The General Data Protection Regulation (GDPR) is an important piece of international legislation that’s been in effect since May 2018. Non-compliance penalties can have a substantial business impact, yet many organizations are still not fully compliant. Becoming GDPR-compliant can be difficult, as it requires organizations to make significant changes to their data processing practices.
However, there are a number of measures that organizations can take to achieve compliance, such as appointing a data protection officer, conducting data protection impact assessments, and implementing technical and organizational security measures. The steps needed to achieve compliance will vary depending on the organization’s specific circumstances.
What is GDPR and why is it so important
The GDPR is a European Union regulation that sets out rules for the collection and processing of personal data of individuals within the European Union. It applies to all organizations, regardless of their size or location, that process the personal data of individuals in the EU. The GDPR gives individuals more control over their personal data and requires organizations to be more transparent about how they collect and use this data.
The 7 Principles of GDPR
The GDPR sets out seven key principles that apply to the collection, sharing, storage, and use of personal data. Compliance with these principles is essential for protecting people’s privacy and avoiding administrative fines.
1. Lawfulness, fairness, and transparency
Processing of personal data should be lawful, fair, and transparent to the data subject (the individual), meaning:
- Personal data can only be processed if there is a legal basis for doing so. The six legal bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests.
- Personal data must be processed fairly and in a way that is transparent to individuals.
- Organizations must be transparent about how they collect, use, and share personal data.
Example: Let’s say a company wants to collect personal data from its customers in order to send them marketing emails. The company would need consent, meaning that the customers would need to explicitly agree to have their data collected and used for marketing purposes. The company would also need to be transparent about how it would use the data, and it would need to give customers the right to access, correct, and delete their data.
2. Purpose limitation
Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes, meaning:
- Organizations should only collect personal data for specific, explicit, and legitimate purposes.
- Organizations should not collect personal data for any purpose that is not directly related to the original intent of the collection.
Example: A company that sells shoes collects the names and contact information of its customers. This data is collected for the purpose of sending out marketing emails about new shoes and sales. The company cannot use this data for any other purpose, such as selling it to a third party or using it to create a customer profile
3. Data minimization
Data collection should be limited to what is necessary in relation to the purpose, meaning:
- The data minimization principle requires organizations to only process the personal data that is necessary for the specific purpose for which it is being processed.
- Data minimization is closely linked to the concept of privacy by design, which is the practice of embedding privacy and data protection into products and services from the earliest stages of their development.
Example: A social media platform collects the following data from its users: name, email address, date of birth, gender, and location. However, the platform only needs to collect the name and email address of its users in order to provide the service. Therefore, the platform should minimize the amount of data it collects by not collecting the date of birth, gender, and location of its users.
Data should be accurate and, where necessary, kept up to date, meaning:
- Organizations (not the individuals themselves) are responsible for ensuring that personal data is accurate and up to date.
- Organizations must take every reasonable step to correct or update inaccurate or incomplete data.
Example: A retail company has a customer database that contains the names, addresses, and phone numbers of its customers. The company discovers that one of the customer’s phone numbers is incorrect. The company must update the customer’s phone number in its database to ensure that the data is accurate.
5. Storage limitation
Data should be kept in a form that permits identification of data subjects for no longer than necessary for the purpose, meaning:
- Organizations should inform individuals about how long they will keep each type of personal data they collect. This could be for a specific time period (e.g., one year) or until a triggering event occurs.
- Organizations should always have a good reason to keep personal data for any given period.
Example: A company collects data about its customers for the purpose of providing customer support. The company keeps this data for a period of 1 year after the customer has last interacted with the company. After 1 year, the company must delete the data to ensure that it is not storing personal data for longer than is necessary.
6. Integrity and confidentiality
Data should be processed in a way that ensures its security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, meaning:
- Organizations must take appropriate technical and organizational measures to secure personal data, guard against internal and external threats, and avoid a data breach.
- Organizations must implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. They should include measures such as encryption, pseudonymization, and access controls. Organizations should also regularly test their security measures and train their employees on data security.
Example: A bank that collects personal data from its customers must take appropriate technical and organizational measures to protect that data from unauthorized access, use, disclosure, alteration, or destruction. For example, the bank could encrypt the data, restrict access to it to authorized personnel, and have a policy in place for disposing of it securely.
The data controller (the entity processing the data) is responsible for, and must be able to demonstrate compliance with, the other principles, meaning:
- Organizations must be able to demonstrate their compliance with the GDPR principles
- Organizations can demonstrate accountability under the GDPR by developing policies and procedures, appointing a data protection officer, and conducting data mapping exercises. They can also perform data protection impact assessments (DPIAs) where appropriate.
Example: A company that collects personal data from its customers might appoint a data protection officer (DPO) to oversee its compliance with the GDPR. The DPO would be responsible for ensuring that the company has the appropriate policies and procedures in place to protect personal data, and that it is complying with the GDPR’s requirements.
Penalties for non-compliance
GDPR compliance is imperative—even beyond the EU. Any company in the world that processes the data of an EU citizen is bound to GDPR policy. The EU imposes strict penalties for organizations that fail to comply with its requirements. Fines of up to €20 million or 4% of global annual turnover, whichever is greater, can be imposed on organizations that do not comply with the GDPR.
In addition to financial penalties, consider these other potential risks:
- Loss of Trust: Failure to comply with GDPR can result in a loss of customer trust, which could have a longer-term impact than any financial penalties.
- Negative Publicity: Media coverage of GDPR non-compliance can tarnish a company’s image.
- Civil Lawsuits: Individuals affected by GDPR non-compliance can bring civil actions against the company.
- Injunctions: Regulators may impose bans or restrictions on data processing activities.
- Data Flow: Non-compliance may result in a ban on data transfers, which could severely impact business operations, especially for companies that operate across borders.
Resource Drain: Managing the fallout from a GDPR violation can require a significant investment of time and resources, including legal fees and efforts to improve data management systems.
Automate your GDPR compliance
The seven core principles of GDPR are generally good practices to follow. They are incredibly important if you are managing data for people in the EU, no matter where you’re located. Essentially, it comes down to:
- Collect as little data as possible
- Get permission as often as possible
- Keep user data updated
- Use data only for reasonable purposes
- Protect your users
- Be responsible
Compliance with GDPR is not technologically complex nor unrealistic. Yet, so many companies are unable to achieve it because they lack the rigor and discipline to do so.
This is where an automated compliance solution comes into play. ComplianceCow helps companies keep customer data safe. It does this by automating the collection of evidence to demonstrate compliance with industry regulations, such as PCI DSS, HIPAA, and GDPR. ComplianceCow also provides a centralized repository for this evidence, making it easy for companies to track and manage their compliance status.
Here are some specific ways that ComplianceCow helps companies keep customer data safe:
- It automates the collection of evidence for compliance controls. This frees up time for security teams to focus on other tasks, such as incident response and threat hunting.
- It provides a centralized repository for compliance evidence. This makes it easy to track and manage compliance status, and to quickly find the evidence needed to respond to an audit or investigation.
- It provides reports and dashboards that help companies visualize their compliance status. This makes it easy to identify areas where compliance gaps exist and to take corrective action.
- It integrates with a variety of security tools and systems. This makes it easy to collect evidence from all parts of the IT environment.
Overall, ComplianceCow is a powerful tool that can help companies keep customer data safe and compliant with industry regulations.