What is GDPR Compliance?
At its core, GDPR compliance means that an organization within the scope of the General Data Protection Regulation (GDPR) meets the law's requirements for handling personal data.
The GDPR imposes obligations that limit how personal data may be used, and it defines a set of data subject rights that give individuals specific entitlements over their personal data. The net effect is to give individuals more control over their personal information and how it is used.
Overview of the GDPR
The GDPR is one of the most comprehensive privacy laws in force today. It was created by the European Union (EU) to regulate how organizations collect, handle, and protect the personal data of individuals in the EU. The GDPR took effect on May 25, 2018. As an EU regulation it is directly applicable in every Member State without national transposition. It is designed to strengthen privacy rights by giving data subjects control over how their personal data is obtained, used, and shared.
The GDPR set out with three main goals in mind:
- Establish and protect the fundamental privacy rights of individuals.
- Unify privacy law across the EU by replacing the 1995 Data Protection Directive and the 28 divergent national laws that implemented it.
- Update privacy law to reflect how technology has changed the collection and use of personal data over the preceding 25 years.
Let’s define some of the basic terminology of the GDPR before we dig into the details.
Data subject is an identified or identifiable natural person whose personal data is collected, held, or processed by a controller or processor. The GDPR's protection attaches to people who are in the EU; it does not depend on citizenship or formal residence.
Data controller is the entity that determines the purposes and means of processing personal data. The controller is responsible for identifying the lawful basis for each processing activity.
Data processor is a natural or legal person, agency, or other body that processes personal data on behalf of the controller and on the controller's documented instructions.
Processing is any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure, and destruction.
Personal data is any information relating to an identified or identifiable natural person (the data subject), whether it concerns their private, professional, or public life. A name, an email address, a photo, an IP address, or a bank statement can all be personal data, and so can data that identifies a person only indirectly or in combination with other data.
Consent of the data subject means any "freely given, specific, informed and unambiguous indication" of the data subject's wishes by which they signify agreement to the processing of their personal data, given either by a statement or by a clear affirmative action. Pre-ticked boxes, silence, and inactivity do not constitute consent.
Does the GDPR Apply to Your Organization?
To decide whether you are covered under the GDPR, you need to consider both the ‘material scope’ (i.e., whether your processing activity is regulated by the GDPR) and the ‘territorial scope’ (i.e., whether you are in a jurisdiction where the GDPR applies).
The Material Scope
The GDPR applies to the processing of personal data carried out wholly or partly by automated means. It also applies to the processing that does not use automated means but forms part of a filing system or is intended to form part of a filing system. This covers most activities that organizations do with data, including collecting, recording, storing, accessing or viewing, using, analyzing, combining, disclosing or deleting personal data.
The Territorial Scope
The GDPR applies to the processing of personal data by a controller or processor established in the EU, regardless of whether the processing itself takes place in the EU.
It also applies extraterritorially to a controller or processor that is not established in the EU if it offers goods or services to data subjects in the EU or monitors the behaviour of data subjects as far as that behaviour takes place in the EU. For example, the GDPR applies to a US online shop that targets and sells to customers in the EU. The offer of goods or services need not involve payment, so foreign government agencies and non-profit organizations can be covered too. For example, the GDPR applies to a free travel information page run by a US state government that collects personal data such as IP addresses from visitors located in the EU.
GDPR Data Subject Rights
The GDPR sets out eight data subject rights, and Article 7 adds the right to withdraw consent at any time. Let's take a closer look at each:
- Right to be informed (GDPR Articles 12 to 14)
Data subjects have the right to be informed about the collection and use of their personal data.
- Right to access (GDPR Article 15)
Data subjects have the right to view and request copies of their personal data.
- Right to rectification (GDPR Article 16)
Data subjects have the right to request inaccurate or outdated personal information be updated or corrected.
- Right to be forgotten / Right to erasure (GDPR Article 17)
Data subjects have the right to request their personal data be deleted. Note that this is not an absolute right and may be subject to exemptions based on certain laws.
- Right to data portability (GDPR Article 20)
Data subjects have the right to receive the personal data they provided to a controller in a structured, commonly used, and machine-readable format, and, where technically feasible, to have it transmitted directly to another controller.
- Right to restrict processing (GDPR Article 18)
Data subjects have the right to request that processing of their personal data be restricted, for example while the accuracy of the data is being contested.
- Right to withdraw consent (GDPR Article 7)
Data subjects have the right to withdraw previously given consent to process their personal data.
- Right to object (GDPR Article 21)
Data subjects have the right to object to the processing of their personal data.
- Rights related to automated decision-making (GDPR Article 22)
Data subjects have the right not to be subject to a decision that produces legal or similarly significant effects on them and is based solely on automated processing, including profiling, subject to the exceptions in Article 22(2).
Steps to GDPR Compliance
Now that we understand the basics, let's look at the steps your organization can take to achieve GDPR compliance. The details vary by organization, but there are specific steps any organization can take now to build a GDPR-compliant privacy program:
- Create an Actionable Plan with a Readiness Assessment
- Generate a Processing Register for Article 30
- Operationalize Data Protection Impact Assessment (DPIA) and Privacy by Design (PbD)
- Build a Framework for Consent Management
- Meet EU Privacy Cookie Compliance Requirements
- Build a Data Subject Rights Request Portal
- Review and Remediate Processor Risks
- Prepare an Incident Reporting & Breach Management Workflow
- Review Cross Border Data Transfer Mechanisms
- Train Your Staff for GDPR Compliance
- Appoint a Data Protection Officer (DPO)
Let’s take a deeper look at each step.
Step 1: Create an Actionable Plan with a Readiness Assessment
The GDPR sets out seven key principles which should be at the core of your approach for personal data processing:
- Lawfulness, fairness, and transparency – There must be a lawful basis for each processing activity, the processing must not be used in ways the data subject would not reasonably expect, and the data subject must be informed of the processing.
- Purpose limitation – Be clear about your purposes for processing, record them, and specify them in the privacy notice to individuals. Limit the processing to those identified purposes.
- Data minimization – Only process personal data that is adequate, relevant, and limited to what is necessary for the purpose.
- Accuracy – Ensure the personal data you process is accurate and, where necessary, kept up to date. Correct or erase inaccurate personal data without delay.
- Storage limitation – Keep personal data in identifiable form no longer than is necessary for the purposes for which it is processed.
- Integrity and confidentiality (security) – Have appropriate security measures in place to protect the personal data from unauthorized or unlawful processing and accidental loss, destruction, or damage.
- Accountability – Take responsibility for what you do with personal data and have appropriate measures and records in place to demonstrate your compliance with the data processing principles.
The GDPR requires implementation of appropriate technical and organizational measures to implement the data protection principles effectively and safeguard data subject rights. This is called ‘data protection by design and by default’. This means you have to integrate data protection into your processing activities and business practices from the design stage across the entire data processing lifecycle.
- Article 5: Principles Relating to Processing of Personal Data
- Article 24: Responsibility of the Controller
Step 2: Generate a Processing Register for Article 30
The GDPR requires organizations to keep records of their processing activities and to keep those records up to date. Data mapping is the operational process of building a central inventory of the organization's data flows and maintaining it.
Although the GDPR does not mention data mapping by name, it requires both controllers and processors to maintain records of processing activities with the content listed in Article 30(1) and (2): the purposes of processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to third countries and their safeguards, and, where possible, retention periods and a description of security measures. The only exemption, in Article 30(5), is for organizations with fewer than 250 employees, and it does not apply if the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data or criminal conviction data, so in practice most organizations must keep records. Because Article 30 is this specific, an organization that has previously performed data mapping will usually need to update or redo it to meet the requirements.
- Article 6: Lawfulness of Processing
- Article 30: Records of Processing Activities (Primary)
- Article 32: Security of Processing
Step 3: Operationalize Data Protection Impact Assessment (DPIA) and Privacy by Design
The GDPR requires controllers to conduct a Data Protection Impact Assessment (DPIA) where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. Many details within the GDPR make this more involved than a standard questionnaire: the controller must seek the advice of the Data Protection Officer (DPO) where one is designated, track mitigation measures, document risk in terms of harm to the individual, and, where appropriate, seek the views of data subjects or their representatives. If the residual risk remains high, the controller must consult the supervisory authority before processing (Article 36).
In practice, organizations implement a lightweight screening questionnaire to assess risk and decide whether a full DPIA is needed. Meeting these workflow and documentation requirements at the scale and speed the business expects usually needs a defined process and supporting tooling rather than ad hoc documents.
Operationalized properly, the DPIA is also an effective way to meet the data protection by design and by default requirement, because it forces privacy risk to be considered before a new processing activity goes live.
- Article 25: Data Protection by Design and by Default
- Article 35: Data Protection Impact Assessments
- Article 36: Prior Consultation
Step 4: Build a Framework for Consent Management
The GDPR sets a high standard for organizations that rely on consent as their lawful basis. Consent must be specific, presented clearly and in plain language, not buried in legal notices, not bundled with other matters, and as easy to withdraw as it was to give. In addition, organizations must be able to demonstrate that consent was obtained, at the granularity of each purpose, including when and how it was given.
- Article 7: Conditions for Consent
Step 5: Meet EU Privacy Cookie Compliance Requirements
Under the ePrivacy Directive, organizations must tell people if they are using cookies and explain what the cookies do and why. Users' consent must be obtained in a way that lets the organization demonstrate that consent was actively and clearly given. Users also need to be informed about the different functions of the cookies used on the website and the identity of the organizations that set the cookies and use the data collected through them. There is an exemption for cookies that are strictly necessary to provide an online service the user has requested, for example to remember what is in their shopping basket or to secure an online banking session. The same rules apply to any other technology that stores or reads information on someone's device, for example SDKs embedded in mobile apps.
The ePrivacy Directive's consent requirement applies regardless of whether the data handled by the cookie is anonymous or personal. Even where the cookie data is anonymous, consent for setting the cookie must meet the GDPR standard of consent. If the cookie data is personal data, the organization must also comply with the GDPR's rules for personal data, such as recording the processing activity in its records of processing and carrying out a DPIA where the processing is likely to result in a high risk.
The GDPR has influenced the drafting of a proposed ePrivacy Regulation that is intended to replace the current ePrivacy Directive and align more closely with the GDPR. If adopted, it would bring GDPR-level penalties and more focused regulatory action to cookies and similar technologies.
- Article 7: Conditions for Consent
- Article 21: Right to Object
- ePrivacy Directive / Draft ePrivacy Regulation
Step 6: Build a Data Subject Rights Request (DSAR) Portal
The GDPR gives data subjects specific rights, such as access, rectification, erasure (the "right to be forgotten"), data portability, and more. These rights come with procedural requirements: the controller must respond without undue delay and within one month of receipt, extendable by a further two months for complex or numerous requests provided the data subject is told within the first month; it must verify the identity of the requester; it must transmit the response securely; and it should keep records of each request and its handling. Having a portal that automates intake, identity verification, and triage is a vital step in managing, tracking, and reporting on DSARs.
- Article 7: Conditions for Consent
- Article 12: Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject
- Article 13: Information to be Provided Where Personal Data are Collected from the Data Subject
- Article 14: Information to be Provided where Personal Data have not been Obtained from the Data Subject
- Article 15: Right of Access by the Data Subject
- Article 16: Right to Rectification
- Article 17: Right to Erasure (“Right to be Forgotten”)
- Article 18: Right to Restriction of Processing
- Article 19: Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing
- Article 20: Right to Data Portability
- Article 21: Right to Object
Step 7: Review and Remediate Processor Risks
The controller remains accountable for processing it outsources to a processor, and both can be liable to data subjects for damage caused by non-compliant processing. Processors may be used only under a written contract with the terms required by Article 28(3), and a processor may not engage a sub-processor without the controller's authorization. It is therefore critical to analyze processor data flows and contractual obligations with the same diligence as internal processing activities, so that the organization has a defensible posture if a processor suffers a breach and can quickly determine what data was affected.
- Article 28 (1)-(3): Processor
- Article 24 (1): Responsibility of the Controller
- Article 29: Processing Under the Authority of the Controller or Processor
- Article 46 (1): Transfers Subject to Appropriate Safeguards
Step 8: Prepare an Incident Reporting & Breach Management Workflow
The GDPR requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay. Processors must notify the controller without undue delay after becoming aware of a breach, and every breach must be documented internally whether or not it is reported. Meeting these deadlines is only realistic with a systematic detection, escalation, and decision process prepared in advance.
- Article 33: Notification of a Personal Data Breach to the Supervisory Authority
- Article 34: Communication of Personal Data Breach to the Data Subject
Step 9: Review Cross Border Data Transfer Mechanisms
The GDPR requires that the level of protection it guarantees is not undermined when personal data is transferred outside the European Economic Area (EEA). Organizations must therefore review their data flows and ensure that an appropriate transfer mechanism is in place for each cross-border transfer.
The first thing to consider when transferring personal data to a third country is whether there is an 'adequacy decision'. An adequacy decision means that the European Commission has decided that a third country, a territory, or an international organization ensures an adequate level of data protection, so no further authorization is needed. Adequacy is not permanent: decisions are periodically reviewed by the Commission and can be invalidated by the Court of Justice of the EU, as happened to the EU-US Privacy Shield in the Schrems II judgment of July 2020. Brexit made the UK a third country, so transfers to the UK depend on the Commission's UK adequacy decisions, which are likewise subject to review.
In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor has provided 'appropriate safeguards'. The most commonly used safeguard is the Commission's 'Standard Contractual Clauses' (SCCs), which set obligations on the data exporter and the data importer and provide enforceable rights for data subjects. Since Schrems II, an exporter relying on SCCs must also assess whether the law and practice of the destination country undermine the protections the clauses provide and, where they do, adopt supplementary measures such as encryption that keeps the data unintelligible to the importer and local authorities.
Transfer is still possible where there is neither an adequacy decision nor appropriate safeguards. In that case an organization can rely on one of the Article 49 derogations, such as the data subject's explicit consent after being informed of the risks, or the transfer being necessary for the performance of a contract with the data subject. Derogations are meant for occasional transfers and cannot be used as a routine mechanism, and they leave data subjects without the protections that safeguards provide, so they should be a last resort.
- Article 44: General Principle for Transfers
- Article 45: Transfers on the Basis of an Adequacy Decision
- Article 46: Transfers Subject to Appropriate Safeguards
- Article 47: Binding Corporate Rules
- Article 49: Derogations for Specific Situation
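Steps 2 and 9 both come down to one inventory question: does every processing record carry the content Article 30 requires, and does every transfer out of the EEA name a Chapter V mechanism? The following Python script is an added example, not code from the original article or from any vendor tool it refers to. It checks a constructed sample register for missing Article 30(1) fields, a valid Article 6(1) lawful basis, special-category data without a DPIA reference, and transfers that lack a mechanism, claim adequacy for a country not on the maintained list, or rely on an Article 49 derogation. The record schema, the field names, and the sample data are assumptions for illustration; the EEA list is the real EU-27 plus Iceland, Liechtenstein, and Norway, but the ADEQUACY set is an illustrative subset that must be verified against the Commission's current adequacy decisions before any real use.

```python
"""
Added example (not from the original article): a minimal Article 30
register check covering Step 2 (records of processing) and Step 9
(cross-border transfer mechanisms).  Schema, field names and sample data
are illustrative assumptions; ADEQUACY is an illustrative subset and must
be maintained against the European Commission's current decisions.
"""
from dataclasses import dataclass, field

# EU-27 plus the three EEA EFTA states (Iceland, Liechtenstein, Norway).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
# Illustrative subset of countries with an Article 45 adequacy decision.
# Adequacy decisions are reviewed and can be invalidated (Schrems II struck
# down the EU-US Privacy Shield in 2020), so this set must be kept current.
ADEQUACY = {"CH", "JP", "GB", "CA", "KR", "NZ"}

LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}          # Article 6(1)(a)-(f)
TRANSFER_MECHANISMS = {"adequacy", "scc", "bcr", "derogation"}  # Articles 45-49


@dataclass
class Transfer:
    country: str          # ISO 3166-1 alpha-2 code of the importer's country
    mechanism: str = ""   # one of TRANSFER_MECHANISMS, or empty if none recorded


@dataclass
class ProcessingRecord:
    name: str
    purposes: list[str]                  # Article 30(1)(b)
    lawful_basis: str                    # Article 6(1)
    data_subject_categories: list[str]   # Article 30(1)(c)
    data_categories: list[str]           # Article 30(1)(c)
    recipients: list[str]                # Article 30(1)(d)
    retention: str = ""                  # Article 30(1)(f), "where possible"
    security_measures: str = ""          # Article 30(1)(g), "where possible"
    special_category: bool = False       # Article 9 data present
    dpia_reference: str = ""             # link to a DPIA or screening result
    transfers: list[Transfer] = field(default_factory=list)  # Article 30(1)(e)


def check_record(rec: ProcessingRecord) -> list[str]:
    """Return human-readable findings for one register entry (empty means no gaps)."""
    findings = []
    for attr, label in [("purposes", "purposes"),
                        ("data_subject_categories", "data subject categories"),
                        ("data_categories", "data categories"),
                        ("recipients", "recipients")]:
        if not getattr(rec, attr):
            findings.append(f"missing {label} (Art 30(1))")
    if rec.lawful_basis not in LAWFUL_BASES:
        findings.append(f"lawful basis {rec.lawful_basis!r} is not an Art 6(1) ground")
    if not rec.retention:
        findings.append("no retention period recorded (Art 30(1)(f), Art 5(1)(e))")
    if not rec.security_measures:
        findings.append("no security measures recorded (Art 30(1)(g), Art 32)")
    if rec.special_category and not rec.dpia_reference:
        findings.append("special-category data without DPIA reference (Art 9, Art 35)")
    for t in rec.transfers:
        if t.country in EEA:
            continue  # intra-EEA flows are not Chapter V transfers
        if t.mechanism not in TRANSFER_MECHANISMS:
            findings.append(f"transfer to {t.country} has no Chapter V mechanism recorded")
        elif t.mechanism == "adequacy" and t.country not in ADEQUACY:
            findings.append(f"transfer to {t.country} claims adequacy but {t.country} is not in ADEQUACY")
        elif t.mechanism == "derogation":
            findings.append(f"transfer to {t.country} relies on an Art 49 derogation, "
                            "which is for occasional transfers only")
    return findings


def check_register(register: list[ProcessingRecord]) -> dict[str, list[str]]:
    """Map each record name to its findings; records with no findings are omitted."""
    return {r.name: f for r in register if (f := check_record(r))}


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    ProcessingRecord(
        name="Newsletter", purposes=["send product updates"], lawful_basis="consent",
        data_subject_categories=["subscribers"], data_categories=["email address"],
        recipients=["email delivery provider"], retention="until consent is withdrawn",
        security_measures="TLS in transit; access limited to the marketing role",
        transfers=[Transfer("DE")],                # intra-EEA, no mechanism needed
    ),
    ProcessingRecord(
        name="Web analytics", purposes=["measure site usage"],
        lawful_basis="legitimate_interests", data_subject_categories=["website visitors"],
        data_categories=["IP address", "device ID"], recipients=["analytics SaaS"],
        security_measures="pseudonymised identifiers",
        transfers=[Transfer("US")],                # third country, mechanism not recorded
    ),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample register, the script reports nothing for the newsletter record and two findings for web analytics: no retention period and a US transfer with no mechanism recorded. The point of keeping the check as code is that it can run in CI whenever the register changes, so a new SaaS recipient or a new destination country surfaces as a finding before the data starts flowing rather than at the next audit.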
Step 10: Train Your Staff for GDPR Compliance
Where an organization has designated a data protection officer, the GDPR makes monitoring compliance one of the DPO's tasks, and that includes awareness-raising and training of staff involved in processing. Whether or not a DPO is required, staff training is part of the technical and organizational measures the accountability principle expects. Organizations should provide initial and refresher training and keep records of who was trained, on what, and when, so that compliance can be demonstrated.
- Article 39: Tasks of the Data Protection Officer
- Article 47: Binding Corporate Rules
Step 11: Appoint a Data Protection Officer (DPO)
The GDPR requires an organization to appoint a data protection officer (DPO) if it is a public authority or body, or if the organization’s core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO assists the organization in monitoring internal compliance, informs and advises on data protection obligations, provides advice on Data Protection Impact Assessments (DPIAs), and acts as a contact point for data subjects and the supervisory authority. The DPO must be able to act independently, must report to the highest level of management, and may not be dismissed or penalized for performing these tasks.
- Article 37: Designation of the Data Protection Officer
- Article 38: Position of the Data Protection Officer
- Article 39: Tasks of the Data Protection Officer