What is the General Data Protection Regulation?
The General Data Protection Regulation, or GDPR, is the biggest and most comprehensive data privacy regulation, raising the bar for data privacy protection everywhere. This regulation, which is interpreted and upheld by the Information Commissioner's Office (ICO), transformed how businesses in every industry can collect and utilize personal data, giving consumers the ability to dictate how their own personal data is used by businesses. For the first time, private individuals have a voice in who collects their data, when it is collected, how it can be used, and can even demand that businesses relinquish all the data they have collected.
Under the GDPR, companies cannot collect and use personal data from their customers and prospects without plainly worded disclosures. The GDPR has high penalties for privacy violations and data breaches. Organizations have to prove that they are following GDPR compliance standards and proactively seeking to protect consumer data. In short, companies must be transparent about what data they collect, why they are collecting it, and how they are protecting it.
Sounds like a lot, right? But this isn’t merely a challenge for European companies to overcome. While this is nominally a European law, the regulation applies to any organization that offers goods or services to European data subjects. Whether or not these companies are physically located in the EU or not, they are on the hook for compliance with the regulation.
But before we can discuss GDPR compliance, we need to define personal data, the type of information the GDPR was designed to protect.
What Kind of Data Does the GDPR Apply To?
At the center of the GDPR is personal data. The definition of personal data varies slightly between different privacy legislations, however in this context we’ll look at how the GDPR defines it. This information can include:
- Basic Information such as name, address, email, or phone number
- Web data such including location, IP address, cookies, and RFID tags
- Health and Genetic information
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual Orientation
- Or any information that relates to an identifiable individual.
As you can see, personal data is definitely broadly defined - and that is intentional.
What Does the GDPR Expect You To Do?
The GDPR is founded on eight principles that are laid out in article 5 and are intended to guide organizations in how they can handle personal data. Rather than serving as hard and fast rules, these are guidelines that are intended to work as a framework to explain the purpose of the regulation.
Lawfulness, Fairness and Transparency
The intended use of data needs to be disclosed in a clear and efficient way that allows the data subject to understand exactly how their information is being collected and processed. This creates transparency in data sharing so that no one involved is unaware or upset by how their data was processed.
Purpose Limitation
The Purpose Limitation principle asserts that data cannot be stored and repurposed for other means than the reason that was initially disclosed to the data subject. This connects back to the first principle in that the purpose of the data usage needs to be clearly disclosed, and then abided by. This prevents businesses from profiting off of data through its sale or utilization for undisclosed means down the road.
Data Minimization
Data Minimization means the use of data must be limited to its essential needs. In short, the company or individual should identify the minimum amount of personal data needed to fulfill their purpose and use no more than that amount. Data retention, processing, and distribution needs to be limited and strongly considered before it is collected in any form from the data subject.
Accuracy
The information you are collecting on customers needs to be correct. This ensures that the data that you are utilizing is clearly tied to the subject as well as ensures professionalism when interacting with the data subject with regard to their data.
Storage Limitation
This is a crucial part of GDPR compliance. You must clearly explain to your customer how long you will be storing their data as well as ensuring it is properly destroyed after it has been utilized for its intended purpose.
Integrity and Confidentiality
Similarly to the principle of least privilege, data should be processed on a need to know basis. Only individuals who require access to the information in order to fulfill their job functions should be given access to the information. Confidentiality means keeping the customers' privacy as the forefront priority of your business practices and using data in a way that is discrete and respectful of the customer's information and privacy.
Accountability
Lastly, this goes without saying but as the ICO website states, “The data controller must be responsible for, and able to demonstrate compliance”. Anyone who is handling data needs to be properly trained and fully aware of exactly what GDPR compliance means. Ultimately it is the job of the controller’s themselves to ensure that GDPR compliance is maintained and that customer privacy is held with the utmost importance.
GDPR Breaches and Fines
When the European Union (EU) put GDPR in effect, it introduced some of the harshest penalties for a breach of any data protection law in the world. The highest tier of GDPR fines and penalties can be up to €20 million or 4% of the company’s previous worldwide annual revenue, whichever one is greater. As an example of this, in 2021, Amazon received a fine of $888 million for a GDPR violation.
These strict penalties give the GDPR a great amount of leverage in requiring compliance with the regulations, ensuring consent is received from all data subjects, and reducing the likelihood of personal data violations.
Let’s be clear here, the EU isn’t playing when it comes to data protection. If you don’t follow their regulation, you are putting yourself at a high risk for expensive fines, and potential loss of clients and brand trust.
How to Comply with the GDPR
Now that we’ve addressed the definition of personal data, the principles guiding the GDPR, and the seriousness of fines for violations, let’s dive into a practical guide for how to help your organization become GDPR compliant. Here are the key steps:
Establish a Data Protection Officer
The Data Protection Officer is responsible for ensuring that their organization is compliant with GDPR and serving as the link between the employees and the members of the public who may find their information used and processed by the organization. Finally, the DPO is responsible for conducting data protection impact assessments. In larger organizations, there may even need to be multiple people that are dedicated to maintaining that company’s compliance with GDPR, CPRA, and other data privacy laws.
For more information, read this article about the responsibilities of a data protection officer.
Understand Opt-Out vs Opt-In Consent
One of the things that you must do is give people the choice to decide for themselves whether they can trust you with their personal data. GDPR has rules regarding both opt-in and opt-out consent forms. In order to understand when you should use opt-in versus opt-out measures, you need to understand the difference between the two.
Opt-In means that a user has to take a clear affirmative action to offer their consent. Opt-Out means a user has to take a clear action to withdraw their assumed consent. The GDPR requires that consent for most activities be set to “Opt-In” by default, meaning that the user would need to take steps to manually opt-in to having their information processed rather than it being a "pre-ticked" box on a website.
For a more in-depth look at consent and the opt-in, opt-out policies within GDPR, here is a great resource directly from the Information Commissioner's Office: ISO GDPR Consent Guidance.
Inform Your Users On What You’ll Do With Their Data
You must provide clear and precise information about the cookies (including strictly necessary ones) and their purpose for users immediately when they visit a website. This way users can make an informed decision on if they should opt-in or opt-out of the use of cookies.
Designate a Compliance Representative
If you do not have a physical presence in the EU but regularly process customer data of EU residents, the regulation requires that you hire a EU-based GDPR representative. This role must serve as the contact point for all issues related to a company’s processing of personal data according to the GDPR. The representative must also act as the point of contact for GDPR supervisory authorities. Please note that this cannot be the same person as your DPO.
Conduct Ongoing Risk Assessments and Correction of Privacy Shortcomings
For information security as a whole, risk assessments are crucial in determining the vulnerabilities through which cyber criminals and employees might compromise sensitive information. A GDPR Risk Assessment is the process of identifying, analyzing, and evaluating threats and vulnerabilities to the sensitive data of the European data subjects within your handling and processing.
The best practices for information security risk assessments are outlined in ISO 27001. But to keep this simple, the GDPR wants you to undertake a GAP Analysis, which is a method of assessing the differences in performance between a business' information systems or software applications to determine whether compliance requirements are being met and, if not, what steps need to be taken to begin meeting those standards. By recognizing and mitigating those identified gaps, you can then claim that your company is GDPR compliant.
Once you’ve identified the risks and how to correct them, you must put those measures into place. For most companies, that means revising existing risk mitigation measures.
Process and Fulfill Data Subject Access Requests
One of the most important new rights that the GDPR gave EU residents was the right to access their personal data to see what organizations know about them and how they use that data. How do people access that information? They submit a Data Subject Access Request, commonly called DSARs.
A DSAR is a request from someone an organization may have collected data on, and the organization must comply with the request and respond with a copy of any information they have on them. Beyond simply asking for their information, they can also request:
- Confirmation that their personal data is being processed
- Details on your lawful basis for processing the data
- How long you will store their data
- The names of any third party you share their data with
This admittedly places a burden on organizations, because customer data is likely split among various platforms. Data Mapping can help you keep track of how data flows between different systems and departments, as well as serve as a checklist to ensure that you have gathered all of their data.
Prepare To Execute Data Processing Agreements
The GDPR requires data controllers to take active measures to ensure the security of the personal data they collect. If these organizations decide to outsource certain data processing activities, they must be able to demonstrate that these third parties are taking the appropriate steps to act in accordance with the GDPR. At its simplest, a Data Processing Agreement is a legal contract between a data controller and a data processor that will receive access to, transmit, or store personal data. It regulates and determines the particulars of data processing as well as details the relationship between the two entities.
Compliance With GDPR Does Not Need To Be Complex
Complying with data privacy laws like the GDPR has a reputation for being intimidating and stressful. While it can certainly feel that way, you must keep in mind that the regulation is intended to protect consumers. You may be one of those people. The law is ambitious and vast because it is intentionally designed to safeguard our personal data and give us some degree of control over how our data is used. At a time when so much data on us is stored online, we are incredibly vulnerable to theft, exploitation, and we’ve seen that many organizations have not taken action to protect this data. This is exactly why the GDPR is incredibly important.
That being said, complying with the GDPR is challenging for all organizations, especially as we have come to rely on nearly unlimited access to this data to run and grow our businesses. Compliance requires upfront and recurring costs, the adoption of new in-office policies and procedures, annual training, and even the hiring of new employees or heaping new responsibilities onto existing employees.
Enter Accountable. Our mission is to take the guesswork out of compliance, so we offer a complete administrative solution to GDPR so that you can achieve and maintain your compliance program efficiently and effectively. Plus you can do all this for a fraction of what it would cost to hire a legal professional, while still providing the peace of mind that comes with working with a third party expert. Now that is great and all, but you’re here because you want to know how you can get compliant.
Don’t wait. Get started on your journey to compliance, today!