The Ultimate Guide to
General Data Protection Regulation (GDPR)
What is GDPR?
The EU enacted the General Data Protection Regulation, or GDPR, to protect their citizens’ data and give them the right to know what data providers collect about them. It also lays out strict rules for reporting breaches and how to store and protect data.
Any business with customers who are citizens of a European Union country is subject to GDPR, and the GDPR is one of the harsher regulations in terms of punishment. It allows for a tiered approach based on the seriousness of the violation, with the maximum penalty being 4% of annual global turnover or €20 Million—whichever is greater.
The General Data Protection Regulation, or GDPR, is one of the strictest privacy laws in the world, requiring organizations inside and outside of Europe to secure the personal identifiable information (PII) of European Union (EU) citizens collected, processed, or stored by the organization. GDPR went into effect on May 25th, 2018, to safeguard EU citizens’ data and uphold the right to know exactly what data is collected by providers. GDPR also lays out strict rules for reporting breaches and how to store and protect data.
Definition of Personal Data Under GDPR
The GDPR defines Personal Data as
“any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
GDPR Privacy Principles
GDPR’s data privacy principles originate from the Federal Trade Commission’s original five privacy principles created in 1998 that have stood the test of time. These core privacy principles include:
GDPR Articles 5 through 11 discuss the core principles relating to data privacy–Articles 5,6,9, 10, and 11 focus on rules and guidelines for processing personal data, while Articles 7 and 8 address the regulations involving data collection and consent.
In summary, GDPR’s privacy principles ask organizations to make data subjects aware of what data is being collected and the purpose(s) of the data collection. Subjects must know that it’s their choice for their data to be collected, stored, and processed, and they must give their formal consent before data collection can legally begin. Subjects must also have complete visibility of and access to all their data with the right to update or remove it at any time. Organizations holding personal data must ensure the integrity and security of the data at all times, enforcing all rules and enacting all controls necessary to keep the data secure.
GDPR Obligations for Controllers and Data Processors
Data controllers are people, agencies, organizations or authorities who oversee the processing of personal data, determining the purpose for and means of processing this information. For example, if you’re an e-commerce company that sells goods online to EU citizens and you’d like to collect consumers’ physical and email addresses to notify them of shipments and send them promotional emails, you’re considered a data controller under GDPR.
Controllers are responsible for implementing appropriate technical and organizational measures proving data processing is performed in accordance with GDPR regulations and enforcing appropriate data protection policies when necessary. Controllers must adhere to a “by default” practice of only processing data essential for each specific purpose of the processing.
Data processors work by specific contracts to process data on behalf of controllers. Processors work under the strict orders of controllers, processing data only on the documented instructions of a controller.
Processors must assist controllers in meeting all compliance obligations, such as deleting or returning all data after completing processing services. In the same e-commerce example, the data processor is the email marketing software company that’s used by the e-commerce company to send promotional emails to EU customers. Because it is processing data that belongs to EU data subjects, even if the email tool company is incorporated in the U.S., it still needs to abide by GDPR.
What is the process for becoming GDPR Compliant?
Becoming GDPR compliant involves performing five high-level functions that organize foundational privacy activities and help manage data and the privacy risks around data processing. The five functions are:
These activities give an organization a solid foundation for identifying and managing privacy risks. They include activities such as understanding what data they’re processing and mapping out data flow through systems throughout the entire data lifecycle – from collection to disposal. They include conducting privacy risk assessments to assess how data processing could create problems for individuals (e.g., embarrassment, discrimination, or economic loss).
These activities include determining which privacy values your organization is focused on, knowing your privacy-related legal obligations, and helping your workforce know their roles and responsibilities so they can effectively manage privacy risks in the design and deployment of your products and services.
These activities include thinking through your data processing practices and how the design of your products and services can introduce or mitigate your privacy risks and impact your ability to fulfill legal obligations. The Control Function also includes technical measures to disassociate data from individuals and devices.
These activities are concerned with crafting policies for communicating internally and externally about your data processing activities. It also includes actions around making your privacy practices clear and transparent to customers through privacy notices on your websites and/or apps.
These are security measures designed to protect data, such as using security software, encrypting sensitive data, conducting regular backups of data, conducting pen tests, and more.
GDPR Compliance Checklist
Achieving and maintaining compliance with GDPR requires strategic organization and diligence. Working with a compliance checklist simplifies the process, ensuring you check the boxes and minimize your business’s exposure to regulatory penalties. Below is a checklist of categories and activities all organizations should perform to help achieve and maintain GDPR compliance.
Be lawful and transparent
Maintain a current list of all data processing activities and conduct regular data protection impact assessments. Your list should include the type of data processed, purpose of processing, who has access to the data, security controls in place, and plans for deletion of the data. Be able to provide a “lawful basis” for your processing and be sure to notify the subject of data collection and the legal justification behind it.
Practice “protection by design and by default,” including the implementation of appropriate technology (encryption) and organizational measures (delete data after use) to ensure data safety at all times. Institute an internal data security policy and privacy and security training for employees, and a process to notify authorities and subjects in the event of a breach.
Assign roles and responsibilities for GDPR compliance and appoint a Data Protection Officer to oversee GDPR compliance activities. Sign a data processing agreement contract with all third parties who process data on your behalf, and if you’re located outside the EU, be sure to delegate a representative within an EU state.
Uphold data privacy rights
Keep subject data current and make it easy for subjects to view, update, delete, transfer, or stop the processing of their data in a reasonable time frame. Read this to learn more about how to abide by data access requests under GDPR.
GDPR Breaches and Fines
Failing to comply with GDPR can result in significant monetary fines in addition to brand damage and reputational harm. GDPR views certain violations as more severe than others, so penalties are scalable based on the offense. Article 83 discusses fines, stating less severe violations (usually involving the articles governing controllers and processors or certification and monitoring bodies) can receive penalties of up to 10 million Euros or 2% of annual global revenue, whichever is greater. More severe violations (usually involving privacy rights or the right to be forgotten) can receive fines up to 20 million Euros or 4% of annual global revenue, whichever is greater.
Data protection regulators in each European country administer GDPR fines. How much you will pay will depend on ten criteria, including:
Gravity and nature
The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
Whether the infringement was intentional or the result of negligence.
Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.
The amount of technical and organizational preparation the firm had previously implemented to comply with the GDPR.
Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.
What type of personal data the infringement affects.
Whether the firm or a designated third party proactively reported the infringement to the supervisory authority.
Whether the firm followed approved codes of conduct or was previously certified.
Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.
Where do most companies struggle with compliance, and what are the most common GDPR violations?
Communicating openly about data processing with subjects, establishing a legal basis for processing, and implementing proper security measures seem to provide the most challenging GDPR hurdles for today’s companies. Common violations include non-compliance with general data processing principles (often resulting from a lack of communication with the subject), insufficient legal basis for data processing, and inadequate technological or organizational measures to ensure information security.
In 2020, Google received a fine of 50 million, and Telecom £27 million for failing to disclose how they processed a subject’s data in addition to lacking a legal basis for processing the data. Another global giant, H&M, was fined £35 million for lacking the legal grounds to process a customer’s personal data.
How does GDPR fit into your overall compliance program?
Your organization may need to abide by GDPR, country-specific privacy regulations, and state-specific regulations. There may be additional industry data protection regulations you have to follow if you serve the healthcare sector or handle financial data. How do you keep track of all these disparate yet somewhat similar regulations? The key is to develop an enterprise-wide approach to continuously managing privacy risks.
If you are operating in multiple geographic locations, taking a transactional (I.e. one regulation at a time) approach to privacy isn’t sustainable or cost-effective. You’ll likely end up duplicating efforts as different teams, different regions, or business units work in silos.
A regulatory-agnostic approach begins with your organization identifying its core priorities for privacy and then selecting the controls and frameworks, focusing on addressing these prioritized principles.
The NIST Privacy Framework can provide an excellent foundation for building and mapping your controls to comply with specific regulatory requirements. Be sure to clearly define roles and responsibilities for framework implementation and create a centralized, single-source-of-truth evidence repository when taking a regulatory-agnostic approach to compliance management.
10 General Tips and Strategies for Implementing GDPR
1. Raise awareness
GDPR compliance awareness must be ingrained in your company’s culture. Start by implementing an in-house training program to educate all employees on “privacy protection by design and default” and their specific roles and responsibilities in achieving GDPR compliance.
2. Assign roles
Compliance takes time, work, and a team effort, so spread the responsibility across your organization by assigning specific roles to every employee. Designate a Data Protection Officer, even if one isn’t required, because having a dedicated leader overseeing your GDPR compliance effort is critical to staying on track.
3. Identify your data
Create a comprehensive list of all data your organization stores and processes, where they are located, who has access, how it’s processed, and the legal basis for processing.
4. Regularly review data governing practices
5. Practice security by design and default
Keeping subject PII safe is critical for GDPR compliance, so be sure to implement both technological and organizational measures to ensure the security of all your data. Encryption is an example of a control that all teams should employ. If data is encrypted and a breach occurs, the law only requires you to notify the Information Commission Office (ICO) rather than each owner of the data. Remember to conduct regular data protection impact assessments to monitor the effectiveness of your security controls and compliance management program.
6. Address breaches quickly and openly
Be sure to have a clearly defined process in place to rapidly detect, investigate, report, and remediate breaches. This process must include informing authorities and data subjects of the event as soon as possible.
Set up internal policies and processes to prioritize the privacy rights of data subjects. Go above and beyond making sure subjects can view, access, change, transport, or delete their data and respond quickly to all data subject inquiries or requests. Keeping lines of communication open with subjects is critical for achieving the level of transparency required for privacy compliance.
8. Automate processes whenever possible
GDPR compliance involves managing lots of account information–often much more than manual practices can handle. Implement automated processes to handle subject information requests, email, and marketing tasks that require a faster response.
9. Monitor third-parties for adherence to contracts
Sign contracts with all third-party partners and vendors who may process subject PII on your business’s behalf, ensuring they are aware of and compliant with GDPR.
10. Utilize GDPR compliance tools
Achieving and maintaining GDPR compliance can tax your company’s resources, so consider the benefits of engaging GDPR compliance software tools to ease the burden. Software tools can help with data discovery, consent management, driving accountability for the ongoing performance of foundational privacy activities, and retaining evidence to back up compliance assertions your organization has made (to reduce your legal liability).
Hyperproof for GDPR Compliance
Hyperproof is a powerful compliance operations platform designed to help you abide by GDPR and a host of other privacy regulations in the most efficient way possible.
Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get GDPR ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.