
Email, workplace productivity apps, messaging, file-sharing services, social media, banking and healthcare apps — more and more people are entrusting their private and sensitive data to cloud services. At the same time, data breaches and security incidents are becoming more frequent and more sophisticated.
Many security compliance frameworks are focused on data protection, keeping data safe from hackers and breaches. But the General Data Protection Regulation (GDPR) is just as concerned about data privacy. Its objectives are to keep data safe while giving people more power over who can process their personal data and why.
The GDPR is landmark legislation with far-reaching impact. It's already inspired similar data privacy laws around the world, most notably the California Consumer Privacy Act (CCPA). With so much focus on both data protection measures and data privacy, organizations all over the world must stay aware of these regulations so they can remain compliant and avoid significant fines.
This article covers the basics of GDPR requirements and compliance to help you understand the essentials of the law and how it applies to your business and customers.
The General Data Protection Regulation (commonly known as the GDPR) is a law passed by the European Union to establish data privacy and security requirements. Although it was drafted and passed by the EU, it applies to any organization that targets or collects data from EU citizens or residents. GDPR is known for cracking down on violations with steep fines, with penalties reaching into the tens of millions of euros.
Although the GDPR was passed just a few years ago, its roots stretch back to the 1950s. The European Convention on Human Rights of 1950 states that everyone has a fundamental right to privacy.
As the internet became more prominent, the EU began to recognize the need for more modern protections. It passed the European Data Protection Directive in 1995, which established some baseline data privacy and information security standards. Each EU member state implemented its own law based on those guidelines.
Then in the late 2000s and early 2010s, the EU recognized the need for a more comprehensive solution and began considering ways to update the 1995 directive.
The GDPR was passed by European Parliament in 2016 and went into effect on May 25, 2018.
While the GDPR is EU law, it applies to any organization that processes the personal data of EU citizens or residents, or offers goods and/or services to EU citizens or residents.
Because GDPR only applies to personal data, it’s important to understand exactly what information qualifies.
According to Article 4, “personal data” is defined as any information that can be used to identify a natural person, such as a name, location, online identifier, etc. That’s a broad definition, so we’ll share some examples.
What IS considered personal data:
What is NOT considered personal data:
The GDPR document itself is over 85 pages long and includes 99 articles and 173 recitals. The document defines a few key areas of focus in its regulations:
Personal data: Any information that relates to an individual who can be identified (either directly or indirectly). Examples: names, email addresses, location, ethnicity, gender, web cookies, political opinions or religious information, and even biometric data.
Data processing: Any automated or manual action performed on data. Examples: Collecting, storing, using, erasing, or structuring data.
Data subjects: The person whose data is being processed. Example: Customers, subscribers, site visitors.
Data controllers: The individual that decides how and why personal data will be processed. Example: Organization employees who manage or handle data.
Data processors: Any third party that processes personal data on behalf of a data controller. Examples: Cloud service providers, email service providers.
Under GDPR, organizations must satisfy certain requirements for processing personal data. Below, we summarize the key requirements for GDPR compliance.
Under Article 6, companies are allowed to process personal data under these circumstances. If you meet one of the below requirements, you have a lawful basis for data processing:
You’ll need to document this basis and notify the data subject.
Defining your legal basis is a critical step in the GDPR compliance process, since changing your legal basis is both difficult and discouraged by GDPR. If you need to change your legal justification for data processing, you’ll need a sufficient, well-documented reason and you’ll need to notify your data subjects. You also can’t usually change your legal basis from consent to a different basis.
To be GDPR compliant, you must explain how you process data in “a concise, transparent, intelligible, and easily accessible form.” Many organizations do this through a clearly-written privacy notice.
If your legal justification for processing personal data is that you have that data subject’s consent, then you must have obtained that consent in a way that is “clear, specific, informed, and unambiguous.”
Let’s dig into this a little deeper, since the GDPR provides a few conditions for what qualifies as consent.
To be GDPR compliant, organizations must implement “appropriate technical and organizational measures” to ensure customer data is handled securely. What does this mean exactly?
While the GDPR doesn’t specify which measures companies must take, its flexible requirements let each organization establish the set of security controls that best suits its unique needs. This can include things like enabling multi-factor authentication, using end-to-end data encryption and firewalls, creating a data privacy policy, establishing access controls, and conducting annual security awareness training.
Article 25 of the GDPR states that organizations must also consider data protection when designing any new products or services. At every stage of development, companies need to think about what personal data they absolutely need to collect from customers or users and how they will keep that data safe.
Similar to other privacy legislation like HIPAA, GDPR includes a breach notification rule. In the event of a data breach, the GDPR requires that you notify affected data subjects within 72 hours. If you can’t deliver a notification within 72 hours, you’ll need to have adequate justification.
Breach notifications must:
Organizations are required to appoint a data protection officer (DPO) if:
Data protection officers are responsible for overseeing the organization’s data protection strategy and its implementation. This means they are in charge of ensuring employees are trained on GDPR requirements, completing regular compliance audits, and maintaining records.
Data protection officers also act as the main point of contact for both supervisory authorities and data subjects. If a data subject inquires about how their data is being processed or submits a request for erasure, the data protection officer must respond.
Data subjects have certain rights under the GDPR. These include:
The GDPR is well-known for its costly violation penalties. Amazon was famously fined $880+ million in 2021 for tracking user data without appropriate consent, and Google has paid several violation penalties amounting to upwards of $200 million.
There are two tiers of penalties, depending on the severity of the violation. Less severe violations can result in fines of up to 10 million euros, or 2% of the company’s global annual revenue from the previous financial year, whichever is higher.
The second tier of penalties is for violating the core principles of GDPR, including the right to consent, data subjects’ rights, and the principles of data processing. These violations can result in fines of up to 20 million euros, or 4% of the company’s global annual revenue from the previous financial year, whichever is higher. In addition, those affected by the breach have the right to seek compensation for damages.
Under the GDPR, data controllers must be able to demonstrate compliance. Believing you are compliant isn’t enough — if you can’t prove compliance, then you aren’t actually compliant.
So how do you prove it? There are a few ways:
Whether your organization needs to comply with legislation like GDPR, needs to get a SOC 2 report to satisfy customer demands, or just wants to build a more mature cybersecurity program, Secureframe can help.
Our platform makes it easier to achieve and maintain compliance with multiple frameworks by automatically collecting evidence, monitoring your tech stack for nonconformities, fetching vendor security data, and more. Learn more about our solution by requesting a demo today.