GDPR compliance

What is GDPR compliance?

The General Data Protection Regulation (GDPR) is a set of mandates that define how organizations within and outside the European Union (EU) must collect, store, process, and transfer the personal data of EU residents.

Introduced in 2016 and enforced on May 25, 2018, the GDPR replaced the Data Protection Directive 95/46/EC. With its strong emphasis on data privacy, security, and the fundamental rights of individuals, the GDPR quickly gained recognition as one of the world’s toughest data protection laws, setting the standard for laws to come.

For organizations subject to the GDPR, noncompliance can result in hefty penalties along with a negative impact on brand reputation—making it crucial to determine whether your organization falls under its scope.

Who does the GDPR apply to?

The GDPR applies to data controllers and data processors that handle the personal data of residents of the European Economic Area (EEA), which includes the EU countries, Iceland, Liechtenstein, and Norway.

  • Data controllers: Any organization that determines the purposes and means of processing personal data of EEA residents is considered a controller and must comply with the GDPR, regardless of where they are based.

    Examples:

    • An e-commerce company in India collecting the names, addresses, and payment information of customers in Germany to fulfill orders.
    • A mobile app developer in the United States tracking the location and usage behavior of users in Norway for analytics or targeted advertising.
  • Data processors: Organizations that process personal data on behalf of a controller are also subject to the GDPR. Processors must only act on the controller’s documented instructions and implement appropriate security measures.

    Examples:

    • A cloud storage provider in Switzerland hosting customer data for a German company.
    • A payroll service company in the United Kingdom handling employee data for a company in Iceland.

UK GDPR vs. EU GDPR

Following Brexit, the UK's withdrawal from the EU in 2020, the UK introduced its own data protection framework known as the UK GDPR. While the UK GDPR closely mirrors the EU GDPR (commonly referred to simply as the GDPR), there are several key differences between the two. Here are a few examples:

  • Jurisdiction
    • UK GDPR: Applies to organizations processing the personal data of individuals who reside in the UK.
    • EU GDPR: Applies to organizations processing the personal data of individuals who reside in the EEA (EU countries, Iceland, Liechtenstein, and Norway).
  • Supervisory authority
    • UK GDPR: The Information Commissioner’s Office (ICO) is the UK’s supervisory authority.
    • EU GDPR: Each EU member state has its own supervisory authority (e.g., CNIL in France, BfDI in Germany).
  • Data transfers
    • UK GDPR: Transfers outside the UK must comply with UK-approved mechanisms (e.g., IDTA, UK Addendum to SCCs).
    • EU GDPR: Transfers outside the EEA must comply with EU-approved mechanisms (e.g., SCCs, adequacy decisions).
  • Scope
    • UK GDPR: Includes processing for national security, intelligence services, and immigration.
    • EU GDPR: Excludes processing for national security and intelligence purposes.

GDPR principles

As outlined in Article 5, the GDPR lays out these seven principles:

  1. Lawfulness, fairness, and transparency: You must have a lawful basis for collecting personal data and ensure individuals clearly understand who is collecting their data and how it will be used.
  2. Purpose limitation: Your organization must clearly define the purpose for which personal data is collected and ensure it's not used for unrelated purposes.
  3. Data minimization: You should gather only the data necessary to accomplish your stated purpose—nothing more.
  4. Accuracy: You must ensure personal data is accurate and kept up to date, and promptly delete or correct data that is inaccurate.
  5. Storage limitation: You should retain data only for the length of time necessary to meet its intended purpose and securely delete it when it’s no longer needed.
  6. Integrity and confidentiality: You must protect personal data using appropriate technical and organizational measures to maintain its integrity and confidentiality.
  7. Accountability: As a controller, you are responsible for demonstrating compliance with all the above principles through proper documentation and safeguards.

GDPR rights

The GDPR extends these eight fundamental rights to data subjects:

  1. Right to be informed (Articles 12–14): Data subjects have the right to understand the purpose for which you collect their data and how it will be used.
  2. Right to access (Article 15): Data subjects have the right to view and receive a copy of their data in an intelligible format and without charge.
  3. Right to rectification (Article 16): Data subjects have the right to request you to update their information if they deem it inaccurate or incomplete.
  4. Right to erasure (Article 17): Data subjects have the right to ask you to delete their information under certain circumstances, such as when processing is unlawful or no longer necessary.
  5. Right to restrict processing (Article 18): Data subjects have the right to restrict your processing of their data while still allowing you to store it.
  6. Right to data portability (Article 20): You must enable data subjects to receive their personal data in a commonly used, structured, and machine-readable format and allow it to be transferred to another controller.
  7. Right to object (Article 21): Data subjects have the right to object to the processing of their personal data for specific purposes, such as direct marketing or when processing is based on legitimate interests.
  8. Rights related to automated decision-making and profiling (Article 22): Data subjects have the right not to be subject to decisions made solely through automated processing, including profiling, that have legal or similarly significant effects on them.

GDPR fines

The GDPR specifies the repercussions of noncompliance in Articles 83(4) and 83(5). Any violation committed would fall under one of two tiers based on severity. Here's a set of violations that are classified under each and their potential impact on your organization:

  • Article 83(4) Lower-tier violation: Violations under this article could set you back by up to €10 million or 2% of the previous fiscal year's turnover, whichever is higher. A few violations under this category include:
    • Failing to meet the obligations of the controller and processor under Articles 8, 11, 25–39, 42, and 43.
    • Failing to comply with the obligations of a certification body under Articles 42 and 43.
    • Failing to meet the obligations of a monitoring body under Article 41(4).
  • Article 83(5) Upper-tier violation: Violations under this article are more severe and the penalties could cost you up to €20 million or 4% of the previous fiscal year's turnover, whichever is greater. A few violations under this category include:
    • Failing to comply with the basic principles for data processing, including conditions for consent as set out in Articles 5, 6, 7, and 9.
    • Violating data subjects’ rights under Articles 12–22.
    • Improper transfers of personal data to recipients in a third country or international organization, as per Articles 44–49.
    • Failing to meet any obligations under Member State law adopted pursuant to Chapter IX.
    • Failing to comply with a supervisory authority’s order or processing restriction—including temporary or permanent suspension of data flows under Article 58(2)—or failure to grant access as required under Article 58(1).

These hefty penalties underscore why your organization must comply with the GDPR. This is where DataSecurity Plus comes in. The next section gives you a brief overview of how we help meet GDPR requirements.

How DataSecurity Plus helps with GDPR requirements

DataSecurity Plus is a unified data visibility and security solution that supports your entire data security journey—from discovering data and identifying permissions to tracking data usage and monitoring data transfers. Here are a few ways DataSecurity Plus can help you comply with the GDPR:

  • Practice data minimization: Find users with full control access and locate files or folders shared with everyone using the security permission analyzer.
  • Locate and classify sensitive personal data: Locate instances of personal and sensitive data, such as national IDs, credit card numbers, and license details, using the GDPR data discovery policy.
  • Monitor access to sensitive personal information: Audit user activity and track who accessed what file, when, and from where using file auditing.
  • Implement strong protection measures: Use predefined protection policies, monitor file integrity, and automatically block or respond to threats using file integrity monitoring and automated threat response.

To learn more about how DataSecurity Plus can help you comply with a particular article of the GDPR, refer to our page on GDPR solution mapping.
