At its core, GDPR Compliance means an organization that falls within the scope of the General Data Protection Regulation (GDPR) meets the requirements for properly handling personal data as defined in the law.
The GDPR sets out obligations that limit how organizations may use personal data, and it defines eight data subject rights (plus the right to withdraw consent) that give individuals specific entitlements over their personal data. The overall effect is to give individuals more control over their personal information and how it is used.
Download the Ultimate Guide to GDPR Compliance
The GDPR is the most far-reaching privacy law in effect today. It was created by the European Union (EU) to regulate how organizations collect, handle, and protect the personal data of people in the EU. The GDPR took effect on May 25, 2018. As an EU regulation it is directly applicable in every Member State without needing to be transposed into national law, although Member States may supplement it in certain areas. It is designed to strengthen privacy rights by giving data subjects control over how their personal data is obtained, used, and shared.
The GDPR set out with three main goals in mind:
Let’s define some of the basic terminology of the GDPR before we dig into the details.
Data Subject is any identified or identifiable natural person whose personal data is collected, held, or processed by a controller or processor. The GDPR protects data subjects who are in the EU; the protection does not depend on citizenship or formal residence.
Data Controller is the natural or legal person, public authority, agency, or other body that decides the purposes and means of processing personal data.
Data Processor is the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller, acting on the controller's documented instructions.
Processing involves any automated or manual operation or set of operations performed on personal data or sets of personal data, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and so on.
Personal data refers to any information related to a natural person (‘data subject’) that can directly or indirectly identify that person as it relates to their private, professional, or public life, including a name, email address, photos, or even bank statements.
Consent of the data subject means any "freely given, specific, informed and unambiguous indication" that the data subject agrees to the processing of personal data relating to them, given either by a statement or by a clear affirmative action. Silence, pre-ticked boxes, or inactivity do not count as consent.
To decide whether you are covered under the GDPR, you need to consider both the ‘material scope’ (i.e., whether your processing activity is regulated by the GDPR) and the ‘territorial scope’ (i.e., whether you are in a jurisdiction where the GDPR applies).
US organizations may fall within the scope of the GDPR. To determine whether your organization must comply, apply the same analysis of material and territorial scope outlined below. In short, if your organization processes (collects, records, structures, stores, alters, uses, discloses, erases, etc.) the personal data of individuals in the EU in connection with offering them goods or services, or for the purpose of monitoring their behavior within the EU, then you likely fall within the scope of the GDPR.
The GDPR applies to the processing of personal data carried out wholly or partly by automated means. It also applies to the processing that does not use automated means but forms part of a filing system or is intended to form part of a filing system. This covers most activities that organizations do with data, including collecting, recording, storing, accessing or viewing, using, analyzing, combining, disclosing or deleting personal data.
The Territorial Scope: Does the GDPR apply outside the EU?
The GDPR applies to the processing of personal data in the context of the activities of a controller or processor established in the EU, regardless of whether the processing itself takes place in the EU.
It also applies extraterritorially to a controller or processor that is not established in the EU if it offers goods or services to data subjects in the EU or monitors the behavior of data subjects as far as that behavior takes place in the EU. For example, the GDPR applies to a US online shopping website that targets and offers goods to customers in the EU. The goods or services need not be paid for; free offerings count too, which is why foreign government agencies and non-profit organizations can be caught. For example, the GDPR applies to a free travel information page run by a US state government if it collects personal data such as IP addresses from visitors in the EU.
The GDPR outlines eight fundamental data subject rights, plus the right to withdraw consent. Let’s take a closer look at these rights:
- Right to be informed (GDPR Articles 12 to 14)
Data subjects have the right to be informed about the collection and use of their personal data.
- Right of access (GDPR Article 15)
Data subjects have the right to confirm whether their personal data is being processed and to obtain a copy of it.
- Right to rectification (GDPR Article 16)
Data subjects have the right to request that inaccurate or outdated personal data be corrected or completed.
- Right to erasure / "right to be forgotten" (GDPR Article 17)
Data subjects have the right to request that their personal data be deleted. This is not an absolute right and is subject to exemptions, for example where the data must be kept to comply with a legal obligation.
- Right to data portability (GDPR Article 20)
Data subjects have the right to receive the personal data they provided to a controller in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.
- Right to restriction of processing (GDPR Article 18)
Data subjects have the right to request that processing of their personal data be restricted, for example while the accuracy of the data is being contested.
- Right to withdraw consent (GDPR Article 7)
Data subjects have the right to withdraw previously given consent at any time, and withdrawing consent must be as easy as giving it.
- Right to object (GDPR Article 21)
Data subjects have the right to object to the processing of their personal data, including an absolute right to object to processing for direct marketing.
- Rights related to automated decision-making (GDPR Article 22)
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on them.
Now that we understand the basics, let’s jump into the steps your organization can take to meet GDPR compliance. GDPR compliance can look a bit different depending on your organization, but there are specific steps any organization can take now to create a GDPR compliant privacy program:
Let’s take a deeper look at each step.
Step 1: Create an Actionable Plan Using the 7 Principles of the GDPR
The GDPR (Article 5) sets out seven key principles which should be at the core of your approach to personal data processing:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The GDPR requires implementation of appropriate technical and organizational measures to implement the data protection principles effectively and safeguard data subject rights. This is called ‘data protection by design and by default’. This means you have to integrate data protection into your processing activities and business practices from the design stage across the entire data processing lifecycle.
The GDPR requires organizations to keep records of their processing activities and to keep those records up to date. Data mapping is the operational process of building a central inventory of the organization's data flows and maintaining it.
Although the GDPR does not use the term "data mapping", Article 30 requires both controllers and processors to maintain records of processing activities, and it is specific about what those records must contain (purposes, categories of data subjects and data, recipients, international transfers, retention periods, and a description of security measures). Even if an organization has previously performed data mapping, the output will usually need to be updated or redone to meet the Article 30 requirements. The Article 30(5) exemption for organizations with fewer than 250 employees is narrow: it does not apply where the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves special categories of data or data relating to criminal convictions and offenses.
Step 3: Operationalize Data Protection Impact Assessment (DPIA) and Privacy by Design
The GDPR requires controllers to conduct a Data Protection Impact Assessment (DPIA) where processing operations are likely to result in a high risk to individuals. Many details within the GDPR make this more involved than a standard questionnaire; for example, requiring a Data Protection Officer (DPO) involvement in specific workflows, tracking mitigation activities, documenting risk in terms of harm to the individual, data subject consultations, etc.
In addition, organizations in practice implement a lightweight screening questionnaire to analyze risk and then determine if a full DPIA is needed. These workflow and documentation requirements, as well as the user experience and integration expectations of the business users, require purpose-built tools to operationalize the GDPR.
Operationalized properly, the DPIA can be an effective approach to meeting the Data Protection by Design and Default requirement.
The GDPR sets a higher standard for organizations processing data based on consent. For example, consent needs to be: specific, clear and in plain language, not buried in legal notices, not grouped with multiple notices, easy to withdraw, etc. In addition, organizations need to be able to demonstrate consent was received in granular ways.
Under the ePrivacy Directive, organizations must tell people if they are using cookies, and explain what the cookies do and why. Users' consent must be obtained in a way that allows the organization to demonstrate that it was actively and clearly given. Users also need to be informed about the different functions of the cookies used on the website and about the identity of the organizations that set the cookies and use the data collected through them. There is an exception for cookies that are strictly necessary to provide an online service the individual has requested, for example to remember what is in their online basket or to secure a session in online banking. The same rules apply to other technologies used to store or gain access to information on someone's device (for example SDKs in mobile apps).
The ePrivacy Directive's consent requirement applies regardless of whether the cookies process anonymous or personal data. Even where the cookie data is anonymous, the consent for setting them must meet the GDPR standard for valid consent. If the cookie data is personal data, the organization must also comply with the GDPR's rules on personal data, such as recording the processing in its records of processing and conducting a DPIA where the processing is likely to result in a high risk to individuals.
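The following is an added example (not code from the original article or from OneTrust) of how the cookie rules above translate into a consent-gated tracker loader: strictly necessary cookies are set without asking, everything else waits for an explicit per-category opt-in, the consent record is kept in a form that can be shown to a regulator, and withdrawal is a single call. The category names, the tracker inventory, and the record layout are illustrative assumptions, not anything the page specifies.

```javascript
// Added example, not code from the original article or from OneTrust:
// a consent-gated tracker loader that applies the rules in the text above.
// Assumptions (illustrative, not from the page): the category names,
// the tracker inventory and the consent-record layout are my own choices.

const STRICTLY_NECESSARY = "strictly_necessary"; // exempt from the consent requirement

// Constructed inventory of what the site would set on a visitor's device.
// The banner must disclose the purpose and the party that sets each one.
const TRACKERS = [
  { name: "session_id", category: STRICTLY_NECESSARY, setBy: "shop.example",  purpose: "keeps you logged in" },
  { name: "cart",       category: STRICTLY_NECESSARY, setBy: "shop.example",  purpose: "remembers your basket" },
  { name: "_analytics", category: "analytics",        setBy: "stats.example", purpose: "measures page usage" },
  { name: "ad_profile", category: "advertising",      setBy: "ads.example",   purpose: "builds an ad profile" },
];

// Build a demonstrable consent record: who consented, when, which policy
// text they saw, and an explicit per-category decision.
// A category the visitor did not actively opt in to is recorded as false:
// silence, inactivity or a pre-ticked box is not consent.
function recordConsent({ subjectId, policyVersion, choices, now = new Date() }) {
  const categories = {};
  for (const t of TRACKERS) {
    if (t.category === STRICTLY_NECESSARY) continue; // never asked, never recorded
    categories[t.category] = choices[t.category] === true;
  }
  return { subjectId, policyVersion, givenAt: now.toISOString(), categories, withdrawnAt: null };
}

// Withdrawal must be as easy as giving consent. The original record is kept
// (with withdrawnAt set) so the organization can still prove what was
// consented to and for how long.
function withdrawConsent(record, now = new Date()) {
  const categories = {};
  for (const c of Object.keys(record.categories)) categories[c] = false;
  return { ...record, categories, withdrawnAt: now.toISOString() };
}

// Which trackers may be set for this visitor right now. `record` is null
// when the visitor has not interacted with the banner yet; in that state
// only strictly necessary cookies load.
function permittedTrackers(record) {
  return TRACKERS
    .filter(t => t.category === STRICTLY_NECESSARY ||
      (record !== null && record.withdrawnAt === null && record.categories[t.category] === true))
    .map(t => t.name);
}

// Disclosure lines for the banner: one per non-essential tracker, naming
// the party that sets it and what it does.
function bannerDisclosures() {
  return TRACKERS
    .filter(t => t.category !== STRICTLY_NECESSARY)
    .map(t => `${t.name} (${t.category}): set by ${t.setBy}, ${t.purpose}`);
}
```

The design point is that the decision of what to load is derived from the stored record on every page load, so the record is both the proof of consent and the thing that enforces it; if the two were separate, an audit could find consent logged for categories that were never actually gated.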
The GDPR has influenced the drafting of ePrivacy Regulation that will replace the current ePrivacy Directive and align even closer with the GDPR. Organizations will be facing increased penalties and more focused regulatory action under the Draft ePrivacy Regulation.
The GDPR gives data subjects specific rights, such as access, data portability, erasure ("right to be forgotten"), rectification, and more. Handling these requests also carries specific record-keeping and process requirements: the time allowed to respond, the conditions for requesting an extension, the need to verify the requester's identity before releasing anything, and secure transmission of the response to the individual, to name a few. An intake portal that can receive and triage these requests is a vital step in managing, tracking, and reporting on DSARs.
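As an added example (not code from the original article or from OneTrust), here is the request-tracking logic behind such a portal: intake, deadline computation, extension, and an identity gate that refuses to release data to an unverified requester. The timelines come from GDPR Article 12(3) (respond within one month of receipt, extendable by two further months for complex or numerous requests, with the data subject informed of the extension within the first month) and the identity check from Article 12(6); the page does not state these figures itself. The record shape, event names, and verification-method string are illustrative assumptions.

```javascript
// Added example, not code from the original article or from OneTrust:
// intake, deadline and identity-gating logic for a data subject request.
// Timelines are from GDPR Art. 12(3) and the identity check from Art. 12(6);
// the record shape, event names and method strings are illustrative.

// Add calendar months to a UTC date, clamping to the last day of the target
// month: 31 Jan + 1 month is 28/29 Feb, not 2/3 Mar as a naive setMonth gives.
function addMonths(date, months) {
  const d = new Date(date);
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

function openRequest({ id, type, receivedAt }) {
  const received = new Date(receivedAt);
  return {
    id,
    type,                             // e.g. "access", "erasure", "portability"
    receivedAt: received,
    deadline: addMonths(received, 1), // Art. 12(3): respond within one month of receipt
    extended: false,
    identityVerified: false,
    status: "open",
    log: [{ at: received.toISOString(), event: "received" }],
  };
}

// Art. 12(3): the deadline may be extended by up to two further months, but
// the data subject must be informed of the extension within the initial month.
function extendRequest(req, reason, now) {
  if (req.extended) throw new Error(`${req.id}: already extended`);
  if (now > req.deadline) throw new Error(`${req.id}: extension must be notified within the first month`);
  return {
    ...req,
    extended: true,
    deadline: addMonths(req.receivedAt, 3),
    log: [...req.log, { at: now.toISOString(), event: "extended", reason }],
  };
}

// Art. 12(6): where there is reasonable doubt about who is asking, request
// additional information to confirm identity before releasing anything.
function markIdentityVerified(req, method, now) {
  return {
    ...req,
    identityVerified: true,
    log: [...req.log, { at: now.toISOString(), event: "identity_verified", method }],
  };
}

// Releasing a copy of someone's data to an unverified requester is itself a
// personal data breach, so fulfilment is refused until identity is confirmed.
// Late fulfilment is recorded as such rather than silently accepted.
function fulfil(req, now) {
  if (req.status !== "open") throw new Error(`${req.id}: request is ${req.status}`);
  if (!req.identityVerified) throw new Error(`${req.id}: identity not verified, refusing to release data`);
  const status = now > req.deadline ? "fulfilled_late" : "fulfilled";
  return { ...req, status, log: [...req.log, { at: now.toISOString(), event: status }] };
}
```

Two details matter in practice. The month arithmetic is clamped to the end of the month, because a request received on the 31st would otherwise roll its deadline into the wrong month. And the identity check is enforced in code rather than in a checklist: DSARs are a known social-engineering route for extracting someone else's data, so the system, not the operator, should refuse to fulfil an unverified request.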
The GDPR leaves the controller responsible for processing carried out on its behalf, including breaches at a processor, and requires a written contract (Article 28) that binds the processor to the controller's instructions, to confidentiality, and to appropriate security measures. It is therefore critical to analyze processor data transfers and contractual obligations with the same diligence as internal processing activities, both to have a defensible position if a processor suffers a breach and to be able to establish quickly which data was affected.
The GDPR requires a controller to notify a personal data breach to the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a later notification must be accompanied by reasons for the delay. A processor must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate it to the affected data subjects without undue delay. Organizations need a systematic process in place to meet these requirements.
The GDPR requires the same level of protection for personal data transferred outside of the EEA. This requires organizations to review and ensure that they have appropriate mechanisms in place for cross border data transfer.
The first thing to consider when transferring personal data to a third country is whether there is an 'adequacy decision'. An adequacy decision means that the European Commission has decided that a third country or an international organization ensures an adequate level of data protection. Such decisions are subject to periodic review by the Commission and can be invalidated by the Court of Justice of the EU, as happened to the EU-US Privacy Shield in the Schrems II judgment. Another example is the European Commission granting the UK two adequacy decisions (one under the GDPR and one under the Law Enforcement Directive) following Brexit.
To learn more about the UK Adequacy decision check out our UK Adequacy FAQ blog.
In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor has provided ‘appropriate safeguards.’ The most commonly used safeguard is the ‘Standard Contractual Clauses’ (SCCs), which set obligations on the data exporter and the data importer and provide rights for the data subjects.
A transfer is still possible where there is neither an adequacy decision nor appropriate safeguards. In that case an organization can rely on one of the derogations in Article 49, such as the explicit consent of the data subject or the transfer being necessary for the performance of a contract. The derogations are exceptions for specific situations and are interpreted restrictively: they are not a basis for routine or large-scale transfers, and relying on them leaves the organization without contractual or structural protections for the data once it has left the EEA.
To learn more about the Schrems II Ruling, check out DataGuidance’s Definitive Guide to Understanding Schrems II.
Where a data protection officer is appointed, the GDPR makes monitoring the organization's compliance one of the DPO's tasks, which includes raising awareness and training the staff involved in processing. Organizations should provide their staff with initial and refresher training and keep records of it so they can demonstrate compliance.
The GDPR requires an organization to appoint a data protection officer (DPO) if it is a public authority or body, if its core activities require regular and systematic monitoring of individuals on a large scale (for example, online behavior tracking), or if its core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.
The DPO does not take over the organization's responsibility for compliance; the controller or processor remains accountable. The DPO's role is to monitor internal compliance, inform and advise on data protection obligations, provide advice on Data Protection Impact Assessments (DPIAs), and act as the contact point for data subjects and the supervisory authority.
OneTrust offers a suite of products and solutions to operationalize your privacy, security, and governance programs, giving you the tools you need to build a holistic GDPR compliance program.
OneTrust DataGuidance™ Research
The entire OneTrust platform is powered by DataGuidance Regulatory Research. The regulatory research portal is maintained by 40 in-house researchers and 800 legal contributors across 300 jurisdictions, keeping you up to date with the latest on GDPR compliance, enforcement, and news. Learn more.
OneTrust Maturity & Benchmarking
Assess the maturity of your GDPR privacy, security, and data governance programs and benchmark against similar organizations. Learn where your gaps are and leverage insights to improve your compliance efforts. Learn more.
OneTrust Awareness Training
Build a “privacy-first” culture through industry, role, and GDPR specific awareness training courses delivered through OneTrust’s built-in LMS or imported into your existing LMS. Learn more.
OneTrust Assessment Automation
OneTrust Data Mapping
Maintain an evergreen map of data flows, cross-border transfers, complete records of processing, and leverage pre-defined Article 30 templates. Automatically generate a searchable inventory and visual data maps based on the underlying data inventory. Learn more.
OneTrust Data Discovery & Classification
Automatically find IT systems, discover and classify the data within, map personal data to identities, and keep your data map and compliance reporting evergreen. Learn more.
OneTrust Vendor Risk Management
Manage the full vendor lifecycle, assess your vendor’s privacy and security practices, link vendors to your record of processing, and collaborate with vendors to assess the impact of cross border data transfers. Learn more.
OneTrust Incident Management
Operationalize your incident response plan, manage the incident lifecycle, and get automated breach notification guidance across hundreds of breach notification laws. Learn more.
Privacy Rights (DSAR)
Manage the full privacy rights (DSAR) request workflow from intake to fulfilment with pre-built workflows and guidance for GDPR and other privacy regulations with privacy rights requirements. Learn more.
OneTrust Cookie Consent
Scan your websites to identify cookies and trackers and generate geo-specific cookie banners, preference centers, and cookie policies. Within the cookie banner, provide visitors a preference center to put them in control of opting-in and out of tracking. Learn more.
OneTrust Universal Consent Management
Collect, centralize, and sync user consent data across channels, platforms, and systems. Demonstrate consent individually to regulators as well as provide data subjects a list of all the things they have consented to for them to accept or withdraw their consent. Learn more.
Let OneTrust help your organization build a GDPR compliance program that puts trust at the forefront. Learn more about how OneTrust can support your privacy, security, and governance initiatives today.