The Ultimate Guide to General Data Protection Regulation (GDPR)

What is GDPR?

The European Union enacted the General Data Protection Regulation (GDPR) to protect the personal data of individuals in the EU and to give them the right to know what data organizations collect about them. It also lays out strict rules for reporting breaches and for how personal data must be stored and protected.

GDPR applies to any organization, inside or outside Europe, that processes the personal data of individuals who are in the EU (Article 3); whether those individuals are EU citizens is not the test. It is one of the harsher regulations in terms of punishment: penalties are tiered according to the seriousness of the violation, with the maximum being 4% of total worldwide annual turnover or €20 million, whichever is greater.

GDPR has applied since May 25, 2018. Note that the regulation speaks of “personal data”, a broader concept than the “personally identifiable information” (PII) used in U.S. frameworks; the definition is given in the next section.

Definition of Personal Data Under GDPR

Article 4(1) of the GDPR defines personal data as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

GDPR Privacy Principles

GDPR’s data privacy principles echo the five Fair Information Practice Principles that the U.S. Federal Trade Commission set out in 1998, which have stood the test of time:

  • Notice and awareness
  • Choice and consent
  • Access and participation
  • Integrity and security
  • Enforcement and redress

GDPR Articles 5 through 11 set out the core rules for processing personal data: Article 5 lists the principles themselves, Article 6 the lawful bases for processing, Articles 7 and 8 the conditions for consent (including a child’s consent to online services), and Articles 9, 10 and 11 the rules for special categories of data, data about criminal convictions, and processing that does not require identification.

In summary, GDPR’s privacy principles require organizations to tell data subjects what data is being collected and for what purpose(s). Every processing activity needs a lawful basis before it begins; consent is one such basis, and where it is relied on it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Subjects have the right to access their data and to have it corrected, erased or ported, subject to the conditions in Articles 15 to 22. Organizations holding personal data must ensure its integrity and confidentiality at all times, enforcing the rules and controls necessary to keep it secure.

GDPR Obligations for Controllers and Data Processors

Data controllers are people, agencies, organizations or authorities who determine the purposes and means of processing personal data. For example, if you’re an e-commerce company that sells goods online to customers in the EU and you collect their postal and email addresses to notify them of shipments and send promotional emails, you are the data controller under GDPR.

Controllers are responsible for implementing appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing is performed in accordance with GDPR (Article 24), and for applying data protection policies where proportionate. Under data protection by design and by default (Article 25), a controller must, by default, process only the personal data necessary for each specific purpose.

Data processors process personal data on behalf of controllers under a written contract (Article 28) and only on the controller’s documented instructions.

Processors must assist controllers in meeting their compliance obligations, for example by deleting or returning all personal data once the processing services end. In the e-commerce example, the data processor is the email marketing provider the e-commerce company uses to send promotional emails to EU customers. Because it processes the personal data of EU data subjects on the controller’s behalf, that provider must abide by GDPR even if it is incorporated in the U.S.

What is the process for becoming GDPR Compliant?

Becoming GDPR compliant involves performing the five high-level functions of the NIST Privacy Framework Core, which organize foundational privacy activities and help manage data and the privacy risks around data processing. The five functions are:

1. Identify

These activities give an organization a solid foundation for identifying and managing privacy risks. They include understanding what data the organization is processing, mapping data flows through its systems across the entire data lifecycle from collection to disposal, and conducting privacy risk assessments of how data processing could create problems for individuals (e.g., embarrassment, discrimination, or economic loss).

2. Govern

These activities include determining which privacy values your organization is focused on, knowing your privacy-related legal obligations, and helping your workforce know their roles and responsibilities so they can effectively manage privacy risks in the design and deployment of your products and services.

3. Control

These activities include thinking through your data processing practices and how the design of your products and services can introduce or mitigate privacy risks and affect your ability to fulfill legal obligations. The Control function also includes technical measures, such as pseudonymisation and de-identification, that disassociate data from individuals and devices.

4. Communicate

These activities are concerned with crafting policies for communicating internally and externally about your data processing activities. It also includes actions around making your privacy practices clear and transparent to customers through privacy notices on your websites and/or apps.

5. Protect

These are security measures designed to protect data, such as using security software, encrypting sensitive data, conducting regular backups of data, conducting pen tests, and more.

GDPR Compliance Checklist

Achieving and maintaining compliance with GDPR requires strategic organization and diligence. Working with a compliance checklist simplifies the process, ensuring you check the boxes and minimize your business’s exposure to regulatory penalties. Below is a checklist of categories and activities all organizations should perform to help achieve and maintain GDPR compliance.

Be lawful and transparent

Maintain a current record of all your processing activities (Article 30 requires one for most organizations) and conduct data protection impact assessments where processing is likely to pose a high risk. The record should include the types of data processed, the purpose of processing, who has access, the security controls in place, and retention and deletion plans. Be able to state a lawful basis under Article 6 for each processing activity, and tell the data subject what you collect and the legal justification for collecting it.

Be secure

Practice data protection by design and by default (Article 25): implement appropriate technical measures (such as encryption and pseudonymisation) and organizational measures (such as deleting data once it is no longer needed) to keep personal data safe at all times. Institute an internal data security policy, privacy and security training for employees, and a process to notify the supervisory authority within 72 hours of becoming aware of a breach and affected subjects without undue delay where the risk to them is high.

Delegate responsibility

Assign roles and responsibilities for GDPR compliance and, where Article 37 requires it (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special-category data), appoint a Data Protection Officer to oversee compliance activities. Sign a data processing agreement meeting Article 28 with every third party that processes personal data on your behalf, and if you are established outside the EU but fall within GDPR’s scope, designate a representative in an EU member state as Article 27 requires.

Uphold data privacy rights

Keep subject data current and make it easy for subjects to view, update, delete, transfer, or stop the processing of their data. Respond to such requests without undue delay and within one month of receipt; Article 12(3) allows an extension of two further months for complex or numerous requests, provided you tell the subject within the first month.

GDPR Breaches and Fines

Failing to comply with GDPR can result in significant monetary fines in addition to brand damage and reputational harm. GDPR treats some violations as more severe than others, so penalties scale with the offense. Article 83 sets two tiers. Infringements of the obligations placed on controllers and processors, certification bodies and monitoring bodies (Articles 8, 11, 25 to 39, 42 and 43) can draw fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is greater. Infringements of the basic principles for processing including the conditions for consent, of data subjects’ rights (including the right to erasure), of the rules on international transfers, or of an order issued by a supervisory authority can draw fines of up to €20 million or 4% of that turnover, whichever is greater.

Data protection supervisory authorities in each EU member state impose GDPR fines. How much you pay depends on the criteria in Article 83(2), summarised below:

Gravity and nature

The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.

Intention

Whether the infringement was intentional or the result of negligence.

Mitigation

Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.

Precautionary measures

The amount of technical and organizational preparation the firm had previously implemented to comply with the GDPR.

History

Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.

Cooperation

Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.

Data category

What type of personal data the infringement affects.

Notification

Whether the firm or a designated third party proactively reported the infringement to the supervisory authority.

Certification

Whether the firm followed approved codes of conduct or was previously certified.

Aggravating/mitigating factors

Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

Where do most companies struggle with compliance, and what are the most common GDPR violations?

Communicating openly about data processing with subjects, establishing a legal basis for processing, and implementing proper security measures seem to provide the most challenging GDPR hurdles for today’s companies. Common violations include non-compliance with general data processing principles (often resulting from a lack of communication with the subject), insufficient legal basis for data processing, and inadequate technological or organizational measures to ensure information security.

In January 2019 France’s CNIL fined Google €50 million for failing to tell users clearly how their data was processed and for lacking a valid legal basis (consent) for ads personalisation. In 2020 Italy’s Garante fined TIM (Telecom Italia) €27.8 million over marketing calls made without a valid legal basis, and Germany’s Hamburg data protection authority fined H&M €35.3 million for processing employees’ personal data without legal grounds.

How does GDPR fit into your overall compliance program?

Your organization may need to abide by GDPR, country-specific privacy regulations, and state-specific regulations. There may be additional industry data protection regulations you have to follow if you serve the healthcare sector or handle financial data. How do you keep track of all these disparate yet somewhat similar regulations? The key is to develop an enterprise-wide approach to continuously managing privacy risks.

If you operate in multiple geographic locations, taking a transactional (i.e., one regulation at a time) approach to privacy isn’t sustainable or cost-effective. You’ll likely end up duplicating effort as different teams, regions, or business units work in silos.

What you need is a “regulatory-agnostic approach” that allows you to efficiently comply with the regulations you’re subject to today while preserving the flexibility to adhere to future regulations without having to make big changes to your organizational processes.

A regulatory-agnostic approach begins with identifying your organization’s core privacy priorities, then selecting the controls and frameworks that address those prioritized principles.

The NIST Privacy Framework can provide an excellent foundation for building and mapping your controls to comply with specific regulatory requirements. Be sure to clearly define roles and responsibilities for framework implementation and create a centralized, single-source-of-truth evidence repository when taking a regulatory-agnostic approach to compliance management.

Figure: the NIST Privacy Framework Core (Identify-P, Govern-P, Control-P, Communicate-P, Protect-P)

10 General Tips and Strategies for Implementing GDPR

1. Raise awareness

GDPR compliance awareness must be ingrained in your company’s culture. Start by implementing an in-house training program to educate all employees on data protection by design and by default and on their specific roles and responsibilities in achieving GDPR compliance.

2. Assign roles

Compliance takes time, work, and a team effort, so spread the responsibility across your organization by assigning specific roles. Designate a Data Protection Officer even if Article 37 doesn’t require one, because a dedicated leader overseeing your GDPR compliance effort is critical to staying on track.

3. Identify your data

Create a comprehensive inventory of all personal data your organization stores and processes: where it is located, who has access, how it is processed, and the legal basis for processing.

4. Regularly review data governing practices

Start by ensuring you have a clear and current in-house privacy policy outlining the rules, guidelines, and procedures in place to safeguard personal data. Make sure your policy and governing practices stress accountability and transparency in all data processing activities, paying close attention to practices involving children’s data.

5. Practice security by design and default

Keeping subjects’ personal data safe is critical for GDPR compliance, so implement both technical and organizational measures appropriate to the risk (Article 32), which names pseudonymisation and encryption explicitly. Encryption also changes your breach obligations: under Article 34(3)(a), if the breached data was rendered unintelligible to anyone not authorised to access it (for example, encrypted with a key that was not also exposed), you need not notify each affected data subject. You still notify the supervisory authority under Article 33 unless the breach is unlikely to result in a risk to individuals; the Information Commissioner’s Office (ICO) is the UK’s authority, and in the EU you notify the supervisory authority of the member state concerned. Conduct data protection impact assessments for high-risk processing and review the effectiveness of your security controls regularly.
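Pseudonymisation, which Article 32(1)(a) names alongside encryption and which the Control function earlier on this page describes as disassociating data from individuals, is easy to get wrong: hashing an email address with plain SHA-256 is not a pseudonym, because anyone holding a list of addresses can recompute the hashes. The following Python is an added example, not code from the original page or from Hyperproof. It shows the keyed alternative (HMAC-SHA256 under a key held separately from the data set, the “additional information” of Article 4(5)), the dictionary attack that defeats the unkeyed version, and how the key holder still answers an erasure request. The sample records, field names and key are constructed for the demonstration and do not come from any real system.

```python
"""
Added example: pseudonymising direct identifiers with a keyed hash (HMAC-SHA256)
so that the working data set alone cannot name a data subject, while the
controller, holding the key separately, can still find and erase a subject's
records. Sample records, field names and the key are constructed for this
demonstration. Standard library only.
"""
import hashlib
import hmac
from typing import Callable, Iterable, List, Optional

# Constructed sample records (fictional people).
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "order_total": 120.00},
    {"email": "bob@example.com", "postcode": "EC1A 1BB", "order_total": 35.50},
]

# Fields that directly identify a person. Quasi-identifiers such as postcode
# are left alone here; a real data set needs a separate minimisation step.
DIRECT_IDENTIFIERS = ("email",)


def _normalise(value: str) -> bytes:
    # The same person must always map to the same token, so canonicalise first.
    return value.strip().lower().encode("utf-8")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym. Without the key the token cannot be
    recomputed from a guess, which is what separates it from a plain hash."""
    return hmac.new(key, _normalise(value), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """What not to do: SHA-256 of an email address is reversible by guessing."""
    return hashlib.sha256(_normalise(value)).hexdigest()


def pseudonymise(records: Iterable[dict], key: bytes) -> List[dict]:
    """Return a copy of the records with direct identifiers replaced by tokens.
    The copy can still be joined and aggregated on the token."""
    out = []
    for rec in records:
        clean = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            clean[field] = pseudonym(clean[field], key)
        out.append(clean)
    return out


def dictionary_attack(token: str, guesses: Iterable[str],
                      hasher: Callable[[str], str]) -> Optional[str]:
    """Try to recover the identifier behind a token by hashing candidate values."""
    for guess in guesses:
        if hmac.compare_digest(hasher(guess), token):
            return guess
    return None


def erase_subject(pseudo_records: Iterable[dict], email: str, key: bytes) -> List[dict]:
    """Right to erasure against the pseudonymised set: the controller, who
    holds the key, recomputes the token and drops the matching records."""
    token = pseudonym(email, key)
    return [r for r in pseudo_records if not hmac.compare_digest(r["email"], token)]


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # in production: held in a separate key store
    data = pseudonymise(RECORDS, key)
    guesses = ["carol@example.com", "alice@example.com"]
    print("keyed token:", data[0]["email"][:16], "...")
    print("plain SHA-256 recovered:",
          dictionary_attack(unkeyed_hash("alice@example.com"), guesses, unkeyed_hash))
    print("keyed token recovered without key:",
          dictionary_attack(data[0]["email"], guesses, unkeyed_hash))
    print("records left after erasing alice:",
          len(erase_subject(data, "alice@example.com", key)))
```

Two caveats. Pseudonymised data is still personal data under GDPR (Recital 26), so the working copy remains in scope; what the split buys you is a smaller blast radius and a credible Article 34(3)(a) argument, and only if the key was not exposed in the same breach, which is why the key belongs in a separate store with its own access control. And because the token is deterministic, rotating the key breaks every join on it, so treat rotation as a planned re-keying job rather than a routine event.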

6. Address breaches quickly and openly

Have a clearly defined process in place to rapidly detect, investigate, report, and remediate breaches. The clock under Article 33 is 72 hours from becoming aware of a breach to notify the supervisory authority, with reasons given for any delay; under Article 34, data subjects must be told without undue delay when the breach is likely to result in a high risk to them.

7. Be data subject friendly

Set up internal policies and processes to prioritize the privacy rights of data subjects. Go above and beyond making sure subjects can view, access, change, transport, or delete their data and respond quickly to all data subject inquiries or requests. Keeping lines of communication open with subjects is critical for achieving the level of transparency required for privacy compliance.

8. Automate processes whenever possible

GDPR compliance involves managing lots of account information–often much more than manual practices can handle. Implement automated processes to handle subject information requests, email, and marketing tasks that require a faster response.

9. Monitor third parties for adherence to contracts

Sign Article 28 contracts with all third-party partners and vendors who may process personal data on your business’s behalf, ensuring they are aware of and compliant with GDPR, and monitor that they honour the contract terms: processing only on your instructions, engaging sub-processors only with your authorisation, notifying you of breaches, and submitting to audits.

10. Utilize GDPR compliance tools

Achieving and maintaining GDPR compliance can tax your company’s resources, so consider the benefits of engaging GDPR compliance software tools to ease the burden. Software tools can help with data discovery, consent management, driving accountability for the ongoing performance of foundational privacy activities, and retaining evidence to back up compliance assertions your organization has made (to reduce your legal liability).

GDPR: Frequently Asked Questions

GDPR applies to any organization, regardless of its location, that processes the personal data of individuals residing in the European Union (EU) or European Economic Area (EEA). This includes businesses, non-profits, and governmental entities. The regulation covers all data processing activities, whether carried out by data controllers (organizations that determine the purposes and means of processing) or data processors (organizations that process data on behalf of a controller).

GDPR compliance is mandatory for all organizations that process the personal data of EU or EEA residents. Non-compliance can result in severe penalties, including fines of up to €20 million or 4% of the organization’s total worldwide annual turnover for the preceding fiscal year, whichever is higher. Additionally, non-compliance can lead to reputational damage, loss of customer trust, and potential legal actions from affected individuals.

The GDPR is founded on seven key principles:

  1. Lawfulness, fairness, and transparency: Data processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  3. Data minimization: Data collected should be adequate, relevant, and limited to what is necessary for the intended purposes.
  4. Accuracy: Data must be accurate and kept up to date. Inaccurate data should be corrected or deleted promptly.
  5. Storage limitation: Data should be kept in a form that allows identification of data subjects for no longer than necessary for the purposes for which the data is processed.
  6. Integrity and confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
  7. Accountability: Data controllers are responsible for and must be able to demonstrate compliance with the GDPR principles.

GDPR protects any information that relates to an identified or identifiable individual, known as “personal data.” This includes, but is not limited to:

  • Names and surnames
  • Email addresses
  • Identification numbers
  • Location data
  • Online identifiers (e.g., IP addresses)
  • Biometric data
  • Health information
  • Financial information
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Data concerning a person’s sex life or sexual orientation

GDPR was adopted by the European Parliament on April 14, 2016, entered into force on May 24, 2016, and became enforceable on May 25, 2018, giving organizations a two-year transition period to comply.

Under GDPR, organizations are required to appoint a Data Protection Officer (DPO) if they are a public authority, engage in large-scale systematic monitoring, or process large-scale special categories of data or data relating to criminal convictions and offenses. The DPO is responsible for overseeing the organization’s data protection strategy and its implementation to ensure compliance with GDPR requirements.


A privacy notice is a statement provided by an organization to inform individuals about how their personal data is being collected, used, stored, and protected. Under GDPR, the privacy notice must be concise, transparent, intelligible, and easily accessible. It should include details such as the identity and contact details of the data controller, the purposes for data processing, the legal basis for processing, data retention periods, individuals’ rights regarding their data, and information on data transfers to third countries or international organizations.

The right to erasure, also known as the “right to be forgotten,” allows individuals to request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected or processed. Other circumstances where the right to erasure applies include when the data subject withdraws consent, objects to the processing, or if the data has been unlawfully processed. Organizations must comply with erasure requests unless there are overriding legitimate grounds for retaining the data, such as for legal obligations or the establishment, exercise, or defense of legal claims.

Under GDPR, organizations must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In the event of a data breach that poses a risk to the rights and freedoms of individuals, organizations are required to notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to individuals’ rights and freedoms, the affected individuals must also be informed without undue delay.

To ensure GDPR compliance, organizations should:

  1. Conduct a thorough data audit to understand what personal data is collected, how it is processed, and where it is stored.
  2. Develop and implement a data protection policy and ensure all staff are trained on GDPR requirements.
  3. Appoint a Data Protection Officer (if required) to oversee compliance efforts.
  4. Implement robust data security measures to protect personal data from breaches.
  5. Establish procedures for handling data subject rights requests, such as access, rectification, and erasure.
  6. Conduct regular data protection impact assessments (DPIAs) for high-risk processing activities.
  7. Review and update contracts with third-party data processors to ensure GDPR compliance.
  8. Maintain documentation of data processing activities and compliance efforts.
  9. Ensure a mechanism is in place for data breach detection, reporting, and response.
  10. Continuously monitor and review compliance efforts to adapt to changes in data processing activities and regulatory requirements.

A Data Protection Impact Assessment (DPIA) is a process designed to help organizations identify and mitigate the data protection risks of a project or processing activity. DPIAs are required for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, such as large-scale processing of sensitive data or systematic monitoring of public areas. The DPIA should assess the necessity and proportionality of the processing, identify and evaluate potential risks, and outline measures to mitigate those risks.


Hyperproof for GDPR Compliance

Hyperproof is a powerful compliance operations platform designed to help you abide by GDPR and a host of other privacy regulations in the most efficient way possible.

  • Conduct privacy risk assessments and track risks in a central risk register
  • Understand GDPR requirements
  • Manage privacy and security controls on an ongoing basis and foster accountability
  • Reduce your liability by mapping your controls to GDPR and other regulations to prove that due diligence was conducted before compliance assertions were made
  • Easily gather evidence of your control activities and automate workflows
  • Gauge progress within your privacy program and prioritize activities
  • Link risks to controls and monitor your privacy risks in real time
  • Effectively communicate your organization’s compliance posture to stakeholders

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get GDPR ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
