The General Data Protection Regulation (GDPR) is a landmark piece of legislation that affects how organizations can handle, process, and store the personal data of European Union (EU) citizens and residents. But what does the GDPR require exactly, and how can you be sure that your organization complies with it? We go over everything you need to know in this all-in-one guide to GDPR compliance.
What is the GDPR?
The General Data Protection Regulation is a data privacy and data security regulation passed by the European Union; it largely replaces the EU's Data Protection Directive of 1995. Since coming into force in May 2018, the GDPR has revolutionized how organizations can perform the large-scale processing of personal data, including data collection, data transfer, and data storage. The GDPR has also inspired similar privacy laws and regulations elsewhere, such as the California Consumer Privacy Act (CCPA).
GDPR Article 4 defines a number of terms that are essential to understanding GDPR compliance. Let's look at some of this terminology now:
A data subject is any "identified or identifiable natural person" (i.e. any individual who is identifiable through the use of personal data).
Personal data comprises identifiers such as names, addresses, phone numbers, ID numbers, location data, gender, age, birthdate, genetic tests, credit card numbers, and photographs. It may also include online identifiers such as IP addresses and cookies, as well as biometric data like fingerprints.
A data controller is an entity that makes decisions about the "purposes and means" of GDPR data processing activities.
A data processor is an entity that actually processes personal data, often on behalf of a data controller.
A supervisory authority is an "independent public authority" that monitors organizations' GDPR compliance.
How to Comply with the GDPR
One widespread misconception is that U.S. companies don't have to comply with the GDPR because it's an EU regulation. However, this is not the case. The GDPR's scope is not limited to EU businesses; it is defined by whose data is being processed, namely EU citizens and residents of EU countries.
In other words, the GDPR protects the personal data, customer data, and user data of anyone who lives in one of the 27 member states in the EU. Any company that handles this data, no matter where the company itself is in the world, must comply with the GDPR. Also, you may be subject to other data protection laws, such as the CCPA, that closely resemble the GDPR.
If you fail to comply with the GDPR during your data processing operations, whether intentionally or unintentionally, the penalties for non-compliance can be harsh. The EU's data protection authorities (DPAs) can issue fines as high as €20 million or 4 percent of annual global revenue, whichever is higher. The website enforcementtracker.com keeps track of GDPR fines and penalties issued by EU authorities.
So how can you ensure your own organization is GDPR-compliant? The GDPR website has prepared a GDPR compliance checklist for organizations to follow. Below are some of the most important things to know about GDPR compliance:
Small businesses with fewer than 250 employees have fewer obligations under the GDPR, unless they perform data processing operations regularly or their data processing activities pose a high risk to "the rights and freedoms of data subjects."
All businesses to whom the GDPR applies must designate a data protection officer (DPO). The DPO handles training and education programs about GDPR requirements, conducts audits of data processing activities, and serves as a liaison between the organization and the supervisory authority.
The GDPR requires data subjects to provide "freely given, specific, informed and unambiguous" opt-in consent for organizations to process their personal data. In practice, this often takes the form of an "Accept" button for marketing and analytics cookies the first time that a user visits your website.
Data subjects have the "right to erasure," also known as the "right to be forgotten," if they wish to withdraw their consent. They can request that data controllers erase all of their personal information, and the data controllers must comply "without undue delay" (roughly one month). Data subjects also have the right to data portability: they can request that data controllers send them all the personal data that the controller is storing or processing.
New projects likely to pose a "high risk" to data subjects' personal data must first undergo a data protection impact assessment (DPIA). This includes an evaluation of how necessary the project is; the proposed technologies and processing activities; the potential dangers to subjects' rights and freedoms; and the proposed measures to protect subjects' privacy.
In the event of a personal data breach or malware attack that exposes personal data, the GDPR requires you to notify the supervisory authority within 72 hours of discovering the breach. To avoid the ensuing financial and reputational damage, you need to strengthen your cybersecurity with security measures such as data masking and data encryption.
How Integrate.io Can Help with GDPR Compliance
Integrate.io can help you remain in compliance with GDPR. It is a feature-rich ETL and data integration platform with a user-friendly, drag-and-drop interface. Integrate.io does not access any of your personal data itself — it only serves as the pipeline between your data sources and the target data warehouse.
With Integrate.io, it's easy to track your GDPR compliance efforts and to access, change, or delete data as needed. Want to learn more? Get in touch with our team of big data experts today for a chat about your business needs and objectives, or to start your 14-day pilot of the Integrate.io platform.