GDPR compliance — what is it and are you fully compliant?
GDPR stands for the General Data Protection Regulation and was passed by the European Parliament, the Council of the European Union and the European Commission in April 2016. In the United Kingdom, it replaced the Data Protection Directive and superseded the Data Protection Act of 1998. As one of the largest data protection laws passed globally, GDPR doesn't just affect EU citizens and EU corporations. The law became compulsory on May 25, 2018, meaning all persons inside the European Union now have the right to know how their data is controlled, not just within the EU but globally. For corporations and organizations that do business in the EU or have customers in the EU, the law sets up numerous regulations that not only reprimand those who do not abide by them, but also enforce strict monetary penalties, both upon individuals such as board directors and upon corporations.
Whether you are a citizen of the European Union, someone with plans to travel in the EU, a corporation or entity located in the EU, or a board member of a company that serves EU customers or a global entity, it is likely that GDPR and its laws on data protection will affect you directly in some way. With 99 articles that outline numerous core tenets of data protection and the responsibilities of organizations of any size that store any kind of data, many businesses are still trying to get their heads around the regulation two years after its official implementation. This GDPR guide will help you and your organization stay GDPR compliant, and avoid the massive personal fines and organizational restrictions that those who resist it can accrue.
What Is the Data Protection Law?
Before GDPR, the Data Protection Act of 1998 was a United Kingdom Act of Parliament that was modeled after the EU Data Protection Directive of 1995. Affecting corporation or company use rather than personal use, the data protection act fell into eight areas of protection with various exemptions.
The primary relevance of the act was the creation of a clear definition of personal data, defined in this act as any data that can identify a singular individual in any manner. The act also outlined that individuals have the right to Subject Access Requests (for a fee) from any organization that holds data on that individual.
The complications of the act derived from its unwieldy size. As it was a large and complex law, many organizations were unsure of what its aims or primary principles were. The enforcement of the Data Protection Act was also challenging, as it did not extend throughout the full European Union, or hold global entities responsible, and had fewer protections on personal data than on sensitive personal data. With the expansion of the Internet and the advent of cloud-based technologies, enforcement for data centers outside of the U.K. became equally problematic.
A primary goal of the General Data Protection Regulation was to override the Data Protection Act of 1998 to create a simpler law with stricter enforcement and a global reach.
What is GDPR?
GDPR is, like the Data Protection Act before it, an act that seeks to strengthen the data protection of individuals. GDPR encompasses the full European Union and addresses personal data outside of the borders of the EU. The full scope of the GDPR covers not just data subjects of entities within the EU, but also any processor (cloud-based or otherwise) that is based in the EU. For example, a United States-based company with a client in the EU is just as liable for a breach of data as an organization physically located in the EU.
The EU says that GDPR was designed to 'harmonize' data privacy laws across its 27 member countries, as well as providing greater rights and protection for individuals within these states. After all, it was created following public attitudes over privacy. Although the EU Data Protection Directive was previously in place, it was seriously out of date and did not account for the internet and how many organizations collect, store and transfer data in the modern age.
The Seven Principles of GDPR
GDPR sets out seven key principles. These include:
- Lawfulness, fairness and transparency: Organizations must be clear about the data and how it's going to be collected.
- Purpose limitation: Organizations must have a 'legitimate' reason for collecting and processing personal data. Once collected, it must not be utilized for any other purposes unless consent was gained.
- Data minimization: Data must be 'adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed.' In layman's terms, this means that data shouldn't be collected for the sake of it but instead should only be stored for a specific purpose.
- Accuracy: All data must be fit for purpose and up to date, meaning organizations should regularly review the data they have on file. Individuals can also have their say on the accuracy, and if they request that inaccurate or incomplete data be erased or rectified, this has to be addressed within 30 days.
- Storage limitation: The GDPR does not state how long you can keep personal data but if you no longer need it for the same purpose for which it was originally obtained, it should be deleted unless new permissions are granted.
- Integrity and confidentiality: Dealing exclusively with security, this principle focuses on protecting the data you hold, ensuring all appropriate measures are in place to do so. This includes protection from external cybersecurity threats too, such as phishing, malware, or data theft, to name a few. Poor security could impact your GDPR compliance.
- Accountability: A principle introduced under GDPR specifically, the accountability principle states that organizations must take responsibility for the data they hold and demonstrate their compliance with the six previously mentioned principles.
It's advised that these principles should be at the heart of an organization's approach to data.
What Is Involved in GDPR Compliance?
Individuals have the right to know how their data is handled, stored and regulated. The onus of keeping track of data is no longer on the data subject but on the data processor (the organization or representative of an organization capturing or storing data).
To this end, GDPR requires that each data processor has a Data Protection Manager (also referred to as a Data Protection Officer). The primary responsibility of the Data Protection Manager is similar to a Compliance Officer and is expected to manage all data within an organization, including but not limited to: IT processes, information privacy issues, data storage and protection, cyberattacks, breaches of data protection and both personal and sensitive data.
GDPR looks to achieve a 'Digital Single Market', insomuch as all EU members will follow the regulation. Each member of the EU has been responsible for creating its own Independent Supervisory Authority to serve as a regulatory unit for complaints, concerns, and enforcement. Similarly, a company has a 'one-stop-shop' that is responsible for supervising all of its behavior under the regulation, no matter how many locations it has within the EU. This serves to limit the confusion between different laws in various countries within the EU, and on the consumer side as well.
What Is Sensitive Personal Data and What Is Meant by Personal Data?
GDPR allows regulators the opportunity to refine and modernize the definitions of data as it relates to an individual. Both sensitive and personal data are protected by GDPR, though higher fines are accrued for breach of data protection as it relates to sensitive personal data.
Personal data is any data that relates to a living individual that can assist in the identification of the individual. For example, phone numbers, addresses of current or former domiciles, email addresses, or digital data like non-anonymized cookies or IP addresses. Sensitive personal data is a specific type of personal data that includes any details of one's race, ethnicity, political affiliations, health biometrics, sex life or criminal records.
How Does GDPR Affect Me?
As an individual, the General Data Protection Regulation gives you distinct rights when it comes to any personal data. Some of these rights include:
- 'The Right to Be Forgotten', also referred to as the Right to Erasure, allows an individual to request that a company remove all data that it has stored on that data subject. The individual can decide on the scope of that data.
- Additionally, an individual can ask that their email is removed from mailing lists or complete removal of all their data from the server. An organization is responsible for illustrating that it has complied with such a request.
- Personal data must be protected by default. An example of this is pseudonymization (also referred to as data masking), which removes any links that can trace the information back to the individual data subject. For example, a credit card number contains 16 digits. Masking the data keeps the 16-digit format but changes the digits so that the original credit card number cannot be recovered.
- Notification for a breach of data protection: If the Data Controller is aware of a breach of data protection that compromises personal data, they have 72 hours (when feasible) to alert the data subject. If they are unable to notify a data subject within that window of time, they must provide credible and substantive reasons as to why they did not notify in the allocated window of time.
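One way to implement the format-preserving masking just described, as an added example that is not code from the original article: a keyed HMAC maps a 16-digit card number to a different 16-digit token that is deterministic for a given key, cannot be reversed, and is deliberately made to fail the Luhn check so it can never be mistaken for a real card. The demo key, the `pseudonymize_card` and `pseudonymize_records` helpers and the sample records are all assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption). In a real deployment the key lives in a
# secrets manager or HSM and is never checked into source control.
DEMO_KEY = b"demo-pseudonymisation-key-not-for-production"

PAN_RE = re.compile(r"\d{16}")


def luhn_valid(number: str) -> bool:
    """Standard Luhn check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pseudonymize_card(pan: str, key: bytes = DEMO_KEY) -> str:
    """Replace a 16-digit card number with a different 16-digit token.

    Properties that matter for GDPR-style pseudonymisation:
      * deterministic for a given key, so the same card maps to the same token
        and records can still be joined without storing the real number;
      * one-way: the token comes from a keyed HMAC, so it cannot be turned back
        into the card number, and whoever holds only the masked data set
        cannot recompute the mapping without the key;
      * format-preserving (still 16 digits) so downstream systems keep working;
      * deliberately fails the Luhn check, so a token can never be mistaken
        for, or used as, a real card number.
    """
    if not PAN_RE.fullmatch(pan):
        raise ValueError("expected exactly 16 digits")
    counter = 0
    while True:
        msg = pan.encode("ascii") + counter.to_bytes(4, "big")
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        token = f"{int.from_bytes(digest, 'big') % 10**16:016d}"
        if luhn_valid(token):
            # Bumping the rightmost digit by one shifts the Luhn sum by exactly
            # 1 mod 10, so the token is guaranteed to fail the check.
            token = token[:-1] + str((int(token[-1]) + 1) % 10)
        if token != pan:
            return token
        counter += 1   # practically unreachable, but keeps the guarantee


def pseudonymize_records(records: list, key: bytes = DEMO_KEY) -> list:
    """Mask the 'card' field of each record; every other field passes through."""
    return [{**r, "card": pseudonymize_card(r["card"], key)} for r in records]


if __name__ == "__main__":
    # Constructed sample data: a well-known test PAN, not a real customer card.
    sample = [{"customer": "alice", "card": "4111111111111111"},
              {"customer": "bob", "card": "4111111111111111"}]
    for row in pseudonymize_records(sample):
        print(row["customer"], row["card"], "luhn_valid:", luhn_valid(row["card"]))
```

Because the mapping is keyed, the masked data set on its own carries no way back to the original numbers; losing only the masked set is therefore a far smaller incident than losing the raw card numbers, which is exactly the risk reduction the "protected by default" principle is after. Rotating the key produces a fresh, unrelated set of tokens.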
How Does Data Protection Affect My Board?
GDPR changes the responsibilities of the board of directors immensely when it comes to data protection and information privacy. The primary step involves appointing a Data Protection Manager (also referred to as a Data Protection Officer). Numerous experts feel that this should be a board-level position. However, finding someone with the unique skillset to mitigate risk and effectively manage and maintain compliance and legal issues is not an easy task. This is why many business leaders are turning to compliance software to help complete internal audits and identify any gaps as part of their risk management strategy.
The board of directors also plays a role in data protection that can create personal and company-wide liabilities. If the board of directors or an individual board member is found to be at fault in a breach of data protection, criminal charges may be pressed. Even beyond criminal actions, the board of directors or the organization itself may take other actions, such as termination of a director, due to fault in protecting personal data.
How Does GDPR Affect My Company?
The General Data Protection Regulation affects your company if you collect, retain or have ever collected data and any of the following are true:
- You have customers, current or former, residing within the EU.
- You have locations or entities located in the EU.
- You house any data within the EU.
- You have any customer or employee who has traveled in the EU. This particular regulation of GDPR protects those who may be traveling through the EU but are not EU citizens, whether the travel is for business, pleasure or country (in the case of the military).
- In broad terms, your organization or company is the controller of data. As controller, you may use any number of processors to collect, modify, or store data (for example, a payroll company for your employee salaries or a cloud-based technology company that manages your servers).
Are There Any Other Privacy Laws Like GDPR?
Other nations across the world have recognized the need for greater, more modern regulation around data privacy. Currently, there are six other countries globally that have implemented privacy laws similar to GDPR. Stricter privacy laws are appearing more frequently and are more likely to become the norm for economies across the globe meaning that ongoing compliance will be expected. These six countries include:
- Australia: Similar to the EU's GDPR, the Privacy Amendment (Notifiable Data Breaches) came into force in 2018. It means that any organization with a turnover of over 3 million Australian Dollars will need to disclose data breaches within 30 days or risk fines of up to 1.8 million Australian Dollars.
- Brazil: Officially introduced in 2020, Brazil's Lei Geral de Proteção de Dados (LGPD) attempts to unify the over 40 different statutes that currently govern personal data. It has several similarities to the GDPR, including its approach to personal data and data subject rights.
- Japan: Having recently been amended in May 2017, Japan's Act on Protection of Personal Information applies to both foreign and domestic companies that process the data of Japanese citizens. Further amendments are expected to come into effect by 2022 to ensure its continued relevance.
- South Korea: As the longest-standing privacy act in this list, South Korea's Personal Information Protection Act has been in effect since 2011. It includes regulation around data consent, the scope of applicable data, and limitations around justification.
- Thailand: The Thailand Personal Data Protection Act (PDPA) came into effect in May 2020. Similar to the GDPR, it has a very broad definition of personal data as well as the requirement to establish a legal basis for the collection of said data. According to the Data Protection Report, a violation of PDPA could result in 'civil liability, criminal liability, and administrative fines.'
- USA: Every state has its own data privacy laws, the strictest being the California Consumer Privacy Act (CCPA), which came into force on January 1st, 2020. It states that businesses must use 'reasonable security procedures and practices' to protect personal information, or risk legal action should a customer's data become exposed in a breach.
Failure to Comply
With GDPR in place for over two years, awareness and compliance are still not where they should be. Despite its official introduction, only 69% of people in EU member states are aware of GDPR. This may then help to explain why, in the first 20 months of GDPR, approximately $135 million in fines were issued. Digital heavyweight Google alone has been subject to several violations, totaling approximately $68.4 million, with cases filed in Belgium, Sweden and France. But Google is not alone. Research in September 2019 highlighted that only one in three businesses are fully GDPR compliant, with 36% believing that the requirements of GDPR are too complex or difficult to implement.
Yet despite the ongoing confusion, GDPR levies heavy financial penalties both for non-compliance and for a breach of data protection. For businesses that fail to comply, there are two tiers of administrative fines that can be issued: up to €10 million or 2% of annual global turnover, whichever is higher, or up to €20 million or 4% of annual global turnover. The fines are based on the specific articles of the regulation that the organization has breached. According to IT Governance EU, 'Infringements of the organization's obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual's privacy rights will be subject to the higher level.'
How Can I Ensure My Company Is Fully GDPR-Compliant?
Due to the significant fines we're continuing to see, it would be futile and detrimental to your business to disregard the importance of GDPR. However, compliance is fully achievable if you put the right processes in place, and in 2019, a McKinsey report summarized three key areas that need particular attention across all sectors: security controls, data management and automation. So, what should be on your GDPR checklist?
- Data encryption: If your organization falls victim to a data breach, any unencrypted data will be readily available to anyone who understands how to access it. This may not be a specific requirement of GDPR, but it's a legitimate and effective way to protect business data. If you store data in the cloud instead of on your premises, it can be accessed from multiple locations, so you need both at-rest encryption, which protects stored data on the server side and the client side, and in-transit encryption, which protects data while it is moving. Make sure that the data can only be accessed by those who absolutely need to.
- Proactiveness: Prevention is better than cure and we know that GDPR compliance requires ongoing commitment. Continuously monitor your data, evaluate any cybersecurity vulnerabilities, and implement good cyber hygiene practices to reduce the risk of a breach.
- Relevant data only: GDPR regulates all data that is identifiable (we've listed the full list higher in this blog). Ensure that you are holding only the data your organization needs and delete any that may no longer be serving a purpose.
- A security-first culture: Contrary to what some may lead you to believe, GDPR is not solely the responsibility of your IT or marketing departments. It will have an impact on a broader spectrum of departments, and they must all have an understanding of GDPR, what it is, and the steps that need to be implemented to put security first. Invest in training and ensure that data protection is at the forefront of conversations across the board.
- A knowledge of responsibilities: Knowledge is power, and the more you know about your compliance responsibilities, the better. All parties who are responsible for handling data are bound by the GDPR. Whether you're a data controller, a data processor, or a data protection officer, the GDPR clearly defines your responsibility.
Are You a Data Processor or Data Controller?
A data controller determines the purpose and means by which data is processed. For this reason, controllers are subject to several requirements under EU law and must: notify the relevant national authority before carrying out any data processing; comply with EU data protection laws; implement strategies or processes to protect personal data; provide information about the data they hold; and formally enter into agreements with processors that give clear instructions on how the data is expected to be used.
A data processor is usually a third, external party that processes personal data on behalf of the controller. Processors are typically subject to fewer obligations under the law (previously they could avoid all direct liability), but they now do have a level of responsibility, including: maintaining a record of all processing; implementing security measures; informing the controller of any data breach; and appointing a new data protection officer if the right criteria are not met.
It's critical to understand what category your business or role falls under to fully comply with the GDPR.
GDPR brings with it many additional considerations beyond the day-to-day running of a business, and failure to comply can result not only in financial penalties; the wider reputational impact of non-compliance can have an even bigger effect on an organization. However, compliance management is easier than you think. By making the most of technology and using compliance software like ours to undertake internal audits, you will not only save time and money, but you will also be able to identify any gaps and mitigate any potential risks quickly.
Don't get caught out. Our compliance software, Diligent Compliance, can highlight and identify gaps in GDPR compliance across your entire organization, and suggest remedial improvements so that your organization is audit-ready, always. Book a demo now and mitigate any potential risks.