The General Data Protection Regulation (GDPR) is a law passed to control the way organizations process and use personal data collected from consumers online. The European Union (EU) approved it in April 2016, and the requirements dictating GPDR compliance went into effect on May 25, 2018. The GDPR compliance requirements represent a harmonization of data privacy laws across the EU.
The near-ubiquitous use of cloud services and the pervasive threats of data breaches are a driving force behind GDPR compliance requirements. Digital services have eroded borders that once gave more control over where data resides.
GDPR compliance requirements reflect the EU’s highly protective stance on data privacy and security for its citizens.
Although the law was drafted and passed in the EU, the GDPR extends to any organization that collects and processes data related to EU citizens, regardless of location.
Seven Principles of Data Protection inform GDPR compliance requirements for protecting the privacy of individuals whose data is collected, used, consulted, or otherwise processed:
- Accountability
- Accuracy
- Data minimization
- Integrity and confidentiality
- Lawfulness, fairness, and transparency
- Purpose limitation
- Storage limitation
What is required for GDPR compliance?
GDPR compliance is considered one of the most difficult to achieve and maintain; the law is widely regarded as the most stringent security and privacy directive in the world, with the full text containing 99 individual articles. Following are the main GDPR compliance requirements to provide a sense of the scope and scale of the law.
Accountability requirements
Organizations that process personal data are required to have data controllers who can demonstrate GDPR compliance.
Accuracy requirements
GDPR compliance requires organizations to take reasonable steps to make sure that data subjects’ information is accurate. While no specific requirements are dictated, there must be a consideration for the circumstances, the type of personal data being processed, and the reason that it is being used.
To meet this requirement, an assessment is needed to determine how important the personal data is. As its importance increases, the measures taken to assure accuracy should as well. As part of the accuracy requirement, GDPR compliance mandates that procedures are in place to allow data subjects to have personal information updated at their request.
Consent requirements
Contrary to popular belief, GDPR compliance does not require the consent of data subjects to process their information. It is one of six lawful bases for processing data subject’s information and is usually sought if one of the other five is not applicable.
However, if consent is used as a basis for GDPR compliance, organizations must abide by several rules, including:
- Children under 13 can only give consent with permission from their parents.
- Consent must be “freely given, specific, informed, and unambiguous.” Users must actively grant consent rather than the organization utilizing pre-ticked boxes giving consent.
- Data subjects may withdraw previously given consent at any time. (It is important to note that if consent is withdrawn, organizations cannot replace it with one of the other five legal reasons for processing the data subject’s information.)
- Documentary evidence of consent must be retained.
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
Data protection impact assessment requirements
GDPR compliance includes identifying and minimizing risk in data processing using data protection impact assessments (DPIAs). Article 35 introduces the concept of DPIAs, a GDPR compliance requirement when data processing “is likely to result in a high risk to the rights and freedoms of natural persons.”
In the context of GDPR compliance, high risk refers to:
- Special category or criminal offense data on a large scale
- Systematic and extensive profiling
- Systematic monitoring of publicly accessible places on a large scale
Data subject rights requirements
GDPR compliance must take into account eight data subject rights.
- The right to be informed
Organizations must inform data subjects, concisely and in plain language, about what information is being collected, how it is being used, how long it will be retained, and whether it will be shared with any third parties. - The right of access
Data subjects can request that organizations provide a copy of any stored personal data and receive this information within a month, with some exceptions. - The right to rectification
Data subjects can request that their information be updated if it is found that the data is inaccurate or incomplete. This must be done within a month, with some exceptions. - The right to erasure
Under certain circumstances, data subjects can request that an organization erase their data, such as if the data is no longer necessary, the data was unlawfully processed, or it no longer meets the lawful ground for which it was collected. - The right to restrict processing
When a data subject no longer uses the product or service for which their data was initially collected, they can request that it be erased. If the organization makes the case that it is required (e.g., to establish, exercise, or defend a legal claim), restrictions can be placed on how the data is used. - The right to data portability
Data subjects’ information should be accessible in a standard format so that it is usable across different services. - The right to object
Even if an organization processes personal data using legitimate interest or the performance of a task in the interest of official authority as their lawful basis, data subjects have the right to object to the processing. - Rights related to automated decision-making, including profiling
Limitations are placed on using data subjects’ information for automated decision-making, such as profiling and other applications of artificial intelligence and machine learning.
Data transfer requirements
The rules for data transfers vary depending on where data is moved. Basic GDPR data and privacy protections are acceptable if a data subject’s information is transferred within the EU.
However, data may only be transferred to a third party or international organization if the processing organization “has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
Integrity and confidentiality requirements
Data processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality to meet GDPR compliance requirements. The level of security controls should be commensurate with the impact of a data breach on a data subject.
Data protections are required to prevent data being processed from being compromised accidentally or deliberately. Only authorized users should be able to access, alter, disclose, or delete data subjects’ information.
Lawful, fair, and transparent processing requirements
Processing must be lawful, fair, and transparent to the data subject. One of six lawful reasons for data processing must be met to ensure GDPR compliance.
While data processing does not need to be essential, there should be a specific purpose for processing a data subject’s information:
- Express consent of the data subject must have been obtained.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject.
- Processing is necessary to protect the vital interests of a data subject or another person.
To ensure transparency, organizations should create privacy notices and make them easily accessible to data subjects.
Limitation of purpose, data, and storage requirements
GDPR compliance requires organizations to have a legitimate reason for processing data subjects’ information and explicitly state it to a data subject at the time of collection. When the data is no longer needed, it must be deleted. There are exceptions for data processing done for archiving purposes in the public interest and for scientific, historical, or statistical purposes.
Personal data breach notification requirements
In the event of a data breach, there are very specific requirements for GDPR compliance. One of the most important is related to a data breach that involves personal information being compromised and people potentially being put at risk.
In this case, the organization must report the incident within 72 hours of being identified. Subsequently, there is a process to assess what happened to the data and the implications for the data subjects.
Article 4, Section 12 defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthori[z]ed disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This means a personal data breach goes beyond a cyber criminal’s attack and includes accidental insiders who mistakenly compromise a data subject’s information.
Privacy by design and default requirements
To meet the GDPR compliance requirements for privacy by design and by default, an organization must begin the development of its data processing program with security embedded rather than added later. This means building in the appropriate technical and organizational data protection measures along with those needed to protect a data subject’s privacy rights.
Security awareness training requirements
Staff security awareness training is mandatory for GDPR compliance. Anyone who handles personal data or is responsible for overseeing data protection practices must be educated about their responsibilities, the threats that target personal data, and the rights of data subjects. Security awareness training should also cover privacy by design and by default and DPIAs.
Storage limitation requirements
Organizations must have retention policies and schedules that define how long data subjects’ information will be stored to meet GDPR compliance requirements. This retention period should be only as long as the data is needed.
Systems must be in place to ensure that data is deleted or anonymized when it reaches the end of its defined period of usage. In addition, there must be a process for early deletion (e.g., if a request is made by a data subject or if the data is no longer being used).
Who is required to comply with the GDPR?
GDPR compliance is required for any organization that processes the personal data of an EU citizen. Regardless of where the organization is located, GDPR compliance is required if the organization:
- Monitors the behavior of an EU citizen, such as tracking cookies or IP (internet protocol) addresses
- Offers goods and services to an EU citizen from its website
What rights do users have under the GDPR?
GDPR compliance establishes rights for data subjects along with obligations for organizations processing their personal data. Following is a summary of the data subject rights that the GDPR enforces.
The right of access
Organizations must make it easy for users to access their personal data to maintain GDPR compliance. Individuals should be able to request a copy of the personal data that an organization holds and receive a copy of along with any supplementary information, such as the purposes of the processing and the data retention period. This information must be delivered within one month of the date of the request, with a few exceptions.
The right to data portability
GDPR compliance requires that a data subject be able to transfer their personal data from one service provider to another. This right gives data subjects more control over their data and more freedom when moving between service providers, such as to get better service or pricing.
The right to erasure
Also known as the right to be forgotten, this GDPR compliance mandate allows data subjects to request that organizations erase any personal data they have collected. Some exemptions to this right are situations where there is a legal obligation to hold it and where it is used in a task that is carried out for the public interest. A request for erasure must be responded to within a month of the request.
The right to be informed
To adhere to GDPR compliance requirements, organizations must ensure that data subjects have clear information about what an organization does with their personal data. The requirements vary depending on whether a business collects personal data directly from the individual or obtains it from another source.
- If collected directly from a data subject, the organization is required to provide the personal information.
- If collected from a third-party source, the organization only has to inform that data subject about the source, rather than provide the personal information.
The right to rectification
GDPR compliance requirements mandate that if an organization receives a request for rectification, it is obliged to take reasonable steps to confirm that the data is correct or correct it. Organizations have one month from the time of receipt to comply with the request.
Rights in relation to automated decision-making and profiling
Automated decision-making is a process that does not have human involvement, such as profiling and making judgments about aspects of an individual. Automated decision-making can only be used in three situations:
- Data subjects are given information about the processing
- A data subject can easily request human intervention or challenge a decision
- Regular checks are performed to ensure that the system is working as intended
The right to restrict processing
GDPR compliance requires that organizations must have the clear consent of a data subject to process their personal data. The process of gaining consent must be transparent and easily accessible. Data subjects also have the right to the need for an individual’s explicit consent to the processing of his or her personal data and the extent of that processing.
What penalties exist for non-compliance with GDPR?
Failing to meet the criteria for GDPR compliance comes with heavy fines, which vary based on the severity of the infringement. There are two tiers of fines for not meeting GDPR compliance requirements. In addition to fines, GDPR gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of failing to meet GDPR compliance requirements.
Tier One fines
A fine of up to €10 million, or 2% of the organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher, is imposed when there is a violation of rules related to:
- Certification bodies (Articles 42 and 43)
- Controllers and processors (Articles 8, 11, 25-39, 42, and 43)
- Monitoring bodies (Article 41)
Tier Two fines
A fine of up to €20 million, or 4% of the organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher, is imposed when there is a violation of rules related to:
- Any violation of member state laws adopted under Chapter IX (Chapter IX grants EU member states the ability to pass additional data protection laws as long as they are in accordance with the GDPR)
- Non-compliance with an order by a supervisory authority
- The basic principles for processing (Articles 5, 6 and 9)
- The conditions for consent (Article 7)
- The data subjects’ rights (Articles 12-22)
Fines for not meeting GDPR compliance requirements are administered by the data protection regulator in each EU country. They determine if a violation has occurred and what the penalty will be.
The following ten criteria are used to judge whether an organization has violated GDPR compliance and, if so, the associated penalty. If it is determined that the organization has multiple violations, it will be penalized for the most severe one, assuming all of the violations are part of the same processing operation.
- Gravity and nature
- How it happened
- How long it took to resolve
- The damage they suffered
- The number of people affected
- What happened
- Why it happened
- Intention
- Intentional
- Accidental
- Result of negligence
- Mitigation
- Whether the organization took actions to mitigate the damage
- How long it took to take action
- Precautionary measures
- Technical safeguards
- Organizational preparation
- History
- Any relevant previous infringements under the Data Protection Directive and the GDPR
- Compliance with past administrative corrective actions under the GDPR
- Cooperation with the supervisory authority
- To discover the violation
- To remedy the violation
- Data category
- The type of personal data affected
- Notification
- The firm proactively reported the incident
- The incident was reported by a third-party
- Certification
- Whether the firm followed approved codes of conduct
- Whether the firm was previously certified
- Aggravating / mitigating factors
- Financial benefits gained
- Losses avoided
What is the relationship between the GDPR and data breaches?
To adhere to GDPR compliance requirements, organizations must report a personal data breach to the regulator if it is likely to result in a “risk to the rights and freedoms of data subjects.” According to GDPR compliance rules, there are three types of personal data breaches, and data breaches may fall into all three categories.
- Confidentiality breach—an unauthorized or accidental disclosure of or access to personal data
- Availability breach—an accidental or loss of access to or destruction of personal data
- Integrity breach—an unauthorized or accidental alteration of personal data
GDPR compliance requires organizations to report a security breach that affects personal data to a Data Protection Authority (DPA) within 72 hours of becoming aware.
What is a Data Subject Access Request?
A data subject access request (DSAR) is an individual’s request to access their personal data that a company has processed as well as:
- Categories of personal data the organization is processing
- The data retention period
- Information about automated decision-making (e.g., profiling)
- Information about their GDPR rights
- The purpose of personal data processing
- The source of data (i.e., if the data is not collected from the data subject)
- Third parties with whom the organization is sharing personal data
What is a data protection officer?
A data protection officer (DPO) is responsible for ensuring that an organization adheres to GDPR compliance requirements. In larger organizations, the DPO function is handled by multiple people or a full department.
The role of the DPO is to:
- Act as the point of contact between the organization and its supervisory authority
- Advise staff on their data protection responsibilities
- Approve workflows for how data to be accessed
- Define how retained data is anonymized
- Establish defendable retention periods for personal data
- Help management decide whether DPIAs (data protection impact assessments) are necessary
- Monitor all these systems to ensure they work to protect private customer data
- Oversee data protection policies and procedures
- Serve as a point of contact for data subjects
Note that not every organization needs to adhere to GDPR compliance rules. A DPO should be appointed when the organization has:
- Activities that are large-scale processing of special categories of data listed under Articles 9 and 10 of the GDPR
- Core activities that require it to monitor data subjects systematically and regularly on a large scale
- Public authority other than a court acting in a judicial capacity
Take GDPR compliance requirements seriously
GDPR compliance is not something to be taken lightly. The penalties just from regulators are high. On top of this, individuals can and do pursue additional compensation and are regularly awarded it. Although GDPR compliance requires effort, it also helps bolster overall security, which benefits organizations.