Doing business in Europe? GDPR isn’t optional.

Put into effect on May 25, 2018, the General Data Protection Regulation (GDPR) is Europe’s data privacy and security law that imposes obligations on organizations around the world that target or collect data related to people in the EU.

Your company is subject to general data protection regulation (GDPR) if it meets any of the following criteria:

• Processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed
• Was established outside the EU and is offering goods and/or services (paid or for free) to or is monitoring the behavior of individuals in the EU

If processing personal data isn’t a core part of your business — and your business activity doesn't create risks for individuals — then some obligations of GDPR won’t apply to your company.

Once you’ve determined whether or not your business needs to comply with GDPR, you need to determine if you’re a data processor or a data controller.

If you’re a data controller and therefore responsible for protecting data, you’re responsible for the following steps:

• Obtain consent.
• Govern access.
• Ensure the lawfulness of data processing.
• Ensure the transparency of information.
• Protect accuracy.
• Ensure confidentiality.

If you’re a data processor and/or controller that collects and manipulates data, you need to take the following actions:

• Process data only per instructions from the data controller.
• Enter into a binding contract with the processor.
• Not engage sub-processors without the consent of the controller.
• Ensure the security of the data.
• Notify the controller of data breaches.
• Follow accountability guidelines.
• Follow international transfer protocols.
• Cooperate with authorities.

• Perform risk assessments.
• Establish data governance.
• Implement the appropriate controls.
• Uphold data subject rights.
• Create and maintain the required documents.
• Train your employees.
• Regularly perform gap analysis and remediation.

Instead of acting as hard rules, the seven GDPR protection and accountability principles are an overarching framework designed to lay out the broad purposes of GDPR:

1. Lawfulness, fairness, and transparency: Lawfulness indicates that whenever you’re processing personal data, you should have a good reason for doing so. Fairness means you shouldn’t purposely withhold information about what or why you’re collecting data and that you won’t mishandle or misuse the data you collect. Transparency calls for clarity, openness, and honesty about who you are and why and how you’re processing personal data.
2. Purpose limitation: This means that data must be “collected for specified, explicit, and legitimate purposes” only, meaning you must state your purposes for processing data clearly and follow those purposes closely.
3. Data minimization: Don’t collect more personal information than you need from your users.
4. Accuracy: Ensure the accuracy of the data you collect by setting up checks and balances to update, correct, or erase it.
5. Storage limitation: You must justify the length of time you keep each piece of data you store and create a standard time period after which you’ll anonymize any data you’re not actively using.
6. Integrity and confidentiality: Personal data must be secure from internal or external threats, including "unauthorized or unlawful processing," accidental loss, destruction, or damage.
7. Accountability: You must have appropriate measures and records in place as proof of your compliance. This means documenting how personal data is handled and how you ensure only people who need access to information have it.

There is no GDPR certification. You must determine via internal audit (or a third-party product like Strike Graph) that you maintain the standards of compliance.

For companies who prefer to have an outside certification to prove compliance, ISO 27701 is a great option and can be achieved easily via Strike Graph in conjunction with GDPR.

ISO 27701 was released in 2019 as a direct response to the EU GDPR. While one can be GDPR compliant through a self-assessment, an ISO 27701 certification offers a way for organizations to demonstrate this compliance with an independent assessment. That’s because you’ll have already implemented core best practices for reducing data security and privacy risks in your systems and services.

Whereas GDPR is a set of regulations, ISO 27701 is a privacy framework, and it can be used for other privacy frameworks, not just GDPR.

According to Gov.uk, the Information Commissioner's Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. This includes GDPR. ICO is a non-departmental public body which reports directly to the UK Parliament.

GDPR applies to “controllers” and “processors” operating within the EU as well as to those outside the EU that offer goods or services to individuals in the EU.

While a controller determines the purposes and means of processing personal data, a processor is responsible for processing personal data on behalf of a controller.

Processors are required to maintain records of personal data and processing activities and have legal liability if they’re responsible for a breach. Meanwhile, controllers must ensure their contracts with processors comply with the GDPR.