GDPR, or the General Data Protection Regulation, is Europe’s data privacy and security law. If your business directly targets, collects, and/or manipulates the personal data of EU residents — or does so as a subcontractor of another organization — then you need to comply with the GDPR.
Why is compliance so important? Because the GDPR has some of the heftiest fines for privacy violations in the world. In fact, fines for violations can cost up to €20 million, or 4% of your company’s worldwide annual revenue.
So what exactly is required of your organization in order to achieve — and maintain — GDPR compliance? Let’s take a look.
Lawful reason for personal data
According to Article 5 of the GDPR, companies must have a documented, lawful reason (or “purpose”) for processing personal data. Furthermore — as we’ve discussed in-depth in a previous post — one of the 7 GDPR principles is that data must be processed in a lawful, fair, and transparent manner. This means a data subject — the person whose data you hold — must be aware of the ways in which their information is being used and processed.
So, what does the GDPR mean by a “lawful” reason? It means a subject’s personal data can only be collected for a specified, explicit, and legitimate purpose. In other words, depending on the scope and purpose of the data processing activity your organization intends to carry out, you need to select an appropriate legal ground.
In addition to the need for a purpose or reason, that purpose or reason also needs to be limited, which brings us to our next point.
Limitation of purpose, data, and storage
Purpose limitation ensures that data is only used for specific activities:
- Collection: As noted above, when personal data is collected, it must serve a specific, explicit, and legitimate purpose.
- Notice: These purposes must be clearly established and openly communicated via a privacy notice to your data subjects.
- Processing: Personal data should be processed in a way that’s compatible with your organization’s initial stated purposes.
Make sure your organization follows your purposes closely and limits the processing of data only to those purposes you’ve stated to the data subject at the time of collection.
Data subject rights
GDPR grants people a range of specific data subject rights concerning their personal data. They can exercise these rights under particular conditions, which means your organization must have a way for data subjects to exercise them.
These rights include:
- The right to information: The data subject can ask the company what information it has about them, as well as what personal data is being processed and the rationale for such processing.
- The right to access: The data subject has the ability to access their personal data that’s being processed, meaning they can see or view it as well as request copies of it.
- The right to rectification: The data subject can ask for modifications to their personal data if they believe it’s not accurate or up to date.
- The right to withdraw consent: The data subject has the ability to withdraw previously given consent for the processing of their personal data for a given purpose.
- The right to object: The data subject can object to the processing of their personal data.
- The right to object to automated processing: The data subject can object to a decision based solely on automated processing, meaning they can ask for that decision to be reviewed manually.
- The right to be forgotten: The data subject can ask for their data to be deleted.
- The right to data portability: The data subject can ask for the transfer of their personal data, for example, to another controller.
In GDPR Article 6, the key elements of lawfulness are further established. Consent is one of the legal grounds for personal data processing, and in some cases, explicit consent is needed.
For example, when an organization intends to process personal data beyond the legitimate purpose for which that data was collected, the company must ask the data subject for clear and explicit consent. Once collected, this consent must be documented. Keep in mind that the data subject is allowed to withdraw this consent at any time.
Furthermore, when it comes to the data processing of children under 16, the GDPR requires the explicit consent of their parents or guardians.
Personal data breaches
As defined by GDPR Article 4, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Companies must maintain a personal data breach register where all information about a data leak — or a suspected data leak — must be recorded. This register will be part of your organization's data protection management. Based on the severity of a breach, the regulator and data subject should be informed within 72 hours of the breach’s identification.
Privacy by design
In order to protect personal data in the design of new systems and processes, organizations should incorporate organizational and technical mechanisms that ensure privacy and protection aspects “by design” at the outset, not retroactively.
Data protection impact assessment
When initiating a new product, project, or change that will affect the processing of personal data, the GDPR states that a data protection impact assessment (DPIA) should be conducted. This will help your organization estimate the impact of these new actions or changes and identify and minimize privacy risks in your data processing activities.
Data controllers — the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” — must ensure that personal data is protected and GDPR requirements are respected, even if the data processing is being conducted by a third party.
This means controllers must ensure the privacy and protection of personal data when that data is transferred outside the company, whether to a third party or to another entity within the same company.
Data protection officer
A Data Protection Officer (DPO) should be assigned when an organization processes a significant amount of personal data. A Data Protection Officer is an independent data protection expert responsible for advising an organization on how to comply with GDPR requirements.
This person must take the following actions:
- Monitor the organization’s data protection policies and procedures
- Advise staff on their data protection responsibilities
- Advise management on whether DPIAs (data protection impact assessments) are necessary
- Serve as the point of contact between the organization and its supervising authority
- Serve as a point of contact for individuals on privacy matters
Awareness and training
Organizations should conduct regular training on key GDPR requirements. Such training is mandatory for anyone who handles personal data or is responsible for overseeing data protection practices.
This will serve to ensure employees remain aware of their responsibilities with regard to the protection of personal data, as well as know how to identify personal data breaches in a timely manner.
How ISO 27701 can help prove GDPR compliance
ISO 27701 was released in 2019 as a direct response to GDPR. GDPR is a set of regulations, but ISO 27701 is a privacy framework.
While your organization can become GDPR compliant through a self-assessment, an ISO 27701 certification offers a way for your business to demonstrate this compliance with an independent assessment.
Because ISO 27701 is a privacy framework, it can be used to demonstrate compliance with other privacy regulations, not just GDPR. Thankfully, Strike Graph makes it easy to reach compliance with multiple security frameworks using the structures you’ve already implemented for reducing data security and privacy risks in your systems and services.