GDPR Compliance Guide
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a legal framework that sets guidelines for collecting and processing personal information from individuals in the European Union (EU). It is at the core of Europe’s digital privacy legislation.
More than four years in the making, the GDPR was conceived in January 2012 when the European Commission set out plans for implementing data protection reform across the EU with the objective of making Europe “fit for the digital age.” In April of 2015, an agreement was reached on what would be involved and how it would be enforced.
The European Parliament passed the GDPR in April 2016. After a two-year transition period, GDPR compliance became mandatory in May 2018.
The GDPR was extended to cover citizens in the European Economic Area (EEA). It was adopted by the EEA Joint Committee in July 2018 and entered into force in the EEA European Free Trade Association (EFTA) States in July 2018.
EEA and GDPR Compliance
Countries that belong to the EEA and are impacted by GDPR compliance include the EU countries (i.e., Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden) as well as Iceland, Liechtenstein, and Norway.
GDPR compliance is mandatory for any organization that processes the personal data of individuals in the EU. It strengthened EU citizens’ rights in the digital age and streamlined compliance requirements for businesses by consolidating rules for companies, organizations, and public bodies. By having a single law, the GDPR also did away with the complexity of fragmentation in different national systems, which had caused significant administrative burdens.
The GDPR's stated purpose is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.” Under GDPR, EU citizens have the right to protection of their personal data as set forth in Article 8 of the EU Charter of Fundamental Rights, which stipulates that everyone in the EU has the right to:
- The protection of personal data concerning them
- Access to data that has been collected concerning them, and the right to have it rectified
Personal Data Under GDPR
According to Article 4 of the GDPR, personal data is any information that relates to an identified or identifiable living individual.
Different pieces of information collected together that can lead to the identification of a particular person are also considered personal data. In other words, personal data is any data linked to a living person’s identity.
Examples of personal data as related to GDPR compliance include:
- Advertising identifier on a phone
- Cookie ID
- Data held by a healthcare provider
- Email address
- Home address
- Identification card number
- Internet Protocol (IP) address
- Location data
- Name and surname
GDPR compliance requires organizations to protect the personal data and privacy of EU citizens for any of their transactions that occur within EU/EEA member states.
GDPR Compliance and the Eight Basic Rights of Data Subjects
1. The right to access
Individuals have the right to request access to personal data collected and ask how the organization uses their data. The organization must provide a copy of the personal data if requested—free of charge and in electronic format.
2. The right to be forgotten
If an individual has shared their personal data with an organization, they have the right to withdraw their consent for the organization to use it as well as the right to have their data deleted.
3. The right to data portability
Individuals have a right to have personal data that an organization (e.g., service provider) collects transferred to another organization in a commonly used, machine-readable format.
4. The right to be informed
If an organization collects personal data, it must inform individuals before data is gathered and have individuals opt in to data collection. Consent must be given explicitly rather than implied.
5. The right to have information corrected
Individuals can have their personal data updated if it is out of date, incomplete, or incorrect.
6. The right to restrict processing
Individuals can request not to have their data used for processing (i.e., their record can be stored, but not used).
7. The right to object
Individuals have the right to stop the processing of their data for direct marketing. This right must be made clear to individuals at the start of any communication, and any processing must stop as soon as the request is received.
8. The right to be notified
In the event of a data breach that compromises personal data, individuals have the right to be informed within 72 hours of the organization first having become aware of the incident.
GDPR Compliance and the Principles Relating to Processing of Personal Data
The GDPR defines principles for the lawful handling of personal information, which involves the organization, collection, storage, structuring, use, consultation, combination, communication, restriction, destruction, or erasure of personal data. Under the GDPR, Data Controllers are responsible for complying with these principles as well as being able to demonstrate their compliance. The GDPR principles related to the processing of personal data include the following:
- Lawfulness, fairness, and transparency
Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose limitation
Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purpose for which they are processed.
- Accuracy
Personal data must be accurate and kept up to date. This principle will be familiar from the Data Protection Directive (DPD) that preceded the GDPR. Inaccurate or outdated data should be deleted or amended, and data controllers are required to take “every reasonable step” to comply with this principle.
- Storage limitation
Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
- Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Accountability
The controller shall be responsible for, and able to demonstrate, compliance with the GDPR.
Enforcement of GDPR Compliance
The European Data Protection Board (EDPB), an independent European body, was established as part of the GDPR to ensure the consistent application of data protection rules throughout the EU. It is composed of the representatives of the national data protection authorities of the EU/EEA countries and the European Data Protection Supervisor. The EDPB’s responsibilities consist primarily of:
- Providing general guidance on key concepts of the GDPR
- Advising the European Commission on issues related to the protection of personal data and new proposed legislation in the European Union
- Adopting binding decisions in disputes between national supervisory authorities
GDPR Compliance Checklist
- Determine whether the GDPR applies to your organization and, if so, whether you are a processor, a controller, or both:
  - Do you sell goods or services in the EU?
  - Do you sell goods or services to EU businesses, consumers, or both?
  - Do you have employees in the EU?
  - Do individuals from the EU visit your website?
  - Do you monitor the behavior of individuals within the EU?
  If any of the above apply to your business, you need to become GDPR compliant.
- Let users know you are using cookies or other tracking technologies
- Ensure that you inform users of your intentions at or before the start of data collection
- Explain what your cookies are doing and why
- Obtain your users’ valid consent to store a cookie on their device(s)
- Give users access to your service even if they do not consent to cookies
- Collect and process data only after obtaining valid consent
- Document and store consent that’s received from users
- Offer a simple opt-out, as simple as the opt-in
- After opt-out, ensure that no further data is collected or forwarded
- Evaluate your data collection requirements—collect only the minimum data needed for business purposes
- Know all of the data that you are collecting and whether any of it is sensitive information
- Map all of the personal data that your organization collects and processes
- Document what is done with all personal data
- Establish procedures for handling personal data
- Determine what data is essential—delete anything that is not essential
- Appoint a Data Protection Officer (DPO)
- Create a record of how GDPR compliance is implemented and being managed
- Verify the age of all users who consent to data processing
- Include a double opt-in for all new email list sign-ups
- Implement security measures to protect data according to GDPR compliance requirements
- Regularly assess internal and third-party risks
Non-Compliance with GDPR
If an organization fails to comply with GDPR, it can face steep fines that start at 10 million Euros (more than $11 million, as of March 2022) or 2% of annual global revenue. The maximum penalty for not adhering to GDPR compliance requirements is 20 million Euros or 4% of the company’s annual global revenue, whichever is greater.
Fines are based on the severity of the breach and on the extent to which the organization mishandled personal data or failed to adhere to GDPR compliance requirements. Mishandling of data can include, but is not limited to:
- Failure to report a data breach
- Failure to build in privacy by design
- Failure to ensure data protection is applied in the first stage of a project
- Failure to appoint a data protection officer or equivalent, if the organization is one of those required to do so by GDPR
Who Is Impacted by GDPR Requirements?
According to the GDPR, compliance requirements apply to organizations that:
- Process personal data as part of the activities of one of their branches established in the EU, regardless of where the data is processed
- Are established outside the EU and offer goods or services (paid or free) to individuals in the EU
- Monitor the behavior of individuals in the EU
Since GDPR compliance requirements apply regardless of where an organization is based, any organization with a website that might attract European visitors must adhere to GDPR mandates, even if they do not specifically market goods or services to EU residents. In addition, GDPR compliance is required for more than data collected from customers; it also applies to the human resources records of employees.
Article 4 of the GDPR identifies and defines the two types of data handlers to which GDPR compliance applies: controllers and processors. The GDPR also requires certain organizations to appoint a Data Protection Officer (DPO).
The GDPR defines a controller as a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Controllers decide how personal data is processed and are required to ensure that all contracts with processors meet GDPR compliance requirements.
The GDPR defines a processor as any “person, public authority, agency or other body which processes personal data on behalf of the controller.” Processors execute the data processing rules set by a controller rather than making decisions about how personal data is handled. Even though processors are just following controller instructions, they are still expected to maintain GDPR compliance, because they are handling personal data.
Data Protection Officer (DPO)
To meet the terms of GDPR compliance, an organization must appoint a Data Protection Officer (DPO) if it is a public authority or if it carries out large-scale:
- Processing of special categories of data
- Monitoring of individuals, such as behavior tracking
Where a DPO is required, failure to appoint one is considered a GDPR compliance failure and results in a fine. In the case of public authorities, a single DPO can be appointed across a group of organizations. While it is not mandatory for organizations outside of those noted above to appoint a DPO, all organizations need to ensure they have the skills and staff necessary to maintain GDPR compliance if they are subject to it.
GDPR Compliance and Data Breaches
The GDPR requires all organizations to report to the relevant supervisory authority any data breaches that involve unauthorized access to or loss of personal data that is likely to result in:
- A risk to the rights and freedoms of individuals, which can lead to discrimination
- Damage to reputation
- Financial loss
- Loss of confidentiality
- Any other economic or social disadvantage
In some cases, organizations must also directly inform individuals affected by the breach to meet GDPR compliance requirements.
Personal Data Breach as Related to GDPR Compliance
As related to GDPR compliance requirements, a data breach is any incident that results in the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
This includes thefts by cybercriminals and incidents resulting from employees inadvertently making personal data public. An unintentional insider data breach could result from a technical error on the organization’s website, sending an email to the wrong person, or losing a laptop or removable device that contains personal data.
A data breach must be reported to the relevant supervisory body within 72 hours of the organization first becoming aware of it. If the breach is serious enough to require notifying customers or the public, GDPR compliance directs that this be done via a breach notification without “undue delay.”
To meet GDPR compliance requirements, the notification may not be communicated only in a press release, social media, or a company website. It must be a one-to-one correspondence with those affected.
GDPR compliance requires that the data breach notification must include certain information about the breach, including:
- Categories of information compromised
- Number of individuals affected
- Categories of personal data records concerned
GDPR compliance also requires that organizations include a description of the potential consequences of the data breach (e.g., theft of money or identity). In addition, it requires a description of the remediation measures being taken to deal with the data breach and address any negative impacts for the individuals whose personal data was compromised. The contact details for the Data Protection Officer or primary person handling the breach also must be provided.
Global Impact of GDPR Compliance
GDPR compliance is considered to be the toughest privacy and security regulation in the world. Whether or not it is the toughest, it very well could be the most influential. In its path came a rash of strict privacy and security laws. Shortly after the enactment of the GDPR in the EU, countries worldwide followed suit with similar legislation.
Within a couple of months of the passage of the GDPR, the governor of California signed the California Consumer Privacy Act (CCPA). In the United States, that was quickly followed by the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA). Similar legislation has also been passed across the rest of North America, Latin America, Asia, Africa, and Australia.
The stringent requirements that come with GDPR compliance are now global. Organizations of all sizes and geographies must take time to understand and implement not just GDPR compliance requirements, but those of countries around the world whose legislation was inspired by the GDPR.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 11th April, 2022