What does it mean to be GDPR Compliant? | GDPReu.org (2022)

Organisations must be GDPR compliant to avoid penalties or reputational damage and to protect the rights of data subjects living within the EU.

What does it mean to be GDPR compliant?


If you’re wondering how exactly a business can be GDPR compliant, then this simple guide is for you. GDPR compliance, at its core, is about an organisation meeting the requirements of the General Data Protection Regulation 2018. Read on to find out why compliance is so important and what organisations must do to avoid breaches and penalties.

What it means to be GDPR compliant

The General Data Protection Regulation (GDPR) clearly lays out the strict rules for companies regarding personal data processing. GDPR compliance means ensuring that all of these are followed and that the eight data subject rights linked to data processing are followed. The data subjects pertain to the individual entitlements of the data subjects.

The General Data Protection Regulation basics

The privacy laws under GDPR are the strictest in the world. Devised and implemented by the European Union in 2018, the GDPR lays out organizational measures that international organisations must take when it uses personal data relating to anyone who comes from one of the EU members states.

GDPR was launched officially on 25 May 2018 and replaced the previous data protection act that was no longer considered wide-ranging enough. Designed specifically to strengthen the rights of data subjects on how the data controller uses their information.

Main goals of GDPR and the data protection principles

There are three main personal data goals affecting EU data subjects. They are:

  1. To establish and protect the privacy rights of EU citizens regarding the unlawful processing of their information.
  2. To unify data privacy laws across EU member states to clarify and regulate the legal obligation of every data controller.
  3. To adapt and update the old laws surrounding personal data to ensure they reflect technological changes of the last 25 years.

Defining a data protection officer and other GDPR terminology

It’s always helpful to explain GDPR terminology before we go into how to adequately comply and how to avoid GDPR fines. The following list explains the major terminology used within the legislation and should help to explain the kind of data protection measures organisations must take to tick off their GDPR compliance checklist.

Data subject refers to individuals who live in the EU and who have had their data collected, held, or otherwise processed by a data protection officer, controller, or another processor.

Data controllers are the entities responsible for defining the lawful basis for data collection and the processing of personal data related to data subjects.

Data processors work with the data controller and process data.

Data processing means regular and systematic monitoring or operations performed on sets of personal data. This can include automated processing or manual.

Personal data means any data, whether large scale or not, related to the data subject. The data here must be able to identify the individual due to it relating to a name, photos, bank statements or an email address.

Consent in this context means the necessity of obtaining the consent of the data subject to process data. The organisation must provide data subjects with an option to give consent and it must be a “freely given, specific, informed and unambiguous indication”.

Is your company a data processor?

When working out whether this personal data protection legislation impacts your organisation, you need to consider whether your data activity comes under GDPR and whether you fall into the territorial scope of the law. For example, US businesses can still be subject to GDPR if they are collecting or using sensitive personal data or other personal data belonging to individuals who live in the EU. Business practices must reflect whether their core activities consist of services online or offline that come under GDPR to avoid criminal convictions or any kind of breach. This includes third countries, such as the UK.

As the GDPR puts in place appropriate safeguards and security measures surrounding the processing of personal data by a controller, it applies whether the actual processing takes place in the EU. Therefore, it can cover overseas Government agencies or non-profit organisations as well as any public authority or private company that deals with data owned by EU citizens.

What are the 8 data subject rights under GDPR?

Along with the right to withdraw consent, the GDPR lays out the following data subject rights regarding consumer data. Some of these rights alter processing to maintain data privacy and, as such, should be considered by organisations to maintain compliance.

  1. Articles 12 to 14: the right to be informed

Data subjects have the right to be told about how their data, whether basic identity information, IP addresses, cookie data, sensitive information or even biometric data is being collected and used.

  1. Article 15: right to access

The right to see and ask for copies of their personal data.

  1. Article 16: right to rectification

The right to ask for inaccurate or out-of-date information to be corrected or updated.

  1. Article 17: right to be forgotten

This gives subjects the right to ask for their personal data to be deleted. However, this is not an absolute right and for any customer data to be deleted here must fall under specific laws.

  1. Article 20: right for data portability

The right to ask for their personal information to be transferred to a different controller. This must be in a format that can be used for automated decision-making.

  1. Article 18: right to restrict processing

The right to ask for data minimisation or suppression of personal data.

  1. Article 7: right to withdraw consent

This is the right of the individual to withdraw any consent that they have previously given regarding their personal data. GDPR compliance resources must, therefore, ensure that they offer this opportunity regularly.

  1. Article 21: right to object

The right for individuals to object to the way that their data is being processed.

Is your organisation GDPR compliant ?

It is important to conduct data protection impact assessments to create an actionable plan. Any plan for compliance must revolve around the 7 GDPR principles. These are:

  1. Lawfulness, fairness, and transparency – there must be a lawful basis for any processing of data flows. The subject must be fully informed and there should be no possibility of a personal data breach.
  2. Purpose limitation – to comply with data protection authorities and to fulfil data protection obligations, you must be clear about the purposes of the processing.
  3. Data minimisation – data breaches can be avoided by only processing personal information to a minimum extent.
  4. Accuracy – any data that is processed must be accurate and up to date. It is up to your information security to erase or correct information that is inaccurate at the earliest possible time.
  5. Storage limitation – a risk assessment should tell you whether you really need to keep the data.
  6. Integrity and confidentiality – security should be in place to avoid any possibility of a data breach.
  7. Accountability – take responsibility for all processing and data mapping and ensure it is all on record so that the requisite information systems can demonstrate compliance with all the principles listed.

What happens if your organisation is not GDPR compliant?

Organisations that either does not comply with the legislation or cause a breach could face large fines. The most serious cases of non-compliance could lead to a fine of up to seventeen million Euros (or 4% of the organisation’s annual turnover). When deciding on whether to penalise an organisation, the Information Commissioner’s Office (ICO) will consider certain aspects of the breach. These include:

  • How severe the breach is and how long it will last.
  • Whether the breach was due to negligence or on purpose.
  • Whether the organisation has previously done the same thing.
  • The kind of data involved in the breach.
  • Whether the individual’s rights and freedoms have been impacted.

However, the ICO is clear that compliance is not about finding organisations. Rather, it is about protecting the privacy of an individual’s information, something that is increasingly important in the age of ‘big data’. The reason for the extremely high fines is to demonstrate just how important compliance is with GDPR, and that organisations should do everything they can to ensure that they are within all the regulatory guidelines. Perhaps just as damaging as a fine is the negative impact such a breach could do on your company’s reputation. In the worst cases, this reputational damage can be impossible to rectify.