointment of a DPO according to EU member state law

The DPO should oversee data protection strategies and ensure compliance. Also, the DPO should operate independently and report directly to the highest level of management.

Step 11: Protect International Data Transfers

Ensure that personal data transferred outside the EU is protected through mechanisms such as standard contractual clauses, binding corporate rules, or adequacy decisions. Regularly review and assess the adequacy of data protection measures in the destination country.

Step 12: Maintain Accountability and Documentation

Document all data processing activities, including data protection impact assessments (DPIAs), consent records, and data breach incidents. Continuously monitor and update data protection policies and practices to remain compliant with GDPR.

Penalties for Not Complying With the GDPR

The General Data Protection Regulation (GDPR) imposes stringent penalties on organizations that fail to comply with its requirements.

The GDPR establishes a tiered approach to fines, which can be substantial depending on the severity of the violation.

Tier 1 Fines: Organizations can face penalties of up to €10 million or 2% of their global annual turnover from the previous financial year, whichever amount is higher. These apply to violations such as:

  • Not maintaining records of processing activities
  • Failing to notify the supervisory authority and data subjects about a data breach
  • Not conducting Data Protection Impact Assessments (DPIAs) when required
  • Not appointing a Data Protection Officer (DPO) when one is required

Tier 2 Fines: These can reach up to €20 million or 4% of the company's global annual revenue from the previous financial year, whichever amount is higher. They apply to more severe violations such as:

  • Breaching the basic principles of data processing, including conditions for obtaining valid consent
  • Failing to comply with data subjects' rights, such as the right to access, rectification, or erasure
  • Transferring personal data internationally without proper safeguards
  • Ignoring orders from supervisory authorities

Supervisory authorities (like national data protection authorities) have several corrective powers they can use, including warnings, reprimands, orders, and temporary or definitive limitations.

Summary

The GDPR is a regulation that specifies how companies should use and protect EU consumer data. The regulation aims to give EU individuals more control over their personal information and imposes significant penalties for non-compliance.