GDPR: A Beginner's Guide
There’s a growing number of security standards in the industry today that companies must keep track of. Some of these are optional industry frameworks, like SOC 2 and ISO 27001, while others are regional, state, or international regulations which organizations are required to comply with. The General Data Protection Regulation law, or GDPR, is considered to be one of the most significant privacy regulations passed in decades. In the first half of 2022 alone, companies were fined over €97.29 million—Meta (formerly Facebook) was fined $400 million in September 2022 for its treatment of children’s data on Instagram, the second highest GDPR fine to date.
This has all left many wondering how it affects their company, especially those not located in the European Union.
We’ve compiled all of the information you need to get and stay compliant.
What is GDPR?
The General Data Protection Regulation was passed by the European Union in 2016 with a goal to regulate how organizations collect, handle, and protect personal data of EU residents.
The regulation was put in place in an effort to:
Consolidate privacy laws from the 28 individual EU member state laws to one unifying regulation.
Establish and protect the fundamental privacy rights of individuals.
Institute necessary updates to privacy laws based on the vast technological changes that have affected personal data.
Why It Matters
GDPR established eight fundamental data subject rights, as well as the right to withdraw consent for EU residents. California Consumer Protection Act, or CCPA, is another data privacy regulation that was passed in 2018. Both nationally and internationally, there has been a growing trend to give people more visibility and control into how their data is being managed by companies. The data subject rights established through GDPR include:
Right to Access
Any individual residing in the EU retains the right to request access to their personal data, as well as how it’s being used, processed, stored, or transferred to other organizations. Companies must provide an electronic copy of the requester’s personal data upon receiving the request.
Right to Be Informed
Individuals must be notified and give informed consent—consent cannot be implied—before their data is gathered or stored.
Right to Data Portability
Individuals have the right to transfer their personal data from one service provider to another without issue, at any time. This data transfer must be available in a standard format that is machine readable.
Right to Be Forgotten
If an individual stops being affiliated with an organization, such as by no longer being a customer or by withdrawing consent to the use of their data, the organization must comply with any request to delete that data.
Right to Object
Individuals reserve the right to object to an organization’s use or processing of their data with no exceptions. All processing must cease immediately upon receiving the request.
Right to Restrict Processing
Users can request organizations to stop processing their data or stop a certain kind of processing, leaving their data in place if they choose.
Right to Object to Automated Decision Making
Individuals have the right to demand human intervention, rather than having important decisions made by algorithms.
Right to Rectification
Users can request any updates or corrections to their personal data.
Each EU country has a Data Protection Authority (DPA) that enforces GDPR on behalf of the European Union. If any of the rights listed above are violated, companies may face extensive fines, which are administered by the DPA of each EU country.
There are two tiers of GDPR fines:
Less severe infringements can result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
More serious infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Violating GDPR can cause companies significant liabilities beyond financial means, including a loss of trust from customers and a damaged reputation.
Who does GDPR apply to?
GDPR applies to organizations of any size, from startups to massive enterprises.
Your company may need to comply with GDPR in two situations. The first is if it processes personal data and has a location in the EU—even if the data is not processed at that branch. The second applies even if your company is not located in the EU at all: if it collects or processes the data of individuals within the EU.
As GDPR is considered to be one of the strictest privacy regulations in the world, there are a number of obligations businesses must comply with. These obligations fall into four categories, listed below along with their accompanying tasks.
Lawful Basis and Transparency
Companies with at least 250 employees, or those that conduct high-risk data processing, are required to keep a current and detailed list of their processing activities and present that list to regulators upon request. Even if your company has fewer than 250 employees and doesn’t conduct high-risk processing, such as processing the special categories of personal data defined by GDPR, completing this list will still make complying with other GDPR requirements easier.
This list should include:
The purposes of the processing.
What kind of data you process.
Who has access to data in your organization.
Any third parties (and where they are located) that have access and when that access was granted.
What you're doing to protect the data (e.g. encryption).
When you plan to erase it (if possible).
Companies must take data protection into account at all times, from the moment a product starts being developed to each time data is processed. Protecting personal data is the central requirement of complying with GDPR.
You’re also required to encrypt, pseudonymize, or anonymize personal data wherever possible. Making a point of using end-to-end encryption as often as possible should become a best practice.
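The difference between pseudonymizing and anonymizing personal data is easy to get wrong in practice, so here is an added example (not code from the original post or from Drata) that shows both on a constructed customer record. Pseudonymization under GDPR means the data can still be attributed to a person, but only with additional information kept separately; here that additional information is an HMAC key and a lookup table that stay with the controller. Anonymization removes the link altogether. The record fields, the `Pseudonymizer` class and the `anonymize` helper are all assumptions made for this example.

```python
# Added example, not from the original post: GDPR-style pseudonymization and
# anonymization of a customer record. Pseudonymization (GDPR Art. 4(5)) keeps
# the data attributable to a person only with "additional information" that is
# stored separately; anonymization removes that link entirely.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (fictional people and values).
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "name": "Alice Example",
     "birth_date": "1988-04-12", "postcode": "10115", "plan": "pro", "spend_eur": 1200},
    {"customer_id": "C-1002", "email": "bob@example.com", "name": "Bob Example",
     "birth_date": "1991-11-03", "postcode": "75008", "plan": "free", "spend_eur": 0},
]

# Fields that identify a person on their own; they never leave the controller.
DIRECT_IDENTIFIERS = ("customer_id", "email", "name")


class Pseudonymizer:
    """Replaces direct identifiers with an HMAC-SHA256 pseudonym.

    The HMAC key and the lookup table are the "additional information":
    keep them in a separate store with separate access control. Without the
    key, a recipient of the output can neither reverse a pseudonym nor confirm
    a guess by recomputing it (an unkeyed SHA-256 of an email would allow that).
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._lookup: dict = {}  # pseudonym -> customer_id, controller-only

    def pseudonym(self, value: str) -> str:
        mac = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256)
        return "psn_" + mac.hexdigest()[:32]

    def pseudonymize(self, record: dict) -> dict:
        """Strip direct identifiers and attach a stable pseudonym so rows for
        the same person can still be joined within this data set."""
        psn = self.pseudonym(record["customer_id"])
        self._lookup[psn] = record["customer_id"]
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = psn
        return out

    def reidentify(self, psn: str) -> Optional[str]:
        """Only the key holder can map a pseudonym back, e.g. to answer an
        access or erasure request; a recipient holding just the output cannot."""
        return self._lookup.get(psn)


def anonymize(record: dict) -> dict:
    """Irreversible: drop identifiers and coarsen quasi-identifiers (exact
    birth date, full postcode, exact spend) so a row no longer singles out
    one person. No lookup table is kept, so there is nothing to reverse."""
    spend = record["spend_eur"]
    spend_band = "0" if spend == 0 else ("<1000" if spend < 1000 else ">=1000")
    return {
        "birth_year": record["birth_date"][:4],
        "postcode_area": record["postcode"][:2],
        "plan": record["plan"],
        "spend_band": spend_band,
    }


def unkeyed_hash_confirms_guess(email: str, stored_hash: str) -> bool:
    """Why a plain hash is not a pseudonym: anyone can test a guessed email
    against the stored value, no secret required."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest() == stored_hash


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this apart from the pseudonymized data
    p = Pseudonymizer(key)
    for rec in CUSTOMER_RECORDS:
        print("pseudonymized:", p.pseudonymize(rec))
        print("anonymized:   ", anonymize(rec))
```

The pseudonymized output can be handed to an analytics team or a processor without the key; the controller keeps the key and lookup table to satisfy access, rectification and erasure requests. The anonymized output has no such path back, which is why anonymization, not pseudonymization, is what takes data out of GDPR's scope.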
Create an internal security policy for your team members, and build awareness about data protection. This should include training around password creation, email security, VPNs, and more.
Conduct a data protection impact assessment, or a privacy impact assessment, to understand how your product or service can leave your customers’ data vulnerable. A DPIA should also be conducted when you launch a new product or service. Being aware of these issues can help you to minimize these risks and keep your customers’ data safe.
As GDPR requires that DPAs be notified within 72 hours of a data breach, having a process in place to alert necessary authorities and users will keep you from scrambling to do it in the moment.
Accountability and Governance
Assigning someone to be responsible for GDPR compliance across your company streamlines the process. They will be your company's source of truth for what needs to be done and responsible for setting up the systems that ensure compliance. Keeping your vendors accountable for their role in securing your customers’ data is crucial to a holistic approach to security; signing a data processing agreement between your company and any third party that processes personal data on your behalf is how that accountability is established.
It’s also crucial to appoint a representative within one of the EU member states if your company is outside of the EU.
Complying with the fundamental data privacy rights described above essentially means businesses must make it easy for individuals to use those rights. They should be able to have clear visibility into what their data is being used for, get access to it, request deletion without issue, and utilize their other rights with ease.
We’ve broken down the steps to get you started on your GDPR compliance journey.
Start by evaluating where and how your company processes and stores Personal Data. Be sure to consider different personas such as:
Marketing and sales prospects
Examine what your legal counsel or legal function looks like today. Since GDPR is a regulation, you’ll want to implement GDPR alongside your legal function.
If you don’t have a data protection officer, delegate the responsibility to someone in your company. You can find out more about the requirements of a DPO
Determine if your organization needs a
Review or create your product terms of service and customer-facing data processing agreement (DPA) to address privacy with customers.
Create a vendor-facing DPA to get in place with your sub-processors, or ask your sub-processors for their DPA. Sub-processors are third-party vendors who will have access to personal data as part of your company’s service offering. The best place to start is to answer the question: Where does our user data go as part of their use of the service?
Complete two key records of processing activities (ROPA) documents: one for your core application and one for the sub-processors involved in providing it. This is more formal documentation that builds on the question asked in step seven above (where does our user data go?). Be sure to consider any processing of data the GDPR considers sensitive; processing sensitive data requires a few additional protections.
Ensure you have a method for individuals to exercise their privacy rights, such as setting up and monitoring a dedicated email inbox at your company’s domain. You should establish a process for handling data subject requests that come to this inbox, such as ‘Delete My Data.’ GDPR gives you 30 days to fulfill these requests.
to centrally track all activities, processes, and documentation you’ve developed to comply with GDPR.
Despite having only been around for a few years, GDPR has been making a substantial impact on how companies approach data privacy. We go into more detail with some frequently asked questions like who GDPR protects, what data is included, and more.
What Are Some Fines the EU Has Imposed on Companies?
Given the way fines are determined with GDPR violations, there have been some hefty sums imposed in the last few years since it passed. Instagram has been issued a fine of €405 million for how it handled the accounts of underage users when the default settings on the app left the contact information of users between the age of 13 and 17 public.
In 2020, Marriott was dealt a fine of £18.4 million for failing to keep users’ data secure after a cyberattack in 2014 that was not discovered until 2018.
Within days of the Marriott penalty, the UK Information Commissioner’s Office (ICO) handed British Airways a £20 million GDPR fine for its failure to identify and resolve the security weaknesses that led to the 2018 cyberattack, which compromised the data of almost 430,000 customers.
What Are the Seven Principles of GDPR?
GDPR provides seven guiding principles on data processing practices; they include:
Lawfulness, fairness, and transparency
Integrity and confidentiality (security)
Who Does GDPR Protect?
While there’s some confusion and misconceptions on whether GDPR protects EU citizens or not, GDPR actually extends to EU residents. For example, a US citizen traveling to the EU is protected by the GDPR while in the EU. However, an EU citizen traveling to the US would not be protected by the GDPR if their personal data was collected while they were in the US.
What Data is Covered by GDPR?
Data covered by GDPR is anything that can be directly or indirectly used to identify a person. This can include:
After reading up on GDPR, you know there is a lot to do to become compliant. Having one platform to manage it all—tracking your vendors’ compliance posture, implementing a variety of controls, assessing the risks to your organization, and much more—is what Drata was made for. Customers have access to our dedicated team of compliance experts for support and counsel.
Whether you’re adding another standard under your belt or just starting your compliance journey, Drata’s compliance automation platform is just what you need to streamline the process. Learn more about how to get started.