The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. This legislation aims to provide a single body of legislation regarding data privacy laws, enforcing the protection and rights of individuals.
Any organization dealing with the personal data of European data subjects is bound by the rules of GDPR, and is required to implement steps and technology solutions to ensure such data is properly handled and secured, including preventing data loss and reporting relevant data breaches to the appropriate authorities.
In this page:
What is GDPR compliance?
GDPR is legislation implemented across the European Union, with the goal to protect the personal data of EU data subjects. As such, it applies to any company doing business with an EU organization or individual. Organisations deemed to be non-compliant face sanctions which can include stiff fines, which, in a worst case scenario, can amount to 4% of the company’s annual revenue or €20 million — whichever is greater.
These regulations affect any company that processes or stores information about EU citizens within the EU states. Companies whose operations require them to manage the personal data of EU citizens must comply with the GDPR regardless of having a business presence within the EU or not.
GDPR’s main objectives are:
- Determine personal data privacy as a basic human right—a person should have the right to access, erase, correct or transfer their personal data.
- Enforce baseline requirements—this is to ensure that personal data is protected.
- Standardize the application of protection rules—applies universally across the EU and facilitates the legitimate flow of private data.
GDPR protects the following privacy data:
- Personal identity information—name, address, ID numbers
- Web data—location, IP address, cookie data.
- Health—including health summaries and diagnoses
- Biometric data—fingerprints, DNA, and gait or voice data
- Private communications
- Photos and videos
- Cultural, economic or social data
The GDPR came into place because of growing public concerns about privacy. Europe, in general, is more stringent about how companies use the personal data of its citizens. The first regulation applied there was the Data Protection Directive of 1995.
With the Internet becoming an online business hub, the directive was no longer sufficient to address the many ways in which data is stored, collected and transferred today. According to the RSA Data Privacy & Security Report, 80 percent of customers said that losing banking and financial data is a top concern for them while 76% of the respondents cited security information and identity information loss as a concern.
Learn more about GDPR compliance in this Channel 4 report: GDPR: Everything you need to know.
To start adhering to GDPR compliance legislation, let’s begin with an overview of the law’s requirements. These consist of a few key terms:
- Data Controller—the entity or individual that determines the purposes and means of processing personal data, for example, a company that collects personal data from employees or an internet service provider (ISP) requiring user payments.
- Data Processor—the entity or individual processing data for the data controller, such as a payroll company.
- Data Subject—the person whose data is processed by a data controller or a data processor, such as an employee of an organization.
- Personal Data—any identifying information about a specific individual, even indirectly.
Among the 99 articles of the legislation, some of the articles that regulate the processing and storage of personal data include:
- Article 5—fundamental principles about the processing of personal data.
- Article 6—lawful bases of personal data processing.
- Articles 12-22—the rights of the data subject, including access, data portability and the right to be forgotten.
- Article 25—the data controller must implement measures that ensure that personal data cannot be connected to a data subject and only the minimum necessary personal data required for a given purpose can be processed.
- Article 32—data controllers and processors need to implement measures that allow the encryption of personal data, maintain continuous confidentiality, integrity, and resilience of processing systems and services. This includes providing availability following the recovery of a security incident. They need to also conduct tests to evaluate the response of organizational and technical measures
- Article 33—mandatory notification of a personal data breach to the supervising authority within 72 hrs of becoming aware of a personal data breach.
- Article 35—data controllers must conduct a Data Protection Impact Assessment (DPIA) when a new process is proposed. This assessment needs to include a description of the processing operation, its purpose and the necessity of the personal data, and the risks and how to mitigate them.
Considerations for GDPR compliance
To reach GDPR compliance, there are several considerations to take.
Assess the personal data you hold
The first step to meeting GDPR compliance is assessing the personal data your organization manages. Your evaluation should include the following questions:
- If personal data is sensitive or not
- The origin, usage and storage of the data
- The way the data is transported and modified
- How the data is secured
- How is the data is erased
It’s important to consider is the journey the data makes through your organization. To secure data, you must conduct regular risk assessments and map the data, with input from across the organization, to include data shared by groups or verticals. Non-typical sources of personal data to be considered include, front desk sign-in sheets, biometric data and closed-circuit footage.
To be compliant, an organization needs to complete this risk assessment every time there is a change to the data, with annual reviews.
Assess the technology you use and address technological issues
Start by reviewing the technologies, including hardware, software, and networks used to obtain, manipulate, process and transport personal data so you can visualize your data’s journey.
There are several technological challenges you should address, such as:
- Enabling 2-factor or multi-factor authentication
- Enabling end-to-end encryption and strong password encryption
- Have a system for access controls, capturing and tracking user activities
- Conduct regular vulnerability scans and penetration testing of the network, web applications and services
To maintain compliance, the organization can complete this assessment every time there is a change to the organization’s technology, with annual reviews.
Document data-related business processes
Your organization needs documented business processes related to the manipulation of personal data. These processes need to be tested regularly to ensure they are optimized and in-line with GDPR compliance.
Some of these data-related business processes include:
- Incident response plan (IRP)
- Business continuity and disaster recovery (BCDR) plan
- Data privacy addendum (DPA)
It is especially important to test the incident response plan regularly to be prepared in the event of a data breach. This will position your organization to respond quickly and minimize data loss as much as possible, which is a critical business process when handling confidential and sensitive data. An organization must complete testing and documentation updates when a process change occurs to maintain compliance.
Appoint a data protection officer
The GDPR requires some organizations to appoint a data protection officer (DPO). There is an option to use a consultant DPO, as the GDPR allows DPOs to work for several organizations. Further information on whether an organisation requires a DPO is available here.
Create and maintain a data protection plan
Although most organizations have such a plan, they need to review and update it to ensure GDPR compliance. The protection includes mobile devices, as most employees install personal apps on smartphones and tablets, especially if the company has a bring your own device (BYOD) policy. Review and update the policy periodically.
Educate and train your employees
The GDPR requires employees to complete a privacy awareness training, which includes reviewing the regulation and understanding the impacts on their day-to-day job. Training should be consistent and periodic to create a lasting security mindset in your employees.
The General Data Protection Regulation has expanded the protection of personal data. However, there is still room for improvement, some of which will be addressed by the added transparency for use of big data with upcoming ePrivacy Regulation.
The information provided in this article is a high-level view to help you gain a better understanding of the GDPR and we recommend you take a look at the official resources used for this guide to learn more. Clarifications to the GDPR are ongoing, so please ensure you contact a qualified legal representative to get the most recent advice. The European Data Protection Board (EDPB) website contains up to date guidelines for individuals, controllers and processors.