What is GDPR Compliance? Understanding the Essentials of GDPR

Email, workplace productivity apps, messaging, file-sharing services, social media, banking and healthcare apps — more and more people are entrusting their private and sensitive data to cloud services. At the same time, data breaches and security incidents are becoming more frequent and more sophisticated. 

Many security compliance frameworks are focused on data protection, keeping data safe from hackers and breaches. But the General Data Protection Regulation (GDPR) is just as concerned about data privacy. Its objectives are to keep data safe while giving people more power over who can process their personal data and why. 

The GDPR is landmark legislation with far-reaching impact. It‘s already inspired similar data privacy laws around the world, most notably the California Consumer Privacy Act (CCPA). With so much of a focus being placed on both data protection measures and data privacy, organizations all over the world must stay aware of these regulations so they can stay compliant and avoid significant fines.

This article covers the basics of GDPR requirements and compliance to help you understand the essentials of the law and how it applies to your business and customers.

The General Data Protection Regulation (commonly known as the GDPR) is a law passed by the European Union to establish data privacy and security laws. Although it was drafted and passed by the EU, it applies to any organization that targets or collects data from EU citizens or residents. GDPR is known for cracking down on violations by implementing steep fines, with penalties in the tens of millions of euros. 

What is the purpose of GDPR?

Although the GDPR was passed just a few years ago, its roots stretch back to the 1950s. The European Convention on Human Rights of 1950 states that everyone has a fundamental right to privacy. 

As the internet became more prominent, the EU began to recognize the need for more modern protections. It passed the European Data Protection Directive in 1995, which established some baseline data privacy and information security standards. Each EU member state implemented its own law based on those guidelines.

Then in the late 2000s and early 2010s, the EU recognized the need for a more comprehensive solution and began considering ways to update the 1995 directive. 

The GDPR was passed by European Parliament in 2016 and went into effect on May 25, 2018. 

While the GDPR is EU law, it applies to any organization that processes the personal data of EU citizens or residents, or offers goods and/or services to EU citizens or residents. 

What’s considered personal data under GDPR?

Because GDPR only applies to personal data, it’s important to understand exactly what information qualifies. 

According to Article 4, “personal data” is defined as any information that can be used to identify a natural person, such as a name, location, online identifier, etc. That’s a broad definition, so we’ll share some examples. 

What IS considered personal data: 

• Names
• Dates of birth 
• Physical addresses
• Phone numbers
• Email addresses
• IP addresses and cookie identifiers
• Radio frequency identification (RFID) tags
• Identification numbers, such as driver's license or passport numbers
• Location data, such as GPS
• Video/audio recordings and photographs
• Bank account numbers
• Card payment data 
• Criminal records
• Medical records and insurance data
• Religious or political affiliations
• Ethnic data
• Genetic and biometric data
• Union memberships
• Current or previous employer data

What is NOT considered personal data: 

• Data related to the deceased 
• Inaccurate data that can’t be identified to an individual
• Information about legal entities

GDPR requirements: How to comply with the law

The GDPR document itself is over 85 pages long and includes 99 articles and 173 recitals. The document defines a few key areas of focus in its regulations: 

Personal data: Any information that relates to an individual who can be identified (either directly or indirectly). Examples: names, email addresses, location, ethnicity, gender, web cookies, political opinions or religious information, and even biometric data. 

Data processing: Any automated or manual action performed on data. Examples: Collecting, storing, using, erasing, or structuring data. 

Data subjects: The person whose data is being processed. Example: Customers, subscribers, site visitors. 

Data controllers: The individual that decides how and why personal data will be processed. Example: Organization employees who manage or handle data. 

Data processors: Any third party that processes personal data on behalf of a data controller. Examples: Cloud service providers, email service providers. 

Under GDPR, organizations must satisfy certain requirements for processing personal data. Below, we summarize the key requirements for GDPR compliance.

Establish a legal basis for data processing

Under Article 6, companies are allowed to process personal data under these circumstances. If you meet one of the below requirements, you have a lawful basis for data processing:  

• A data subject gave clear, unambiguous consent to process their data. Consent must be freely given, fully informed, and specific.
  
  When you request consent, that request must be clearly distinguishable and presented in clear language. In other words, you can’t bury it in a lengthy Terms of Service or use misleading language.
  
  Data subjects are free to rescind their consent whenever they want, and children under 13 can only give consent with a parent’s express permission. You also need to document consent as evidence.
• Data processing is necessary to fulfill contractual obligations.  
• You need to comply with a legal obligation.
• Processing the data will save somebody’s life.
• Processing data that is of public interest.
• You have a legitimate interest for processing the data. Note that the data subject’s fundamental right to privacy overrides your interests. 

You’ll need to document this basis and notify the data subject. 

Defining your legal basis is a critical step in the GDPR compliance process, since changing your legal basis is both difficult and discouraged by GDPR. If you need to change your legal justification for data processing, you’ll need a sufficient, well-documented reason and you’ll need to notify your data subjects. You also can’t usually change your legal basis from consent to a different basis.

Obtain explicit consent from data subjects

To be GDPR compliant, you must explain how you process data in “a concise, transparent, intelligible, and easily accessible form.” Many organizations do this through a clearly-written privacy notice. 

If your legal justification for processing personal data is that you have that data subject’s consent, then you must have obtained that consent in a way that is “clear, specific, informed, and unambiguous.” 

Let’s dig into this a little deeper, since the GDPR provides a few conditions for what qualifies as consent. 

• Consent must be freely given, specific, and unambiguous. This means the data subject can’t be coerced into giving consent.
  
  You also can’t lump a bunch of consent requests together and only have one “I agree“ checkbox that consents to all of them — you have to explain each use case for data processing and give data subjects the opportunity to consent (or not) to each one.
  
  Lastly, consent should be clear and unambiguous. For example, you can’t present a page with pre-checked consent boxes or consider inaction to be consent.
• Data subjects must be informed about who and what they’re consenting to. They should know who you are, how you will process their data, for what purpose, and that they have the right to revoke consent at any time. 
• The data controller must be able to prove that the data subject has consented. 
• If the data subject gives consent in a written document that contains other information, the request for consent must be separate from the other information and presented in clear language. 
• Data subjects can revoke consent at any time, and you have to make it easy for them to do so. You also have to inform data subjects of their right to revoke. 

Implement technical and organizational safeguards

To be GDPR compliant, organizations must implement “appropriate technical and organizational measures” to ensure customer data is handled securely. What does this mean exactly? 

While the GDPR doesn’t specify measures companies need to take, flexible requirements allow each organization to establish a set of security controls that best suit its unique needs. This can include things like enabling multi-factor authentication, using end-to-end data encryption and firewalls, creating a data privacy policy, establishing access controls, and conducting annual security awareness training. 

Article 25 of the GDPR states that organizations must also consider data protection when designing any new products or services. At every stage of development, companies need to think about what personal data they absolutely need to collect from customers or users and how they will keep that data safe. 

Send breach notifications

Similar to other privacy legislation like HIPAA, GDPR includes a breach notification rule. In the event of a data breach, the GDPR requires that you notify affected data subjects within 72 hours. If you can’t deliver a notification within 72 hours, you’ll need to have adequate justification. 

Breach notifications must: 

• Describe the nature of the data breach, including the number of people and data records affected
• Explain the likely consequences of the personal data breach
• Share the steps taken by the controller to address the breach
• List the name and contact details of the data protection officer where data subjects can request more information

Appoint a data protection officer (if applicable)

Organizations are required to appoint a data protection officer (DPO) if: 

• It acts as a public authority (other than a court acting in a judicial capacity)
• Its core activities require it to monitor people on a large scale
• Its core activities involve processing special categories of data, or data relating to criminal convictions and offenses

Data protection officers are responsible for overseeing the organization’s data protection strategy and its implementation. This means they are in charge of ensuring employees are trained on GDPR requirements, completing regular compliance audits, and maintaining records.

Data protection officers also act as the main point of contact for both supervisory authorities and data subjects. If a data subject inquires about how their data is being processed or submits a request for erasure, the data protection officer must respond. 

Honor data subject rights

Data subjects have certain rights under the GDPR. These include:

• The right to be informed: Organizations must clearly explain how they process personal data and for what purpose. They must also make it easy for people to opt-out and/or request their data be erased and respond to those requests in a timely manner. When collecting data from a data subject, they must also explain how and why, even if data is being transferred to a third party. 
• The right of access: Anyone whose personal data is collected has the right to know what that data includes, where and how it’s being collected, why it’s being processed, and how long it will be retained. 
• The right of rectification: Data subjects have the right to correct any inaccurate or incomplete personal data that’s being processed. 
• The right to erasure: Data subjects can request that you delete any of their personal information you are processing (with a few exceptions), and you have to make it easy for them to make erasure requests. 
• The right to restrict processing: In addition to requesting you erase their information, data subjects can request that you change how you process it if they have reason to believe the data is inaccurate, being used illegally, or no longer needed for the stated purpose. 
• The right to data portability: GDPR requires that you store personal data in a way that can be easily shared with others in the event a data subject requests it. 
• The right to object: Data subjects can object to your processing their personal data. You must honor that objection unless you can prove that you have a legitimate basis for processing it. 

GDPR violations and fines: Penalties for non-compliance

The GDPR is well-known for its costly violation penalties. Amazon was famously fined $880+ million in 2021 for tracking user data without appropriate consent, and Google has paid several violation penalties amounting to upwards of $200 million. 

There are two tiers of penalties, depending on the severity of the violation. Less severe violations can result in fines of up to 10 million euros, or 2% of the company’s global annual revenue from the previous financial year, whichever is higher. 

The second tier of penalties are for violating the core principles of GDPR, including the right to consent, data subjects rights, and the principles of data processing. These violations can result in fines of up to 20 million euros, or 4% of the company’s global annual revenue from the previous financial year, whichever is higher. Plus, those affected by the breach have the right to seek compensation for damages. 

Proving GDPR compliance

Under the GDPR, data controllers must be able to demonstrate compliance. Believing you are compliant isn’t enough — if you can’t prove compliance, then you aren’t actually compliant.

So how do you prove it? There are a few ways: 

• Have a designated data protection officer on your team who is responsible for documenting how you’re processing data and staying compliant. This should include the type of data you’re collecting, how you’re collecting and storing it, and how you’re using it. 
• Train your staff on data security awareness and best practices and keep records, such as training completion certificates. 
• Implement a data processing agreement with any third parties that do data collection or processing for you. 

Simplify security compliance with Secureframe

Whether your organization needs to comply with legislation like GDPR, needs to get a SOC 2 report to satisfy customer demands, or just wants to build a more mature cybersecurity program, Secureframe can help.

Our platform makes it easier to achieve and maintain compliance with multiple frameworks by automatically collecting evidence, monitoring your tech stack for nonconformities, fetching vendor security data, and more. Learn more about our solution by requesting a demo today.