GDPR Compliance
A Complete Roadmap
GDPR Compliance
A Complete Roadmap
Introduction to GDPR Compliance
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros. With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
Significance of GDPR Compliance
The GDPR establishes a stringent framework established by the European Commission to protect the data privacy and security of European Union (EU) citizens. This framework empowers individuals with increased control over their personal information and imposes constraints on how businesses can utilize and retain such data. Companies utilizing cloud-hosted services that handle personal data of EU citizens fall under the spectrum of GDPR regulations. Even enterprises located outside the EU must be compliant with GDPR rules if they serve EU clientele. Furthermore, GDPR governs the transfer of personal data beyond the EU's borders. Violation of the GDPR guidelines results in heavy penalties, ranging from €10 million to €20 million, or up to 4% of the annual global turnover of the cloud-hosted company. Embracing GDPR compliance positions cloud-hosted enterprises as reputable and proficient. Moreover, it minimizes the likelihood of data breaches by implementing robust systems and protocols for secure data handling.
Scope of GDPR
The European Union’s General Data Protection Regulation is peculiar in the fact that it applies to organizations that may have little to do with the EU. If you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU. For example, you may be a US web development company based in Denver, Colorado, selling websites mainly to Colorado businesses. But if you track and analyze EU visitors to your company’s website, then you may be subject to the provisions of the GDPR.
Key Definitions under GDPR
The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:
- Personal data: Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
- Data processing: Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.
- Data subject: The person whose data is processed. These are your customers or site visitors.
- Data controller: The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
- Data processor: A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers like Tresorit or email service providers like Proton Mail.
Key Regulatory Points of the GDPR
Data protection principles:
If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:
- Lawfulness, fairness and transparency: Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization: You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy: You must keep personal data accurate and up to date.
- Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption).
- Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all these principles.
Accountability
The GDPR says data controllers must be able to demonstrate they are GDPR compliant. And this isn’t something you can do after the fact: If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant. Among the ways you can do this:
- Designate data protection responsibilities to your team.
- Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
- Train your staff and implement technical and organizational security measures.
- Have Data Processing Agreement contracts in place with third parties you contract to process data for you.
- Appoint a Data Protection Officer (though not all organizations need one — more on that in this article).
Data security
You’re required to handle data securely by implementing “appropriate technical and organizational measures.”
Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption. Organizational measures are things like staff trainings, adding a data privacy policy to your employee handbook, or limiting access to personal data to only those employees in your organization who need it.
If you have a data breach, you have 72 hours to tell the data subjects or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)
Data protection by design and by default
From now on, everything you do in your organization must, “by design and by default,” consider data protection. Practically speaking, this means you must consider the data protection principles in the design of any new product or activity. The GDPR covers this principle in Article 25.
Suppose, for example, you’re launching a new app for your company. You have to think about what personal data the app could possibly collect from users, then consider ways to minimize the amount of data and how you will secure it with the latest technology.
When you’re allowed to process data
Article 6 lists the instances in which it’s legal to process personal data. Don’t even think about touching somebody’s personal data — don’t collect it, don’t store it, don’t sell it to advertisers — unless you can justify it with one of the following:
- The data subject gave you specific, unambiguous consent to process the data. (e.g., They’ve opted in to your marketing email list.)
- Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g., You need to do a background check before leasing property to a prospective tenant.)
- You need to process it to comply with a legal obligation of yours. (e.g., You receive an order from the court in your jurisdiction.)
- You need to process the data to save somebody’s life. (e.g., Well, you’ll probably know when this one applies.)
- Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g., You’re a private garbage collection company.)
- You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data. (It’s difficult to give an example here because there are a variety of factors you’ll need to consider for your case. The UK Information Commissioner’s Office provides helpful guidance here.)
Once you’ve determined the lawful basis for your data processing, you need to document this basis and notify the data subject (transparency!). And if you decide later to change your justification, you need to have a good reason, document this reason, and notify the data subject.
Consent
There are strict new rules about what constitutes consent from a data subject to process their information.
- Consent must be “freely given, specific, informed and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from their parent.
- You need to keep documentary evidence of consent.
Data Protection Officers
Contrary to popular belief, not every data controller or processor needs to appoint a Data Protection Officer (DPO). There are three conditions under which you are required to appoint a DPO:
- You are a public authority other than a court acting in a judicial capacity.
- Your core activities require you to monitor people systematically and regularly on a large scale. (e.g., You’re Google.)
- Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10. (e.g., You’re a medical office.)
People’s privacy rights
You are a data controller and/or a data processor. But as a person who uses the Internet, you’re also a data subject. The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. As an organization, it’s important to understand these rights to ensure you are GDPR compliant.
Below is a rundown of data subjects’ privacy rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
GDPR Compliance Checklist
Lawful basis and transparency
- Conduct an information audit to determine what information you process and who has access to it.
- Have a legal justification for your data processing activities.
- Provide clear information about your data processing and legal justification in your privacy policy.
Data Security
- Take data protection into account at all times, from the moment you begin developing a product to each time you process data.
- Encrypt, pseudonymize, or anonymize personal data wherever possible.
- Create an internal security policy for your team members and build awareness about data protection.
- Know when to conduct a data protection impact assessment and have a process in place to carry it out.
- Have a process in place to notify the authorities and your data subjects in the event of a data breach.
Accountability and governance
- Designate someone responsible for ensuring GDPR compliance across your organization.
- Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.
- If your organization is outside the EU, appoint a representative within one of the EU member states.
- Appoint a Data Protection Officer (if necessary).
Privacy rights
- It's easy for your customers to request and receive all the information you have about them.
- It's easy for your customers to correct or update inaccurate or incomplete information.
- It's easy for your customers to request to have their personal data deleted.
- It's easy for your customers to ask you to stop processing their data.
- It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.
- It's easy for your customers to object to you processing their data.
- If you make decisions about people based on automated processes, you have a procedure to protect their rights.
GDPR Violations Fines and Penalties
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR sets out two tiers of fines for violations:
- Tier 1: For less severe infringements fines of up to €10 million or 2% of the firm's worldwide annual revenue from the preceding financial year, whichever is higher.
- Tier 2: For more serious infringements fines of up to €20 million or 4% of the firm's worldwide annual revenue from the preceding financial year, whichever is higher.
Understanding GDPR Violations
In an increasingly interconnected digital world, the safeguarding of personal data has become a paramount concern. The General Data Protection Regulation (GDPR), introduced to bolster data privacy and security, has ushered in a new era of accountability for organizations handling user information. One of the most striking ways this accountability manifests is through substantial fines imposed upon those who breach GDPR standards. This article delves into the intricate web of GDPR fines, shedding light on the intricate details of prominent cases that underscore the gravity of non-compliance.
- Meta (formerly Facebook): The Irish Data Protection Commission (DPC) fined Meta €1.2 billion in July 2021 for a series of data protection violations, including failing to obtain adequate consent from users to process their data and failing to properly inform users about how their data was being used.
- Amazon: The Luxembourg National Commission for Data Protection (CNPD) fined Amazon €746 million in July 2021 for violating the GDPR's rules on data protection and transparency. The CNPD found that Amazon had not obtained adequate consent from users to process their data and had not provided them with clear and concise information about how their data was being used.
- Instagram: The French Data Protection Authority (CNIL) fined Instagram €405 million in January 2022 for violating the GDPR's rules on transparency and data minimization. The CNIL found that Instagram had not provided users with clear and concise information about how their data was being used and had collected more data than was necessary.
- Facebook: The Irish DPC fined Facebook €265 million in September 2020 for violating the GDPR's rules on transparency and data portability. The DPC found that Facebook had not provided users with clear and concise information about how their data was being used and had made it difficult for users to export their data.
- WhatsApp: The Irish DPC fined WhatsApp €225 million in September 2020 for violating the GDPR's rules on transparency and data portability. The DPC found that WhatsApp had not provided users with clear and concise information about how their data was being used and had made it difficult for users to export their data.
- Google LLC: The French CNIL fined Google LLC €90 million in January 2022 for violating the GDPR's rules on transparency and data minimization. The CNIL found that Google had not provided users with clear and concise information about how their data was being used and had collected more data than was necessary.