What does it mean to be GDPR Compliant? | GDPReu.org (2022)
Organisations must be GDPR compliant to avoid penalties or reputational damage and to protect the rights of data subjects living within the EU.
If you’re wondering how exactly a business can be GDPR compliant, then this simple guide is for you. GDPR compliance, at its core, is about an organisation meeting the requirements of the General Data Protection Regulation 2018. Read on to find out why compliance is so important and what organisations must do to avoid breaches and penalties.
The General Data Protection Regulation (GDPR) clearly lays out the strict rules for companies regarding personal data processing. GDPR compliance means ensuring that all of these rules are followed and that the eight data subject rights linked to data processing are respected. These rights are the individual entitlements of the data subjects.
The privacy laws under GDPR are the strictest in the world. Devised and implemented by the European Union in 2018, the GDPR lays out the organisational measures that international organisations must take when they use personal data relating to anyone who comes from one of the EU member states.
GDPR was launched officially on 25 May 2018 and replaced the previous data protection act, which was no longer considered wide-ranging enough. It was designed specifically to strengthen the rights of data subjects over how the data controller uses their information.
There are three main personal data goals affecting EU data subjects. They are:
It’s always helpful to explain GDPR terminology before we go into how to adequately comply and how to avoid GDPR fines. The following list explains the major terminology used within the legislation and should help to explain the kind of data protection measures organisations must take to tick off their GDPR compliance checklist.
Data subject refers to individuals who live in the EU and who have had their data collected, held, or otherwise processed by a data protection officer, controller, or another processor.
Data controllers are the entities responsible for defining the lawful basis for data collection and the processing of personal data related to data subjects.
Data processors work with the data controller and process data.
Data processing means regular and systematic monitoring of, or operations performed on, sets of personal data. This can include automated or manual processing.
Personal data means any data, whether large scale or not, relating to the data subject. The data must be able to identify the individual, for example by relating to a name, photos, bank statements or an email address.
Consent in this context means the necessity of obtaining the consent of the data subject to process data. The organisation must provide data subjects with an option to give consent and it must be a “freely given, specific, informed and unambiguous indication”.
When working out whether this personal data protection legislation impacts your organisation, you need to consider whether your data activity comes under GDPR and whether you fall into the territorial scope of the law. For example, US businesses can still be subject to GDPR if they are collecting or using sensitive personal data or other personal data belonging to individuals who live in the EU. Organisations must assess whether their core activities, whether delivered online or offline, come under GDPR, so as to avoid criminal convictions or any kind of breach. This includes organisations in third countries, such as the UK.
As the GDPR puts in place appropriate safeguards and security measures surrounding the processing of personal data by a controller, it applies regardless of whether the actual processing takes place in the EU. Therefore, it can cover overseas government agencies or non-profit organisations as well as any public authority or private company that deals with data owned by EU citizens.
Along with the right to withdraw consent, the GDPR lays out the following data subject rights regarding consumer data. Some of these rights alter processing to maintain data privacy and, as such, should be considered by organisations to maintain compliance.
Data subjects have the right to be told how their data, whether basic identity information, IP addresses, cookie data, sensitive information or even biometric data, is being collected and used.
The right to see and ask for copies of their personal data.
The right to ask for inaccurate or out-of-date information to be corrected or updated.
This gives subjects the right to ask for their personal data to be deleted. However, this is not an absolute right, and any request for customer data to be deleted must fall under specific laws.
The right to ask for their personal information to be transferred to a different controller. This must be in a format that can be used for automated decision-making.
The right to ask for data minimisation or suppression of personal data.
This is the right of the individual to withdraw any consent that they have previously given regarding their personal data. Organisations must, therefore, ensure that they offer this opportunity regularly.
The right for individuals to object to the way that their data is being processed.
It is important to conduct data protection impact assessments to create an actionable plan. Any plan for compliance must revolve around the 7 GDPR principles. These are:
Organisations that either do not comply with the legislation or cause a breach could face large fines. The most serious cases of non-compliance could lead to a fine of up to seventeen million Euros (or 4% of the organisation’s annual turnover). When deciding whether to penalise an organisation, the Information Commissioner’s Office (ICO) will consider certain aspects of the breach. These include:
However, the ICO is clear that compliance is not about fining organisations. Rather, it is about protecting the privacy of an individual’s information, something that is increasingly important in the age of ‘big data’. The reason for the extremely high fines is to demonstrate just how important compliance with GDPR is, and that organisations should do everything they can to ensure that they are within all the regulatory guidelines. Perhaps just as damaging as a fine is the negative impact such a breach could have on your company’s reputation. In the worst cases, this reputational damage can be impossible to rectify.