The EU’s General Data Protection Regulation (GDPR) is one step in the crusade to strengthen citizens’ fundamental rights in the digital age. Therefore, it’s essential for companies to abide by GDPR when handling EU and EEA citizens’ private data. Failure to do so results in severe ramifications.
The European Commission and Data Protection Authorities issued official guidelines to aid companies in GDPR compliance requirements, including but not limited to protocols for a personal data breach, the role of data protection officers, and how to execute a Data Protection Impact Assessment (DPIA). So let’s dive into these compliance requirements.
GDPR Compliance: Everything You Need to Know
The data protection reform package, which took effect May 25, 2018, set new standards for data protection, introducing rules that protect citizens’ fundamental rights and freedoms with regard to the processing and free movement of personal data. It replaced the Data Protection Directive 1995/46.
This guide will break down everything you need to know about the EU’s GDPR, including:
- The EU’s data privacy framework and requirements and permitted uses of personal data per GDPR
- An explanation of GDPR compliance requirements when processing the personal data of EU and EEA citizens, and the ramifications of failing to comply with those requirements
By the end of this blog, you’ll understand the regulations set out by the GDPR and how to implement them effectively into your business practices.
GDPR Privacy Framework Explained: Requirement Implementation
The objective of the GDPR framework is to introduce and implement rules that protect personal data and the movement of personal data, including transatlantic data transfers. The GDPR offers the following rights to EU and EEA citizens in relation to the collection of personal data:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights relating to automated profiling and decision-making
GDPR requirements primarily apply to companies that process personal data.
Personal Data: Defined
GDPR requirements only apply to the processing of “personal data,” as defined by the legislation. Per GDPR, “personal data” refers to any information relating to an identifiable EU or EEA citizen, directly or indirectly, such as name, location data, or any online identifiers that divulge the physical, physiological, genetic, mental, economic, cultural, or social status of a citizen.
This includes all personal data processed wholly or partly by automated means or any processed personal data intended for a manual filing system.
Companies must also understand the term “processing.” Processing refers to any operation or set of operations performed on personal data, whether by automated or other means. Processing comprises numerous practices, including but not limited to the collection, recording, storage, alteration, retrieval, and erasure of personal data.
The GDPR requires that businesses implement appropriate technical and organizational measures to secure the personal data they process. The seven critical provisions set by the legislation when processing sensitive information include:
- Lawfulness, fairness, and transparency – Per Article 5(1)(a), personal data must be processed in a lawful, fair, and transparent manner. In practice, businesses must:
  - Divulge why and how they plan to process personal data
  - Only collect relevant personal information that fulfills an intended purpose
  - Avoid using the data for unlawful matters
  - Process personal data only for the intended purpose
- Purpose Limitation – Per Article 5(1)(b), personal data must be collected for specific, explicit, and legitimate purposes and must not be processed in a manner that is incompatible with those purposes. In practice, businesses must:
  - Clearly state the intention of personal data collection and processing
  - Specify and document their objectives
  - Comply with transparency provisions by informing individuals of those objectives
- Data Minimization – Per Article 5(1)(c), businesses should only collect the minimum amount of personal data necessary to fulfill their objectives. Additionally, all data collected must be relevant to the intended purpose.
- Accuracy – Processed personal data must be accurate, relevant, and up to date. Companies must erase inaccurate or outdated information promptly.
- Storage Limitation – Per Article 5(1)(e), personal data that identifies the subject should not be stored longer than necessary. Once the intended purpose has been achieved, the data should be deleted or anonymized. To fulfill storage limitation requirements:
  - Implement a policy that identifies the personal data you hold and sets retention periods for its storage
  - Delete or anonymize personal data that becomes irrelevant, excessive, or inaccurate
- Integrity and Confidentiality – Personal data must be kept secure, including protection against unlawful usage and accidental loss, destruction, or damage. In practice, businesses must:
  - Implement effective anonymization and pseudonymization systems to protect the identity of data subjects
  - Consider acquiring official certification, such as ISO 27001 certification
- Accountability – There are two principles concerning accountability. The first is that your business is responsible for complying with the requirements set by GDPR. The second is that your business must demonstrate its compliance through the adoption, implementation, and documentation of data protection policies, including:
  - Written contracts with contractors and data processors
  - Documentation of your business’s data processing activities
  - The employment of a data protection officer
  - Staff and volunteer training programs about data protection
  - The implementation of data protection security measures
GDPR Compliance Explained: Protocols and Assessments
Businesses established outside of EU and EEA countries may still be subject to GDPR requirements. Consider the following principles regarding GDPR compliance:
- Principle 1 – A company based in a country outside of the European Union may have to comply with the regulation when processing the personal data of EU and EEA citizens if:
  - The company provides goods and services to citizens in the EU.
  - The company monitors the behavior of EU citizens through data processing.
- Principle 2 – The mere availability of a company’s website within the EU is an insufficient reason to subject the company to GDPR unless the company is offering goods or services in the EU.
- Principle 3 – Companies that are established outside the EU but subject to GDPR requirements must designate, in writing, an EU representative for GDPR compliance.
  - Exceptions include companies that perform only small-scale or occasional processing of non-sensitive data.
- Principle 4 – International data transfers require compliance with GDPR requirements. In support of transatlantic commerce, the EU-US Privacy Shield Framework provides a mechanism to comply with data protection rules when transferring personal data from the European Union to the United States.
Businesses must also consider their responsibilities for the personal data they are processing when determining compliance requirements. In other words, is your company a controller, joint controller, or processor?
Controllers and joint controllers exercise overall control over the processing of personal data, while processors act on behalf of the controllers. As such, controllers have a higher degree of compliance responsibility in comparison to processors.
Compliance Protocols Explained: Data Breach, DPO, and Assessment
As touched on above, most American businesses must comply with GDPR standards when handling personal data collected from EU and EEA data subjects.
Companies must appoint a data protection officer (DPO) — think of them as the canary in the coal mine. Data protection officers are responsible for overseeing the company’s data protection strategies to comply with GDPR requirements and handle any data breaches that may occur.
In the case of a personal data breach, processors and controllers must notify a supervisory authority of the breach within 72 hours if the data breach is likely to put the rights and freedoms of natural persons at risk. The notification must:
- Inform – Report the nature of the breach and the categories and approximate numbers of data subjects and personal data records involved.
- Communicate – Share the name and contact details of the data protection officer where more information can be obtained.
- Specify – Describe the likely consequences of the data breach and the measures intended to be taken to address the data breach and future mitigation strategies.
A controller must consult its DPO when complying with GDPR documentation requirements, such as a Data Protection Impact Assessment (DPIA). A DPIA is required by law if a company plans to process personal data in a way that is likely to put that data at high risk. Such conditions include, but are not limited to:
- The use of new technologies
- Tracking citizens’ locations or behaviors
- Processing personal data in relation to racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and genetic identifiers
- Processing children’s data
If the high-risk standard is not met, it may still be beneficial for companies to complete a DPIA to minimize liability and ensure best practices in regard to data privacy and security.
Failure to Comply
Failure to comply with GDPR requirements, including intentional infringement, failure to mitigate damage after a data breach, or lack of collaboration with authorities, may result in fines of up to 4% of the company’s global turnover for the previous fiscal year.
RSI Security and GDPR Compliance Requirements
Here at RSI Security, we offer EU GDPR compliance services and data protection officer services. We can work with your company to provide audit, assessment, and implementation services to comply with the requirements set by GDPR.
Also, consider outsourcing your company’s DPO roles to our experienced team of data privacy experts. We’ll help mitigate risk and prevent data breaches to keep your company on top. Finally, if you want to see just how simple following GDPR compliance requirements can be, contact RSI Security today!