General Data Protection Regulation (GDPR)
The Ultimate Guide to

General Data Protection Regulation (GDPR)

What is GDPR?

The EU enacted the General Data Protection Regulation, or GDPR, to protect their citizens’ data and give them the right to know what data providers collect about them. It also lays out strict rules for reporting breaches and how to store and protect data.

Any business with customers who are citizens of a European Union country is subject to GDPR, and the GDPR is one of the harsher regulations in terms of punishment. It allows for a tiered approach based on the seriousness of the violation, with the maximum penalty being fines up to €20 million or 4% of their worldwide annual revenue for the prior financial year — whichever is greater.

The General Data Protection Regulation, or GDPR, is one of the strictest privacy laws in the world, requiring organizations inside and outside of Europe to secure the personal data of European Union (EU) citizens collected, processed, or stored by the organization. GDPR went into effect on May 25th, 2018, to safeguard EU citizens’ data and uphold the right to know exactly what data is collected by providers. GDPR also lays out strict rules for reporting breaches and how to store and protect data.

Definition of Personal Data Under GDPR

The GDPR defines Personal Data as

any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. 

GDPR Privacy Principles

GDPR’s data privacy principles originate from the EU’s 1995 Data Protection Directive and were implemented on May 25, 2018, as technology advanced and data breaches became more common. The GDPR establishes seven key data privacy principles:

  • Lawfulness
  • Fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Article 5 establishes the fundamental principles relating to the processing of personal data, while other articles in this section address specific aspects of lawful processing and consent requirements.

GDPR’s principles require that personal data be processed lawfully, fairly, and transparently, with data subjects informed about processing activities. Organizations must ensure data is collected for specified, explici,t and legitimate purposes, is adequate and relevant to those purposes, and is kept secure through appropriate technical and organizational measures.

Fact Sheet

Learn How to Build a Strong Privacy Risk Management Program

Download Now

GDPR Obligations for Controllers and Data Processors

Data controllers are people, agencies, organizations or authorities who oversee the processing of personal data, determining the purpose for and means of processing this information. For example, if you’re an e-commerce company that sells goods online to EU citizens and you’d like to collect consumers’ physical and email addresses to notify them of shipments and send them promotional emails, you’re considered a data controller under GDPR.

Controllers are responsible for implementing appropriate technical and organizational measures to ensure that data processing is performed in accordance with GDPR regulations and enforcing appropriate data protection policies when necessary. Controllers must implement data protection by default measures, ensuring that only personal data necessary for each specific purpose of the processing is processed.

Data processors work by specific contracts to process data on behalf of controllers. Processors work under the strict orders of controllers, processing data only on the documented instructions of a controller.

Processors must assist controllers in meeting all compliance obligations, such as deleting or returning all personal data to the controller after the end of the provision of services relating to processing, and deleting existing copies unless Union or Member State law requires storage. In the same e-commerce example, the data processor is the email marketing software company that’s used by the e-commerce company to send promotional emails to EU customers. Because it is processing data that belongs to EU data subjects, even if the email tool company is incorporated in the U.S., it still needs to abide by GDPR.

What is the process for becoming GDPR Compliant?

Becoming GDPR compliant involves establishing executive leadership and forming cross-functional task forces that include all departments handling personal data, while conducting comprehensive risk assessments and creating detailed documentation of their data processing activities. Organizations must then implement appropriate technical and organizational measures to mitigate identified risks, establish incident response procedures capable of meeting the 72-hour breach notification requirement, and maintain ongoing monitoring processes to ensure continuous compliance. Compliance can boost consumer confidence and create competitive advantages.

Leadership and team formation

Establish executive urgency and leadership from top management to prioritize cyber preparedness and compliance with global data hygiene standards. Next, form a cross-functional task force that includes marketing, finance, sales, operations, and any group that collects, analyzes, or uses customers’ personal information. It’s important to recognize that IT alone cannot meet GDPR requirements and involve all relevant stakeholders in the compliance process.

Risk assessment and data inventory

Conduct periodic risk assessments to understand what data you store and process on EU citizens and identify associated risks. Complete a full IT infrastructure inventory to get a comprehensive picture of your entire IT environment, then uncover all shadow IT applications that might be collecting and storing personal information. Finally, identify all applications, including smaller point solutions, that represent the greatest compliance risk.

Documentation and record keeping

Take inventory of risky applications to identify where personal data is being processed, who is processing it, and how it is being processed. Document compliance progress to demonstrate accountability, as required by GDPR’s accountability principle. Then, maintain comprehensive documentation showing how your organization has become compliant.

Organizational structure and roles

Hire or appoint a Data Protection Officer (DPO) if required for your organization. Consider using a virtual DPO who works as a consultant for multiple organizations if a full-time position is not necessary. Ensure the DPO has appropriate authority and resources to fulfill their responsibilities.

Implementation and risk mitigation

Create and maintain a data protection plan, reviewing and updating existing plans to ensure GDPR alignment. Implement identified risk mitigation measures, which typically involves revising existing security measures. Address risks from employees accessing personal information through mobile devices and personal apps. Determine appropriate security levels to protect data based on risk assessments, and finally, review plans periodically to ensure continued effectiveness.

Incident response preparation

Test incident response plans to ensure adequate breach reporting capabilities, and then prepare systems and processes to report breaches within the required 72-hour timeframe. Develop response procedures to minimize damage when incidents occur and train staff on proper incident response protocols.

Ongoing compliance monitoring

Set up ongoing assessment processes to monitor compliance status and establish continuous improvement procedures to maintain GDPR compliance over time. Consider adding mandatory GDPR policy observances to employee contracts and implement incentive systems or penalties to encourage compliance behavior. Regularly review and update compliance measures as business operations change over time.

GDPR Compliance Checklist

Achieving and maintaining compliance with GDPR requires strategic organization and diligence. Working with a compliance checklist simplifies the process, ensuring you check the boxes and minimize your business’s exposure to regulatory penalties. Below is a checklist of categories and activities all organizations should perform to help achieve and maintain GDPR compliance.

Be lawful and transparent

Maintain a current list of all data processing activities and conduct protection impact assessments when processing is likely to result in a high risk to the rights and freedoms of individuals. Your list should include the type of data processed, the purpose of processing, who has access to the data, security controls in place, and plans for deletion of the data. Be able to provide a “lawful basis” for your processing, and be sure to notify the subject of data collection and the legal justification behind it.

Be secure

Practice “data protection by design and by default,” including the implementation of appropriate technology (encryption) and organizational measures (delete data after use) to ensure data safety at all times. Institute an internal data security policy and privacy and security training for employees, and a process to notify authorities and subjects in the event of a breach.

Delegate responsibility

Assign roles and responsibilities for GDPR compliance and appoint a Data Protection Officer if required under Article 37, such as when you are a public authority, when your core activities involve large-scale systematic monitoring of individuals, or when your core activities involve large-scale processing of special categories of personal data. Sign a data processing agreement contract with all third parties who process data on your behalf, and if you’re located outside the EU, be sure to delegate a representative within an EU state.

Uphold data privacy rights

Keep subject data current and make it easy for subjects to view, update, delete, transfer, or stop the processing of their data without undue delay and within one month of receipt of the request, as required by Article 12. Read this to learn more about how to abide by data access requests under GDPR.

GDPR breaches and fines

Failing to comply with GDPR can result in significant monetary fines in addition to brand damage and reputational harm. GDPR views certain violations as more severe than others, so penalties are scalable based on the offense. Article 83 discusses fines, stating that less severe violations (usually involving the articles governing controllers and processors or certification and monitoring bodies) can receive penalties of up to 10 million Euros or 2% of annual global revenue, whichever is greater. More severe violations (involving basic principles for processing, conditions for consent, and data subjects’ rights, including the right to be forgotten) can receive fines up to 20 million Euros or 4% of annual global revenue, whichever is greater.

Data protection regulators in each European country administer GDPR fines. How much you will pay will depend on ten criteria, including:

Gravity and nature

The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.

Intention

Whether the infringement was intentional or the result of negligence.

Mitigation

Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.

Precautionary measures

The amount of technical and organizational preparation the firm had previously implemented to comply with the GDPR.

History

Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.

Cooperation

Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.

Data category

What type of personal data the infringement affects.

Notification

Whether the firm or a designated third party proactively reported the infringement to the supervisory authority.

Certification

Whether the firm followed approved codes of conduct or was previously certified.

Aggravating/mitigating factors

Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

Where do most companies struggle with compliance, and what are the most common GDPR violations?

Communicating openly about data processing with subjects, establishing a legal basis for processing, and implementing proper security measures seem to provide the most challenging GDPR hurdles for today’s companies. Common violations include non-compliance with general data processing principles (often resulting from a lack of communication with the subject), insufficient legal basis for data processing, and inadequate technological or organizational measures to ensure information security.

In 2020, Google received a fine of 50 million, and Telecom £27 million for failing to disclose how they processed a subject’s data in addition to lacking a legal basis for processing the data. Another global giant, H&M, was fined £35 million for lacking the legal grounds to process a customer’s personal data.

How does GDPR fit into your overall compliance program?

Your organization may need to abide by GDPR, country-specific privacy regulations, and state-specific regulations. There may be additional industry data protection regulations you have to follow if you serve the healthcare sector or handle financial data. How do you keep track of all these disparate yet somewhat similar regulations? The key is to develop an enterprise-wide approach to continuously managing privacy risks.

If you are operating in multiple geographic locations, taking a transactional (I.e. one regulation at a time) approach to privacy isn’t sustainable or cost-effective. You’ll likely end up duplicating efforts as different teams, different regions, or business units work in silos.

What you need is a “regulatory-agnostic approach” that allows you to efficiently comply with the regulations you’re subject to today while preserving the flexibility to adhere to future regulations without having to make big changes to your organizational processes.

A regulatory-agnostic approach begins with your organization identifying its core priorities for privacy and then selecting the controls and frameworks, focusing on addressing these prioritized principles.

The NIST Privacy Framework can provide an excellent foundation for building and mapping your controls to comply with specific regulatory requirements. Be sure to clearly define roles and responsibilities for framework implementation and create a centralized, single-source-of-truth evidence repository when taking a regulatory-agnostic approach to compliance management.

NIST Privacy Framework Core

10 General Tips and Strategies for Implementing GDPR

1. Raise awareness

GDPR compliance awareness must be ingrained in your company’s culture. Start by implementing an in-house training program to educate all employees on “privacy protection by design and default” and their specific roles and responsibilities in achieving GDPR compliance.

2. Assign roles

Compliance takes time, work, and a team effort, so spread the responsibility across your organization by assigning specific roles to every employee. Designate a Data Protection Officer, even if one isn’t required, because having a dedicated leader overseeing your GDPR compliance effort is critical to staying on track.

3. Identify your data

Create a comprehensive list of all data your organization stores and processes, where they are located, who has access, how it’s processed, and the legal basis for processing.

4. Regularly review data governing practices

Start by ensuring you have a clear and current in-house privacy policy outlining all rules, guidelines, and procedures in place to safeguard personal identifiable information (PII). Make sure your policy and governing practices stress accountability and transparency with all data processing activities, paying close attention to practices involving children’s data.

5. Practice security by design and default

Keeping subject PII safe is critical for GDPR compliance, so be sure to implement both technological and organizational measures to ensure the security of all your data. Encryption is an example of a control that all teams should employ. If data is encrypted and a breach occurs, the law only requires you to notify the Information Commission Office (ICO) rather than each owner of the data. Remember to conduct regular data protection impact assessments to monitor the effectiveness of your security controls and compliance management program.

6. Address breaches quickly and openly

Be sure to have a clearly defined process in place to rapidly detect, investigate, report, and remediate breaches. This process must include informing authorities and data subjects of the event as soon as possible.

7. Be data subject friendly

Set up internal policies and processes to prioritize the privacy rights of data subjects. Go above and beyond making sure subjects can view, access, change, transport, or delete their data and respond quickly to all data subject inquiries or requests. Keeping lines of communication open with subjects is critical for achieving the level of transparency required for privacy compliance.

8. Automate processes whenever possible

GDPR compliance involves managing lots of account information–often much more than manual practices can handle. Implement automated processes to handle subject information requests, email, and marketing tasks that require a faster response.

9. Monitor third-parties for adherence to contracts

Sign contracts with all third-party partners and vendors who may process subject PII on your business’s behalf, ensuring they are aware of and compliant with GDPR.

10. Utilize GDPR compliance tools

Achieving and maintaining GDPR compliance can tax your company’s resources, so consider the benefits of engaging GDPR compliance software tools to ease the burden. Software tools can help with data discovery, consent management, driving accountability for the ongoing performance of foundational privacy activities, and retaining evidence to back up compliance assertions your organization has made (to reduce your legal liability).

GDPR: Frequently Asked Questions

GDPR applies to any organization, regardless of its location, that processes the personal data of individuals residing in the European Union (EU) or European Economic Area (EEA). This includes businesses, non-profits, and governmental entities. The regulation covers all data processing activities, whether carried out by data controllers (organizations that determine the purposes and means of processing) or data processors (organizations that process data on behalf of a controller).

GDPR compliance is mandatory for all organizations that process the personal data of EU or EEA residents, subject to certain exceptions provided in the regulation. Non-compliance can result in severe penalties, including fines of up to €20 million or 4% of the organization’s global turnover for the fiscal year, whichever is higher. Additionally, non-compliance can lead to reputational damage, loss of customer trust, and potential legal actions from affected individuals.

The GDPR is founded on seven key principles:

  1. Lawfulness, fairness, and transparency: Data processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  3. Data minimization: Data collected should be adequate, relevant, and limited to what is necessary for the intended purposes.
  4. Accuracy: Data must be accurate and kept up to date. Inaccurate data should be corrected or deleted promptly.
  5. Storage limitation: Data should be kept in a form that allows identification of data subjects for no longer than necessary for the purposes for which the data is processed.
  6. Integrity and confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
  7. Accountability: Data controllers are responsible for and must be able to demonstrate compliance with the GDPR principles.

GDPR protects any information that relates to an identified or identifiable individual, known as “personal data.” This includes, but is not limited to:

  • Names and surnames
  • Email addresses
  • Identification numbers
  • Location data
  • Online identifiers (e.g., IP addresses)
  • Biometric data
  • Health information
  • Financial information
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Data concerning a person’s sex life or sexual orientation

GDPR was adopted on April 27, 2016, and became enforceable on May 25, 2018. Organizations were given a two-year transition period to ensure compliance with the new regulations.

Under GDPR, organizations are required to appoint a Data Protection Officer (DPO) if they are a public authority, engage in large-scale systematic monitoring, or process large-scale special categories of data or data relating to criminal convictions and offenses. The DPO is responsible for overseeing the organization’s data protection strategy and its implementation to ensure compliance with GDPR requirements.

Learn more about what comes next after hiring a DPO

A privacy notice is a statement provided by an organization to inform individuals about how their personal data is being collected, used, stored, and protected. Under GDPR, the privacy notice must be concise, transparent, intelligible, and easily accessible. It should include details such as the identity and contact details of the data controller, the purposes for data processing, the legal basis for processing, data retention periods, individuals’ rights regarding their data, and information on data transfers to third countries or international organizations.

The right to erasure, also known as the “right to be forgotten,” allows individuals to request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected or processed. Other circumstances where the right to erasure applies include when the data subject withdraws consent, objects to the processing, or if the data has been unlawfully processed. Organizations must comply with erasure requests unless there are overriding legitimate grounds for retaining the data, such as for legal obligations or the establishment, exercise, or defense of legal claims.

Under GDPR, organizations must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of data breaches. In the event of a data breach that likely involves risks to the rights and freedoms of individuals, organizations are required to notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to individuals’ rights and freedoms, the affected individuals must also be informed without undue delay.

To ensure GDPR compliance, organizations should:

  1. Conduct a thorough data audit to understand what personal data is collected, how it is processed, and where it is stored.
  2. Develop and implement a data protection policy and ensure all staff are trained on GDPR requirements.
  3. Appoint a Data Protection Officer (if required) to oversee compliance efforts.
  4. Implement robust data security measures to protect personal data from breaches.
  5. Establish procedures for handling data subject rights requests, such as access, rectification, and erasure.
  6. Conduct regular data protection impact assessments (DPIAs) for high-risk processing activities.
  7. Review and update contracts with third-party data processors to ensure GDPR compliance.
  8. Maintain documentation of data processing activities and compliance efforts.
  9. Ensure a mechanism is in place for data breach detection, reporting, and response.
  10. Continuously monitor and review compliance efforts to adapt to changes in data processing activities and regulatory requirements.

A Data Protection Impact Assessment (DPIA) is a process designed to help organizations identify and mitigate the data protection risks of a project or processing activity. DPIAs are required for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, such as large-scale processing of sensitive data or systematic monitoring of public areas. The DPIA should assess the necessity and proportionality of the processing, identify and evaluate potential risks, and outline measures to mitigate those risks.

GDPR  maps to the following frameworks: 

Hyperproof for GDPR Compliance

Hyperproof is a powerful compliance operations platform designed to help you abide by GDPR and a host of other privacy regulations in the most efficient way possible.

GDPR

Conduct privacy risk assessments and track risks in a central Risk Register

Understand GDPR requirements

Manage privacy and security controls on an ongoing basis and foster accountability

Reduce your liability; map your controls to GDPR and other regs to prove that due diligence was conducted before compliance assertions were made

Easily gather evidence of your control activities and automate workflows

Gauge progress within your privacy program and prioritize activities

Link risks to controls and monitor your privacy risks in real-time

Effectively communicate your organization’s compliance posture to stakeholders

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get GDPR ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.

Ready to see
Hyperproof in action?

G2 Crowd Leader
G2 Crowd Best Estimated ROI
G2 Crowd Best Customer Support Enterprise
G2 Crowd Fastest Implementation
G2 Crowd Momentum Leader