Who needs to comply with GDPR?

In 2015, the European Union passed the General Data Protection Regulation (GDPR), reshaping how organizations around the world can collect and process personal data. The goal of GDPR is clear: help consumers understand and control what kind of data companies collect, who it’s shared with, and what it’s used for.

The how of GDPR compliance is a little murkier. The law requires organizations to take steps to safeguard personal data and keep users informed of their data privacy rights but doesn’t specify what all of those safeguards should be. While this flexibility is meant to allow organizations to tailor their approach to their unique systems, processes, and customers, it can make it difficult for companies to ensure they’re complying with the law.

To help clarify what’s required to comply with GDPR, we’ve created an interactive checklist you can use to verify you’ve put the proper safeguards in place.

Who needs to comply with the GDPR?

The first question to ask is: do GDPR regulations apply to your organization?

GDPR is a data privacy law that gives EU citizens and residents greater insights into and control over the personal data organizations collect and how it’s processed.

While the GDPR is EU legislation, it has far-reaching implications. GDPR applies to any organization that collects and processes personal data from EU citizens or residents — even companies outside of the EU. Any organization with a global presence should strive to be GDPR compliant.

An overview of GDPR requirements

The actual GDPR document is fairly lengthy — 88 pages of legal text that includes 99 articles and 173 recitals. If you’re interested in diving deeper into what’s necessary to become GDPR compliant, check out our article that explains GDPR requirements in detail. Here, we’ll summarize the essentials before jumping into the compliance checklist.

1. Establish a legal basis for data processing

Whether your organization is a data processor or a data controller, it must have a valid legal basis for collecting and processing personal data. Under GDPR, these legal bases include:  

• A data subject freely gave clear, unambiguous consent for personal data processing.
• Data processing is necessary to fulfill contractual or legal obligations.
• Processing the data will save somebody’s life.
• Processing the data is in the public interest.
• The organization has a “legitimate interest” — in other words, whenever an organization uses personal data in a way that the data subject would already expect. For example, a financial institution that analyzes personal data to detect and prevent fraudulent transactions.  

Organizations are required to document their lawful basis and notify data subjects.

2. Obtain explicit consent from data subjects

Organizations that use a data subject’s consent as its legal basis must be able to prove that it obtained that consent fairly. Data subjects have to be fully informed about how you process their data, and they have to freely and unambiguously agree to the processing of personal data.

In other words, you are required to explain to data subjects how you process their data and their data privacy rights under GDPR in clear, simple terms. Many organizations do this through a privacy notice that’s publicly posted on their website.

You can’t coerce or trick users into giving consent, and you can’t leave out details that keep them from exercising their rights under GDPR, such as their right to opt-out of data processing or request their personal data be erased.

3. Respect data subject rights

Data subjects have certain rights under the GDPR that organizations are required to uphold. These include:

• The right to be informed: Data subjects must be informed of how you process personal data and for what purpose. This requirement applies even if data is being transferred to a third party. 
• The right of access: Data subjects have the right to know what personal data you’ve collected about them, where and how it’s being collected, why it’s being processed, and how long it will be kept. 
• The right of rectification: Data subjects have the right to correct any inaccurate or incomplete personal data. 
• The right to erasure: Data subjects can request deletion of their personal information. 
• The right to restrict processing: In certain situations, data subjects can request that you change how you process their personal information. 
• The right to data portability: If a data subject requests their personal data, you must provide it to them free of charge and in an easily accessible format.
• The right to object: Data subjects can object to the processing of their personal data. You must honor that objection unless you can prove that you have a legal basis for processing it. 

4. Implement technical and organizational safeguards

Organizations must establish “appropriate technical and organizational measures” to ensure any customer data that’s processed is properly secured.

The GDPR doesn’t specify an exact list of security measures, allowing organizations some flexibility in building an information security posture that suits their unique needs. Examples of data security controls are multi-factor authentication, data encryption, firewalls, user access controls, and security awareness training.

5. Send breach notifications

In the event of a data breach, GDPR requires organizations to notify affected data subjects within 72 hours (or have adequate justification for a delay).

Breach notifications must explain how many people and data records were affected, the likely consequences, and what the data controller has done to mitigate the effects of the breach. Notifications also need to include the name and contact information of the organization’s data protection officer.

6. Appoint a data protection officer (if applicable)

Data protection officers (DPOs) oversee the organization’s overall data protection strategy. They’re responsible for ensuring employees are trained on GDPR requirements, completing regular compliance audits, and maintaining documentation to prove compliance.

Data protection officers also act as the main point of contact for both supervisory authorities and data subjects. If a data subject requests their personal data be erased, the data protection officer is required to respond to that request within one calendar month. 

7. Design with privacy in mind

Organizations must take data privacy and protection into consideration when designing any new products or services. At every stage of development, companies need to limit personal data collection to what’s absolutely necessary to deliver the product or service, and detail the specific steps they’ll take to keep that data safe. 

8. Conduct a data protection impact assessment

Whenever a data subject consents to data collection or processing, they are taking on a certain level of risk. Their data might be stolen or leaked in a personal data breach and used for fraudulent purposes. A Data Protection Impact Assessment (DPIA) explains how your organization identifies and minimizes those risks. 

9. Restrict personal data transfers

GDPR includes strict conditions for transferring personal data outside of the EU. When data transfers are allowed, GDPR requires both the data importer and data exporter to take appropriate steps to protect the personal data being transferred.  

10. Complete regular data privacy training

Because GDPR legislation is fairly complex, regular data privacy training is required to help employees handle different categories of personal data securely. GDPR training should explain what the law is and where it applies, data subject rights, the responsibilities of both data controllers and data processors, and how to respond to a cybersecurity incident.

GDPR checklist: Assess your organization’s approach to data privacy

To help you gauge your organization’s level of GDPR compliance, we’ve created this interactive checklist. Check out the steps below to verify you’re fully compliant, or identify and remedy any gaps. 

*This checklist is intended as guidance only and is not a substitute for legal advice. Always consult with a lawyer to ensure your organization is fully compliant with GDPR. 

Get 100% confidence in your GDPR compliance with Secureframe

We make the GDPR compliance process simple and straightforward. Get a library of policies vetted by GDPR experts, proprietary GDPR training for employees, and access to in-house compliance experts that will keep you up-to-date on the latest GDPR regulations. You’ll get assurance of full GDPR compliance so you can focus on serving your customers and growing your business.

Learn more about our GDPR compliance offering, or schedule a demo to see our compliance automation platform in action.