What is GDPR Compliance? Understanding the Essentials of GDPR
The General Data Protection Regulation (GDPR) is widely considered the most significant data privacy law in recent history, with major implications for how companies can handle European Union (EU) consumers’ personal data.
Knowing whether you need to be compliant with GDPR’s privacy regulations is fairly straightforward. If you serve EU customers, it most likely applies to you. But knowing exactly what you need to do to be compliant is another story.
If you’re looking for guidance on how to comply with GDPR, we’ve got you covered. This article breaks down key concepts and explains what’s required under GDPR.
The General Data Protection Regulation (commonly known as GDPR) is a law passed by the European Union to establish data privacy and security. While it is EU legislation, GDPR applies to any organization that collects and processes personal data from EU citizens or residents.
GDPR is known for punishing data privacy violations with steep fines, with some penalties in the hundreds of millions of euros.
The GDPR legal document is over 85 pages long and includes 99 articles and 173 recitals. It defines several key points of focus for data privacy:
Personal data: Any information that relates to an individual who can be identified, either directly or indirectly. Examples include names, email addresses, location data, ethnicity, gender, IP addresses, political or religious affiliation, and biometric data.
Data processing: Any automated or manual action performed on personal data. Examples are collecting, storing, using, transferring, or erasing data.
Data subjects: The individuals whose data is being processed, such as customers, subscribers, users, and site visitors.
Data controllers: The individual, organization, or entity that decides how and why personal data will be processed. Employees who manage or handle data are one example.
Data processors: Any third party that processes personal data on behalf of a data controller, like cloud service providers and email service providers.
To be compliant with GDPR, organizations must follow certain requirements for the processing of personal data. Below, we summarize some key requirements for GDPR compliance.
Under Article 6 of GDPR, organizations must have a valid legal basis for collecting and processing personal data. These include:
If you meet one of the above requirements, you have a lawful basis for data processing. You’ll need to document this basis and notify data subjects.
If you need to change your legal justification, you’ll need a sufficient, well-documented reason, and you’ll need to notify your data subjects.
You must explain how you process data in “a concise, transparent, intelligible, and easily accessible form.” Many organizations do this through a clearly-written privacy notice.
If your legal justification for processing personal data is that you have that data subject’s consent, then you must have obtained that consent in a way that is “clear, specific, informed, and unambiguous.”
GDPR provides a few conditions that must be met for consent to be valid.
Data subjects have certain rights under the GDPR. These include:
Organizations must implement “appropriate technical and organizational measures” to ensure customer data is handled securely.
GDPR doesn’t specify exactly which security measures companies need to take. However, it does require the organization to assess the inherent risks in processing EU personal data and to implement security measures proportionate to those risks, taking into account the confidentiality, integrity, and availability of its processing systems and processes.
Each organization must establish a set of security controls that are most appropriate for its unique systems and processes. This can include measures like enabling multi-factor authentication, using end-to-end data encryption, implementing firewalls, establishing user access controls, and completing periodic security awareness training for staff.
Similar to HIPAA’s breach notification rule, GDPR requires that you notify affected data subjects within 72 hours of a data breach. If you can’t deliver a notification within 72 hours, you’ll need to have adequate justification for the delay.
Under GDPR, breach notifications must:
Organizations are required to appoint a data protection officer (DPO) if:
Data protection officers are responsible for overseeing the organization’s data protection strategy. This typically involves making sure employees are trained on GDPR requirements, completing regular compliance audits, and maintaining documentation and records of compliance.
Data protection officers also act as the main point of contact for both supervisory authorities and data subjects. If a data subject inquires about how their data is being processed or submits a request for erasure, the data protection officer must respond within one calendar month.
Article 25 of the GDPR states that organizations must consider data privacy and protection when designing any new products or services. At every stage of development, companies need to think about what personal data they absolutely need to collect from customers or users and how they will keep that data safe.
Whenever a data subject consents to data collection or processing, they are taking on a certain level of risk. Their data might be stolen or leaked and used for fraudulent purposes. A Data Protection Impact Assessment (DPIA) explains how your organization identifies and minimizes those risks.
DPIAs help improve organizational awareness around data protection risks so that you can fully design with privacy in mind. And they can help you clearly communicate with customers and users the exact steps you’re taking to secure their personal data.
GDPR includes strict conditions for transferring personal data outside of the EU or European Economic Area (EEA). In cases where personal data is transferred outside of the EU or EEA, GDPR requires the relevant organizations (i.e., data importer and data exporter organizations) to adopt appropriate data protection safeguards that include technical and organizational measures.
Data transfers are allowed in the following cases:
Because GDPR legislation is fairly complex, training is required to help employees handle personal data securely. While the law doesn’t specify exact training requirements, the GDPR training you choose should cover what the law is and where it applies, the core principles of data protection, data subject rights, responsibilities of data controllers and data processors, and how to respond to a cybersecurity incident or data breach.
Training should be completed regularly — at least on an annual basis — for both new and existing employees involved in handling personal data.
GDPR defines a clear difference between a data controller and a data processor, and not all organizations involved in data processing have the same responsibilities. Compliance requirements differ depending on whether your organization is a controller, a processor, or both.
It’s important to speak to your legal team or outside counsel to know where your organization falls. Claiming ignorance isn’t an option — you’re responsible for ensuring you comply with GDPR and can prove that compliance to supervisory authorities.
Let’s clarify with an example. A US-based SaaS company sells software to EU-based companies and collects personal data from those companies, including names and emails, as part of its login process. The EU company is the presumptive data controller and the US company is the presumptive data processor.
Data controllers have greater responsibilities for GDPR compliance, but data processors are still required to ensure that any data that’s processed is done so in accordance with GDPR.
Note that it is possible to be both a data controller and a data processor. To know for sure, it’s important to speak to your legal team or outside counsel.
Secureframe makes it easy to get and stay compliant with data privacy laws including GDPR and the California Consumer Privacy Act (CCPA). With our security and compliance automation platform, you’ll stay current with the latest GDPR requirements, get notified of any gaps in your compliance, and get hands-on guidance from experienced security experts. You’ll always know if you’re GDPR compliant.
To learn more, schedule a demo with one of our product experts.