Protection of personal data isn’t a novelty idea. European Union citizens have had a Data Protection Directive since 1995. It aimed to protect people’s right to privacy. However, there was a caveat — it was formulated as a directive.
In principle, EU member countries could take this as a recommendation and customize laws around it, with varying degrees of strictness. While most member states enacted their legislation based on this directive, the result was a variety of interpretations.
The General Data Protection Regulation (GDPR) came as a replacement for the Data Protection Directive. As a regulation, it was enforceable in all member countries, unifying the legal requirements across all member states.
If your company is doing business in the EU, it’s subject to GDPR. Our guide breaks it down for you into an easily understandable checklist.
What is GDPR compliance?
GDPR sets a standard for EU citizens’ rights regarding their data. This framework also redefines the definition of personal data as “any data that could be used to identify a person.” It’s a much broader definition that includes:
Name, address, and phone number
IP address, cookie data, and device IDs
Under this expanded definition, GDPR also outlines stricter conditions for said data collection and enforces its protection requirements. It also emphasizes highly sensitive data categories like sexual orientation, race, and biometric data requiring even greater protection. Therefore, organizations are tasked to ensure compliance with the standards set in place, protect data privacy and respect the rights of data owners. Non-compliance can bring harsh financial penalties, making it in each business’s interest to thoroughly follow the regulation’s requirements.
Why is GDPR compliance important?
GDPR requires organizations to diligently protect personal data and provide proof that its standards are followed. Consent plays a significant role in how EU citizens’ data can be gathered, which puts constraints on company data collection. In each instance, the person should be informed about the scope of the collection and a choice of opting out. GDPR compliance also requires greater transparency regarding data storage, usage, and access rights.
It’s a completely different approach to how data collection was handled in Data Protection Directive days. Under GDPR, greater data collection transparency becomes central and is at the forefront of most key business decisions. Businesses are required by law to review their data protection policies and use various tools to ensure that they are following the regulations.
Within a wider cybersecurity field, GDPR is one of the regulations pushing businesses to strive for better security and privacy practices. This has become increasingly relevant with the increasing number of online attacks and data breaches. Putting your customer’s data at risk under GDPR can have severe consequences, which is a good rough reason to look into a better cybersecurity setup.
What companies must comply with GDPR?
A common misconception is that GDPR only applies to businesses in the EU when it can apply to organizations overseas. If a non-EU business serves EU customers or collects their data, GDPR also applies to them. It’s a much more international requirement than it would seem at first glance.
GDPR also applies regardless of where the data is processed, as long as the data owners are EU citizens. This means that online stores with international shipping, digital services, and other enterprises are under GDPR’s regulations. Since most marketplaces require you to create an account, it’s enough to be included in GDPR’s watch.
An important distinction is that GDPR applies to every organization undertaking an economic activity, regardless of the legal status of the entity or the way it’s financed. Therefore, GDPR violations could apply not only to individual companies but also to natural persons and corporate entities.
The only exception applies when the company is based outside the EU and provides services only to customers outside the EU. Even if your clients travel to EU countries, GDPR won’t apply in such a case.
What happens if you violate GDPR?
Fines for GDPR violations are one of the steepest financial slaps an organization could face. For the most severe violations, the amount can reach up to 20 million euros or up to 4% of the annual worldwide turnover, whichever is greater. However, even less severe violations can ramp up fines to 10 million euros or up to 2% of the global turnover of the preceding fiscal year, following the same ruleset. This could have irreparable financial damage to an organization, from which it might not be possible to recover.
However, the regulation also states that the fines must be proportionate, taking the violation’s severity and scope into account. The framework outlines what criteria must be met to be fined specific amounts. However, additional circumstances like failure to mitigate the damage, lack of collaboration with authorities, or intentional infringement can only increase the penalties.
Offenses to the regulation can be revealed during routine inspections by official GDPR authorities. Customers can also proactively issue complaints about suspected negligence, which could drive an in-depth investigation. If you’re interested in past proceedings, you may use the GDPR enforcement tracker to read more about the violations and their amounts.
10-step GDPR compliance checklist
Before you begin taking action, please note that nothing on this page constitutes legal advice. Think of this piece as a broader overview of the matter rather than a consultation on how to be better prepared for GDPR compliance. Each business case is unique and could have specific requirements and approach to reach full regulatory compliance status. You’re better off getting in contact with the GDPR consulting agency or an attorney specializing in GDPR law. This would help you to understand better how your approach to GDPR compliance should be tailored.
1. Perform processed information assessment
The first step you would need to take is to learn what data you are currently holding on EU citizens. Given the global nature of many businesses, it’s likely that GDPR does apply to your organization. Depending on your organization’s size, you may also be required to provide official authorities with a detailed list of processing activities. It’s mandatory for organizations that have at least 250 employees.
The report should include the data’s scope, the purpose of its processing, its kinds, employees allowed to access it, involved third parties, and what’s being done to ensure its protection. The report may also include the retention period and estimated deletion date if it’s applicable.
2. Have legal justification for requested data
One of the core GDPR concepts is having legal justification for data collection. When processing data, the question always must be raised whether it’s essential to the functioning of the service. GDPR forbids excessive data collection without a legal basis.
Then, there are special provisions regarding data collection of minors and data from increased sensitivity categories. Each collection request should have a solid lawful basis for processing that could be provided along with your GDPR report. Consent is also a factor here, so your subjects also must be provided an opportunity to revoke their permission at any time.
In addition, this also applies to any third-party partners that may come into contact with your users' information. In case of a data breach, all parties involved would become jointly liable, making the responsibility of data protection a shared goal.
4. Encrypt personal data when possible
According to GDPR guidelines, data storage should also be reinforced. When storing data at rest, encryption software should be used to make it inaccessible without proper authorization. Most productivity tools now come with built-in encryption capabilities, but it’s never a bad idea to include third-party solutions. This approach should be taken in all data storage cases when feasible.
5. Create an internal security policy for your employees
Your internal security policy should ensure that your key decision-makers, staff, and stakeholders understand GDPR’s role in your business. The document should cover each team member’s responsibilities regarding data security and detail how it’s ensured across the organization. Employees that primarily handle GDPR-protected data should also be given special formal training regarding GDPR requirements and be regularly updated about its changes.
6. Have a data protection impact assessment framework
Privacy impact assessment is a central tool for high-risk data processing areas in your system. It’s a central metric for consumers’ data protection status that can be used to find solutions on how the risks could be averted.
This assessment is mandatory when organizations consider using their user’s data, potentially creating high risks. For instance, migrating the data from one storage facility to the other.
7. Have a data breach action plan
In case of a data breach that exposes EU citizens' personal information, organizations are required to notify the official Data Protection authorities within 72 hours. This applies to any breach that threatens the individual’s rights and freedom regarding their data. Having a clear action plan is extremely helpful in such emergencies and can facilitate damage control. It’s also a good idea to include the steps to how the customers will be informed about the accident.
8. Designate a person, responsible for GDPR compliance
Whether you’ll appoint a Data Protection Officer or not, you’ll need a person whose duties will include ensuring that your organization follows GDPR requirements. Having a transparent chain of responsibility will help you ensure better supervision of all compliance procedures. Note that no matter who is tasked with this role, the person should be given enough authority to be able to enact change in the company through data protection policies and their implementation.
9. Sign a data processing agreement between your organization and any third-parties
Any third-party providers that handle your subjects’ data should be brought into the same responsibility chain. Clear division between rights and obligations should be a cornerstone of each collaboration and minimize misunderstandings that could endanger customer data. Always make sure that your third-party partners are reliable and will be able to provide the necessary degree of data protection to be compliant with GDPR.
10. Ensure your customers' rights to their data
Under GDPR, people have the right to see what their data has been collected and how it’s used. There should be established channels with which customers could reach you to ask to update or delete it. Customers may also ask to withdraw their data in an easily transferable form if they want it to turn to your competitors.
All such requests should comply within a month unless they are obstructed by the grounds of freedom of speech or compliance with a legal obligation. Before accepting the requests, the person’s identity should be verified in all cases.
How can NordLayer help?
Developed with the SSE framework in mind, NordLayer is a secure remote access solution for international teams and businesses of all sizes. Easy to deploy, start and scale, it’s a hardware-free solution for companies looking into ways to plan their cybersecurity roadmap and stay in check with compliance policies and standards.
With data security and network access management at the forefront, NordLayer enhances the existing company’s IT infrastructure with cutting-edge tools and services. The Zero Trust principle designates control practices, cloud VPN service, data encryption, network segmentation, and fixed IPs within a layered security framework.
Get in touch with our team and learn more about our approach and how you could achieve better security that aligns with your business needs.
Disclaimer: This article has been prepared for general informational purposes only and does not constitute legal advice. We hope that you will find the information helpful. However, you should use the information provided in this article at your own risk and consider seeking advice on this matter from a professional counsel licensed in your state or country. The materials presented on this site may not reflect the most current legal developments or the law of the jurisdiction in which you reside. This article may be changed, improved, or updated without notice.