The Main GDPR Requirements in Plain English

In an era where data breaches and privacy concerns are increasingly common, understanding and adhering to the General Data Protection Regulation (GDPR) is both a legal necessity and an important component of trust and integrity. 

The GDPR, a comprehensive data protection law, applies to every organization that processes the personal data of individuals within the European Union (EU). This article explains who needs to be GDPR compliant, provides a summary of crucial GDPR articles defining privacy requirements, and lists additional key elements of GDPR compliance.

Related content: This is part of an extensive series of guides about GDPR compliance.

Who Needs to be GDPR Compliant? 

Every organization that handles personal data of individuals within the EU must be GDPR compliant, regardless of whether they are based in the EU or not. This includes both data ‘controllers’ who determine the purposes and means of processing personal data and ‘processors’ who process data on behalf of the controller.

Even if an organization is not based in the EU, they still need to be GDPR compliant if they offer goods or services to, or monitor the behavior of, EU data subjects. This extends the reach of the GDPR globally and underscores the importance of understanding and complying with these requirements.

Summary of GDPR Articles Defining Privacy Requirements 

The GDPR defines a range of privacy requirements in Chapter 3 of the legislation. Here is a quick summary of the key requirements in each of the main articles.

Article 12: Transparency and Communication

This article mandates organizations to provide information about the processing of personal data in a concise, transparent, understandable, and easily accessible form:

  • It requires clear communication with data subjects about how their data is being processed, including providing information about their rights under the GDPR.
  • Organizations must facilitate the exercise of the data subject’s rights (e.g., access, rectification, deletion).
  • Information must be provided in writing or by other means, including electronically; if the data subject requests it, it may also be provided orally, provided their identity has been verified.

Articles 13 & 14: When Collecting Personal Data

These articles require organizations to provide data subjects with specific information when personal data is collected from them (Article 13) or from other sources (Article 14):

  • Information such as the identity and contact details of the data controller, the purposes of processing, the legal basis for processing, and recipients of the data must be provided.
  • Organizations must inform data subjects about their rights, the data retention period, and the right to file a complaint with a supervisory authority.
  • If the data will be used for automated decision-making, including profiling, this must also be disclosed.

Article 15: Right of Access

This article gives data subjects the right to access their personal data and obtain a copy of it:

  • It allows data subjects to verify the lawfulness of processing.
  • The organization must provide additional information such as the purposes of processing, categories of personal data concerned, and recipients or categories of recipients.

Article 16: Right to Rectification

This article gives data subjects the right to have inaccurate personal data concerning them corrected without undue delay, and to have incomplete data completed (including by means of a supplementary statement). It complements the accuracy principle in Article 5(1)(d), which already obliges organizations to take every reasonable step to erase or rectify inaccurate personal data without delay.

Article 17: Right to Erasure

Also known as the ‘right to be forgotten’, it allows data subjects to request the deletion of personal data concerning them without undue delay. Organizations must comply if the data is no longer necessary for the purpose it was collected for, consent is withdrawn, the subject objects to processing and no overriding grounds exist, or processing was unlawful. The right is not absolute: Article 17(3) lists exceptions, for example where processing is required to comply with a legal obligation or to establish, exercise or defend legal claims.

Article 18: Right to Restrict Processing

Data subjects can request the restriction of processing of their personal data in certain circumstances, such as when the accuracy of the data is contested or the processing is unlawful but the subject prefers restriction to erasure. While the restriction applies, organizations may store the data but may not otherwise process it, except with the data subject’s consent, for legal claims, to protect the rights of another person, or for reasons of important public interest.

Article 20: Data Portability

This article gives data subjects the right to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and to transmit it to another controller. It also allows them to request direct transfer from one controller to another where technically feasible. The right applies only where the processing is carried out by automated means and is based on consent or on a contract.

Article 21: Right to Object

Data subjects have the right to object at any time to processing based on legitimate interests or on a public task, including profiling based on those grounds. Organizations must then cease processing unless they can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or grounds for legal claims. Where the objection concerns direct marketing (including related profiling), it is absolute: processing for that purpose must stop, with no balancing test.

Additional GDPR Compliance Requirements 

Here are additional requirements defined by the GDPR:

Lawful Bases for Processing

Under GDPR, organizations must have a lawful basis for processing personal data. There are six lawful bases outlined in the regulation: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Each lawful basis has its own set of requirements and conditions that must be met. For instance, if an organization is relying on consent as their lawful basis for processing, they must ensure that this consent is freely given, specific, informed, and unambiguous.

Conditions for Consent

Consent is one of the most commonly used lawful bases for processing personal data under GDPR. However, obtaining valid consent under GDPR is not as straightforward as it might seem. The regulation sets out strict conditions for consent, requiring it to be freely given, specific, informed, and unambiguous. In addition, organizations must be able to demonstrate that they have obtained valid consent, and individuals must be able to withdraw their consent at any time.

Controller and Processor Obligations

GDPR distinguishes between data controllers and data processors, and assigns different obligations to each. In simple terms, a data controller is an organization that determines the purposes and means of processing personal data, while a data processor is an organization that processes personal data on behalf of a controller.

Data controllers have a number of obligations under GDPR, including ensuring that their data processing activities comply with the regulation, maintaining a record of their processing activities, and implementing appropriate security measures to protect personal data. Data processors, on the other hand, are required to only process personal data in accordance with the controller’s instructions, and must also implement appropriate security measures.

Data Protection Officer (DPO)

GDPR requires the appointment of a Data Protection Officer (DPO) in three cases set out in Article 37: the processing is carried out by a public authority or body; the organization’s core activities involve regular and systematic monitoring of data subjects on a large scale; or its core activities involve large-scale processing of special categories of data or data relating to criminal convictions and offences. Organizations outside these cases may appoint a DPO voluntarily, and this is widely recommended for those processing large volumes of data or handling sensitive data.

The DPO does not take over the organization’s legal responsibility for compliance; that stays with the controller or processor. The DPO’s tasks (Article 39) are to inform and advise the organization and its staff on their GDPR obligations, to monitor compliance (including awareness-raising, training and audits), to advise on data protection impact assessments and monitor their performance, and to act as the contact point for, and cooperate with, supervisory authorities. The DPO must also be reachable by data subjects on matters relating to the processing of their data. Articles 38 requires that the DPO be involved in all data protection issues in a timely manner, be given the resources to do the job, and act independently without being penalized for performing the tasks.

Cross-Border Data Transfer

The GDPR sets stringent rules for transferring personal data outside the European Economic Area (EEA). These rules ensure that the protection offered by the GDPR is not undermined when data is transferred internationally.

Under the GDPR, cross-border data transfers are only allowed under certain conditions. One such condition is the presence of an adequacy decision (Article 45): the European Commission has recognized the non-EEA country, territory or international organization as providing an adequate level of data protection. Absent an adequacy decision, a transfer may rely on appropriate safeguards under Article 46, such as standard contractual clauses adopted by the Commission or approved binding corporate rules, provided enforceable rights and effective remedies are available to data subjects. Only where neither applies may one of the narrow derogations in Article 49 (for example explicit consent for a specific transfer) be used.

Supervisory Authorities

Each EU member state is required to establish an independent supervisory authority (SA) to hear and investigate complaints, sanction administrative offenses, and perform audits.

Supervisory authorities play a key role in enforcing the GDPR. They are bestowed with the power to impose hefty fines for non-compliance and also have the power to ban data processing activities if found to be violating the GDPR.

Furthermore, the GDPR mandates that organizations cooperate with the supervisory authorities. This includes consulting the SA before carrying out processing where a data protection impact assessment indicates a high risk that the organization cannot mitigate (Article 36), and notifying the SA of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay (Article 34).

Cooperation and Consistency

The consistency mechanism in Chapter VII is an obligation on the supervisory authorities, not on organizations: it is designed to ensure that the GDPR is applied uniformly across all EU member states, with the European Data Protection Board issuing opinions and binding decisions where authorities disagree.

The cooperation requirement likewise applies between supervisory authorities. They must share information, provide mutual assistance and, where appropriate, conduct joint operations so that a controller or processor operating in several member states faces a single, harmonized approach to data protection rather than conflicting national ones.

For cross-border processing, the GDPR introduces the concept of a lead supervisory authority (LSA). This is the authority in the member state where the controller or processor has its main establishment. The LSA acts as the organization’s sole interlocutor (the ‘one-stop shop’), leads investigations and coordinates with the other concerned authorities to reach a consistent decision.

Remedies, Liability and Penalties

The GDPR provides data subjects with the right to legal remedies against data controllers and processors. This includes the right to lodge a complaint with a supervisory authority and to seek judicial remedies.

In terms of liability, both the data controller and processor can be held liable for damages caused by non-compliant processing. This extends to any non-compliance, not just data breaches.

The GDPR also introduces severe administrative fines for non-compliance, in two tiers (Article 83). Infringements of obligations such as those of controllers and processors, certification bodies or monitoring bodies can attract fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. Infringements of the basic principles for processing (including conditions for consent), data subjects’ rights, the rules on international transfers, or orders of a supervisory authority can attract fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. These penalties are designed to ensure that organizations take data protection seriously and comply with the GDPR requirements.

Related content: Read our guide to GDPR compliance checklist.

Adhering to GDPR Security Controls with Exabeam

Exabeam helps organizations meet both technological and operational requirements including:

  • External Threat Reduction: Exabeam works alongside existing security solutions, using machine learning and behavioral analytics to identify unusual activity that may be indicative of an adversary hacker’s attempt to find and access data.
  • Internal Threat Reduction: Exabeam works alongside identity and access management solutions to prevent security incidents resulting from the accidental or malicious abuse of allocated permissions. By flagging activity that falls outside the norm for a given user, Exabeam helps to detect potential incidents that could lead to data theft. Ideal log sources mapped to use cases and the MITRE ATT&CK framework show which tools in the security arsenal can combine to show the clearest picture of events.

  • Oversight and Timely Notification: In addition to acting as a central point of intelligence in the customer’s security ecosystem, Exabeam provides forensic information about the full extent of the incident, including accurate compliance reporting.