What is the GDPR
The General Data Protection Regulation (GDPR) is a comprehensive privacy regulation intended to strengthen data protection for people in the European Union (EU). The GDPR expands the rights of data subjects over the use of their personal data, places the responsibility for compliance on Controllers and Processors, spells out specific breach notification requirements, and sets large fines for non-compliance.
The GDPR applies to any organization that processes the personal data of individuals in the EU, including entities established outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. The goal of the GDPR is to give people more power and control over how organizations collect and use their personal data. The main elements of the regulation are described below.
Privacy Principles
The following Privacy Principles serve as the foundation of the GDPR.
Lawfulness, Fairness, and Transparency: The principle states that personal data shall be processed lawfully, fairly, and transparently in relation to the subject. Organizations must clearly disclose the intended use of data in a manner that allows the subject to understand how their data is being collected and processed.
Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. Selling or using data for undisclosed purposes is a violation.
Data Minimization: This requires organizations to collect, process, and retain only the amount of data necessary to fulfill the purpose it was originally collected.
Accuracy: Organizations are required to ensure the data they collect is accurate and kept up to date. Inaccurate data should be corrected as soon as possible.
Storage Limitation: Organizations must disclose to the subject how long they will retain their data, and must keep personal data in a form that identifies the subject no longer than is necessary for the purpose it was collected. Once the purpose has been fulfilled the data must be deleted or anonymized.
Integrity and Confidentiality (Security): Organizations are responsible for the personal information they possess, including information that has been transferred to a third party. Appropriate technical and organizational measures must be taken to protect the data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including restricting access to those who need it.
Accountability: It is the organization’s responsibility to be able to demonstrate that it is protecting personal data and maintaining compliance with the GDPR.
Data subject rights
The GDPR gives people the following rights regarding their personal data:
The Right to Access: Upon request, an organization must provide the subject with information on the existence, use, and disclosure of their personal information and shall be given access to that information. Information that must be disclosed upon request includes:
- The purposes of the processing
- The categories of personal data held
- To whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations
- How long the data will be stored
- The subject’s right to request from the controller rectification, or erasure of personal data, or restriction of processing of personal data, or to object to such processing
- The right to lodge a complaint with a supervisory authority
- The source of any data not collected from the subject
- The existence of any automated decision-making, including profiling and any meaningful logic and consequences of such processing
The Right to be Forgotten: People have the right to request their data be deleted without delay when one or more of the following circumstances applies:
- The personal data is no longer necessary in relation to its original purposes
- The data subject withdraws the consent on which the processing is based
- Unlawful processing has occurred
- The personal data must be erased to comply with a legal obligation to which the controller is subject
- The data subject objects to the processing and there are no overriding legitimate grounds for it
- The data was collected in relation to online services offered directly to a child
The Right to Have Data Transferred: The GDPR provides people with the following rights regarding the transfer of their personal data:
- The right to receive the data they have provided in a structured, commonly used, and machine-readable format
- The right to transmit this data to another controller
- The right to have this data transmitted directly from one controller to the other, where technically feasible
The Right to Rectify: Data subjects have the right to fix any inaccuracies in the personal data held about them. An individual shall be able to challenge the accuracy and completeness of the information provided following an access request and have it amended as appropriate.
The Right to Restrict Processing: People have the right to restrict specific processing of their data when one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
- The controller no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise, or defense of legal claims
- The data subject has objected to the processing, pending verification of whether the controller’s legitimate grounds override those of the data subject
The Right to Object: People have the right to object to the processing of their personal data. If the objection is made, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
People also have the right to object to the processing of their personal data for direct marketing purposes, including profiling that is related to direct marketing.
Controllers must also notify the data subject of the right to object no later than the first communication and this communication must be made clearly and separately from any other information.
The Right to Object to Automated Decision Making: People have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Lawful Basis of Processing
This element of the GDPR requires that organizations have a lawful basis for processing personal data. Organizations should determine their lawful basis before processing data and document it. At least one of the following must apply to have a lawful basis for processing data:
- Consent: The individual has given freely given, specific, informed, and unambiguous consent for you to process their personal data for a specific purpose.
- Contract: Data processing is necessary due to a contract you have with the individual, or they have requested specific steps be taken before entering into a contract.
- Legal obligation: Data processing is necessary to comply with legal requirements.
- Vital interests: Data processing is necessary to protect the life of the data subject or of another person.
- Public task: The data processing is in the public interest and the task or function has a clear basis in law.
- Legitimate interests: Data processing is necessary for the organization’s or a third party’s legitimate interests unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The Concept of Privacy and Protection by Design and Default
The GDPR requires data protection by design and by default (Article 25). Data protection by design is the practice of building data protection and privacy measures into the design and development of products, systems, and processes at every stage, rather than adding them afterward.
Data protection by default requires that, out of the box, organizations only process the data that is necessary to achieve a specific purpose. Organizations need to identify what data is needed to fulfill the purpose, provide the appropriate information to the data subjects, and only process the data needed for that purpose.
Specific Breach Notification Requirements
The GDPR requires controllers to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the notification is not made within 72 hours, the organization must provide a reason for the delay. When the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified without undue delay. The breach notification report must include the following information:
- A description of the nature of the data breach, including the categories and approximate number of people impacted and the categories and approximate number of personal data records involved
- Contact information for the data protection officer or another point of contact where more information can be obtained
- The anticipated consequences of the data breach
- A description of the response of the organization to mitigate the impact of the breach
Information Security Requirements
The GDPR requires organizations to implement appropriate technical and organizational measures to protect the security of the personal information they hold, taking into account the state of the art, the cost of implementation, and the risk to individuals. The GDPR’s security requirements are deliberately open-ended, giving organizations the ability to tailor a plan that matches their operations. The general security requirements of the GDPR include:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
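Pseudonymization is named above but not described. The following Python example is added here and is not code from the original page or from CompliancePoint; it shows the security-relevant point behind the requirement: replacing a direct identifier with a keyed HMAC token, keeping the key and the re-identification table apart from the dataset, and why an unkeyed hash does not qualify. The records, the guess list, and the key are all constructed sample values.

```python
"""Pseudonymizing a direct identifier (email) with a keyed hash.

Added example, not part of the original page. All records, keys and the
attacker's guess list below are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.org", "plan": "free", "country": "FR"},
]

# Constructed attacker guess list: plain hashes are reversed by hashing guesses.
GUESSES = ["alice@example.com", "bob@example.org", "carol@example.net"]


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256: deterministic and keyless, so anyone can recompute it
    from a guessed identifier. This is NOT pseudonymization in the GDPR sense."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def pseudonymize(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Without `key` a token cannot be recomputed from
    a guess, so the 'additional information' needed to re-link it to a person
    is the key plus the lookup table, both of which are kept separately."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key):
    """Replace the direct identifier with a token.

    Returns (pseudonymized dataset, re-identification table). The table and
    the key must be stored and access-controlled separately from the dataset;
    analysts working on the dataset get neither."""
    dataset, lookup = [], {}
    for record in records:
        token = pseudonymize(record["email"], key)
        row = {k: v for k, v in record.items() if k != "email"}
        row["subject_token"] = token
        dataset.append(row)
        lookup[token] = record["email"]
    return dataset, lookup


def reidentify_by_guessing(token_fn, tokens, guesses):
    """Dictionary attack: recompute token_fn over a guess list and match."""
    table = {token_fn(g): g for g in guesses}
    return {t: table[t] for t in tokens if t in table}


def demo():
    """Compare how many subjects an attacker without the key recovers from
    naive hashes versus keyed tokens. Returns (naive_hits, keyed_hits, lookup_size)."""
    key = secrets.token_bytes(32)            # held by the controller, stored separately
    dataset, lookup = pseudonymize_records(RECORDS, key)
    tokens = [row["subject_token"] for row in dataset]

    naive_tokens = [naive_hash(r["email"]) for r in RECORDS]
    naive_hits = reidentify_by_guessing(naive_hash, naive_tokens, GUESSES)

    attacker_key = secrets.token_bytes(32)   # attacker does not know the real key
    keyed_hits = reidentify_by_guessing(
        lambda e: pseudonymize(e, attacker_key), tokens, GUESSES
    )
    return len(naive_hits), len(keyed_hits), len(lookup)


if __name__ == "__main__":
    print(demo())
```

The operational point is key separation: a pseudonymized dataset that ships alongside its HMAC key (or alongside the lookup table) is, for an attacker who obtains both, no different from the raw data. Keep the key in a KMS or HSM with a separate access policy, and treat the re-identification table as personal data in its own right.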
Achieving GDPR Compliance
To achieve GDPR compliance organizations need to have the appropriate privacy controls implemented to honor consumer rights, address proper disclosure requirements, and maintain records of processing. A risk assessment is typically the first step toward compliance. The assessment will provide organizations with a roadmap by helping them understand their GDPR obligations, risk exposure, and if their current controls satisfy GDPR requirements.
To reach GDPR compliance organizations need to:
- Determine if the GDPR applies to your business
- Update privacy policies, notices, and disclosures
- Provide consumers a way to submit privacy rights requests
- Keep policies and procedures updated and accurate
- Document process flows for each type of consumer request
- Honor consumer privacy rights
The Risks of Non-compliance
Failing to be GDPR compliant exposes your organization to significant risk. Fines for the most serious violations can reach up to 4% of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher. Several companies, including Marriott, Google, British Airways, and H&M, have been issued fines of more than €10 million for GDPR violations. The potential loss of revenue caused by the damage to an organization’s public image and loss of consumer trust can be devastating.
How we can Help
CompliancePoint provides a full suite of services that help organizations manage and respond effectively to privacy requirements. We help organizations proactively identify their gaps, build out frameworks to meet compliance requirements, and can manage their security program on an ongoing basis to maintain compliance.
"SMBs are not immune to the risk of GDPR. The risk of fines and regulatory action are the same for businesses large and small."
-- Greg Sparrow, CompliancePoint Senior Vice President & General Manager
Frequently Asked Questions
The 7 Privacy Principles of the GDPR are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
The GDPR applies to US companies that process the personal data of individuals in the EU, regardless of those individuals’ citizenship, when the company offers goods or services to them or monitors their behavior.
The GDPR is an EU regulation to protect the personal data and privacy of individuals in the EU. The CCPA is a California law to protect the data and privacy of California residents.