The General Data Protection Regulation (GDPR) forms a pillar for information privacy in the European Union and European Economic Area. Its provisions and principles encompass everything from the rights of data subjects and duties of data controllers and processors to liabilities and penalties for breach of rights.
GDPR applies even to organizations outside the EU that offer goods or services to individuals located in the EU (whether or not a payment is required) or monitor their behaviour there, so even if you're not EU-based, you may still be held liable for compliance violations.
In this guide, we'll summarize what your organization needs to know about GDPR data protection requirements.
General Data Protection Regulation compliance is conformity with one of the EU's most fundamental laws safeguarding the personal data of individuals in the EU. The law protects any data that can be used to identify a person directly or indirectly, such as names, email addresses, identification numbers, or online identifiers. It covers every operation performed on such data, including collection, storage, transmission, and destruction.
The GDPR applies both to organizations that determine the purposes and means of processing personal data (controllers) and to other parties that process data on their behalf (processors). Its rules bind controllers and processors established in the EU as well as those outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
This regulatory framework has severe penalties for non-compliance. Enforcement rests with the supervisory authority, commonly called the data protection authority (DPA), of each Member State. Infringements can result in administrative fines of up to €10 million or 2% of annual worldwide turnover for lower-tier violations, and up to €20 million or 4% of annual worldwide turnover (whichever is higher) for the most serious ones, such as violating the basic principles of processing or data subjects' rights. Member States may additionally lay down other penalties, including criminal sanctions, under national law.
GDPR general provisions provide dozens of definitions of key terms used in the regulation. Some of the most important terms for understanding the GDPR include:
As the GDPR defines it, personal data means any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Data processing refers to any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means. Data processing operations include:
A data subject is a natural person identified or identifiable by personal data.
A data controller refers to the natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data, alone or jointly with other parties. When the purposes and means of such processing are determined by Union or Member State law, the Union or Member State may establish the controller or the specific criteria for its nomination.
A data processor refers to the natural or legal person, public authority, agency or other body which processes personal data on a controller's behalf.
The GDPR contains 11 chapters covering the following topics:
The full text of the GDPR runs hundreds of pages. Here are some key highlights:
The GDPR lays out six groups of principles that govern its provisions:
Here's what each principle means:
This principle requires that personal data be processed lawfully, fairly, and transparently. For processing to be lawful, at least one of the following legal bases must apply:
The GDPR provides less guidance on what constitutes fairness, as legal analysts have noted.
With respect to transparency, the GDPR requires that data subjects be informed clearly, in writing or by other means, that data is being collected on them and how it is being processed. Subjects should be told why the data is being collected, how long it will be retained, and who it will be shared with.
The principle of purpose limitation means that data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes is not considered incompatible.
The principle of data minimization requires that data collection be adequate for its intended purpose, relevant for that purpose, and limited to what is necessary for that purpose.
The principle of accuracy requires that collected data be correct and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay.
The principle of storage limitation requires that collected data be kept no longer than necessary for its intended purpose. As with purpose limitation, this does not exclude data archiving for designated reasons.
The principle of integrity and confidentiality states that data must be safeguarded through appropriate technical and organizational measures that protect it against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
The principles of the GDPR aim to protect eight privacy rights of data subjects, based on the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. Data subject rights include:
These rights may be subject to designated restrictions for specific reasons, such as national security, law enforcement, tax collection, or civil law enforcement.
To implement its principles, the GDPR compels data controllers to adopt a policy of data protection by design and default.
This means that controllers should take data protection into account throughout the product and data lifecycle, from the time the means of processing are determined to the time of actual processing. Data protection measures should ensure that, by default, only data necessary for each specific purpose is processed and that personal data is not made accessible, without the individual's intervention, to an indefinite number of natural persons. These measures apply to the amount of data collected, the extent of processing, the period of storage, and the accessibility of the data.
Controllers must implement both organizational procedures and technical measures to ensure data protection. Organizational measures include standard operational procedures such as training staff, adding a data privacy policy to employee handbooks, minimizing data collection, and restricting data access. Technical measures include cybersecurity techniques such as encryption and two-factor authentication.
An approved certification mechanism may be used to help demonstrate compliance with data protection by design and default.
The GDPR holds data controllers accountable for being able to demonstrate compliance. Means of demonstrating compliance include:
These accountability requirements help ensure that organizations not only follow GDPR principles and provisions, but can demonstrate compliance.
To meet the technical measures requirement of the GDPR, data controllers and processors must implement appropriate data security procedures.
The GDPR article on security of processing does not prescribe specific security measures. It names only a few examples (pseudonymisation and encryption of personal data; ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access after an incident; and regular testing of the measures' effectiveness) and requires controllers and processors to take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to individuals.
In the event of a personal data breach, a controller must notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a processor must notify the controller without undue delay. If the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay, unless measures such as encryption have already rendered the data unintelligible to anyone not authorized to access it.
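Pseudonymisation is the first technical measure the security-of-processing article names, and it is the one most directly tied to the points above: a dataset that carries only keyed pseudonyms instead of direct identifiers is far less useful to whoever steals it, yet the controller can still find and erase a subject's rows when exercising their rights. The following Python example is added here as an illustration and is not code from the original article or from Cobalt; the customer records, field names, and the helper functions are constructed for the example. It derives pseudonyms with HMAC-SHA256 under a secret key that is meant to live apart from the data (in a KMS or HSM), keeps only the fields the use case needs, and shows how access and erasure requests are served by re-deriving the pseudonym with the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset (hypothetical, not from the page): raw customer
# records holding direct identifiers (email, name) next to the fields the
# service actually needs.
RAW_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Example", "country": "DE",
     "plan": "pro", "last_login": "2024-03-01"},
    {"email": "bob@example.org", "name": "Bob Example", "country": "FR",
     "plan": "free", "last_login": "2024-02-11"},
    {"email": "alice@example.com", "name": "Alice Example", "country": "DE",
     "plan": "pro", "last_login": "2024-03-09"},
]

# Data minimisation: only these fields survive into the pseudonymised dataset.
KEEP_FIELDS = ("country", "plan", "last_login")


def new_pseudonym_key() -> bytes:
    """Secret key for the keyed hash. Keep it separate from the dataset
    (e.g. in a KMS/HSM); whoever holds it can re-link pseudonyms to people."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Stable pseudonym for a direct identifier using HMAC-SHA256.

    A plain SHA-256 of an email address is reversible by a dictionary attack
    over known addresses; the secret key is what stops anyone who obtains
    only the dataset from reversing the pseudonyms."""
    normalised = identifier.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, keep_fields=KEEP_FIELDS):
    """Replace direct identifiers with a pseudonym and drop every other field
    not listed in keep_fields."""
    dataset = []
    for rec in records:
        row = {"subject_id": pseudonym(rec["email"], key)}
        row.update({f: rec[f] for f in keep_fields if f in rec})
        dataset.append(row)
    return dataset


def records_for_subject(dataset, email: str, key: bytes):
    """Access request: re-derive the pseudonym with the key and select rows."""
    sid = pseudonym(email, key)
    return [r for r in dataset if r["subject_id"] == sid]


def erase_subject(dataset, email: str, key: bytes):
    """Erasure request: drop every row belonging to the subject."""
    sid = pseudonym(email, key)
    return [r for r in dataset if r["subject_id"] != sid]


def leaks_direct_identifiers(dataset) -> bool:
    """Check before exporting or sharing: no direct identifier field remains."""
    return any("email" in r or "name" in r for r in dataset)


if __name__ == "__main__":
    key = new_pseudonym_key()
    dataset = pseudonymise(RAW_RECORDS, key)
    for row in dataset:
        print(row)
    print("rows for alice:", len(records_for_subject(dataset, "alice@example.com", key)))
    print("rows after erasure:", len(erase_subject(dataset, "alice@example.com", key)))
    print("leaks identifiers:", leaks_direct_identifiers(dataset))
```

Two caveats a practitioner should keep in mind. First, pseudonymised data is still personal data under the GDPR as long as the key (or any other re-identifying information) exists, so every obligation on the page, including breach notification, continues to apply; the measure reduces the impact of a leak of the dataset alone, it does not turn the data into anonymous data. Second, the protection is only as good as the separation between key and data: a breach that captures both has exposed the identifiers, and a pseudonym that is reused across many datasets becomes a linkable identifier in its own right, so use a different key per dataset or purpose.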
The EU provides a general GDPR compliance checklist for data controllers as well as specific guidance for US companies. The general checklist covers four key areas:
To comply with the GDPR lawful basis and transparency requirements, data controllers must:
Organizations with 250 or more employees must keep a detailed, current record of their processing activities, to be provided to the supervisory authority on request. Smaller organizations are exempt only if their processing is occasional, is unlikely to result in a risk to individuals' rights and freedoms, and involves no special categories of data or data on criminal convictions; in practice most will fall outside the exemption for at least some processing. Processors must keep a corresponding record of the processing they carry out for each controller. Even where the exemption applies, keeping such a record will assist with other compliance requirements.
The list should include:
GDPR data security requirements obligate data controllers to:
These requirements follow the GDPR's principle of data protection by design and by default, which calls for "appropriate technical and organisational measures". Technical measures include cybersecurity practices such as encryption and pseudonymisation. Organizational measures include policies such as minimizing data collection and deleting data that is no longer needed.
GDPR accountability and governance requirements compel data controllers to:
These requirements ensure that someone in your organization is accountable for GDPR compliance and has authorization to review data protection policies and execute them.
GDPR privacy rights requirements call for controllers to make it easy for customers to:
These requirements ensure the rights of data subjects to see what data you have about them, understand how you're using it, know how long you keep it, and receive a copy of their information in a timely manner.
US companies can comply with the GDPR by:
The GDPR's website provides forms and templates to assist with compliance.
Whether you operate in the EU, offer goods or services to people in the EU, or collect data on individuals located there, GDPR compliance applies to you.
Achieving compliance involves both policy and technical implementation. On the technical side, you need to ensure that data you collect, store, and transmit remains secure from cyberattacks that can compromise customer privacy.
Cobalt assists you with achieving GDPR compliance requirements by providing compliance pentesting services to identify and mitigate vulnerabilities in your IT infrastructure. Our team of offensive security experts helps you rapidly schedule simulated attacks on your data and produce audit-quality attestation reports identifying your vulnerabilities and what you've done to mitigate them.
Our pentesting platform makes it easy for our experts to collaborate with your security team and plan tests that meet your requirements for compliance with the GDPR or other regulatory frameworks. Talk to our team today to get started on the road to compliance.