Any company doing business or collecting data within the EU is subject to GDPR.
GDPR mistakes can cost millions.
Fines for General Data Protection Regulation violations can cost up to €20 million or 4% of your company’s worldwide annual revenue.
Our GDPR compliance framework is foolproof.
Strike Graph’s easy-to-use platform ensures you meet and maintain every GDPR requirement.
Strike Graph takes the guesswork out of GDPR.
GDPR compliance tracking at your fingertips
Follow every detail of your GDPR compliance framework easily on Strike Graph’s dashboard and get automated notifications when something needs to be updated.
Pre-loaded GDPR controls to save time
Our extensive library of pre-loaded GDPR controls lets you choose what you need, plug it into your GDPR compliance framework, and move to the next step! No more writing from scratch.
Cross-framework functionality that grows with you
As your company grows, you’ll need additional security compliance measures. Strike Graph’s versatile platform leverages the work you’ve already done for GDPR to easily expand to SOC 2, ISO, HIPAA, PCI DSS, or CCPA compliance.
Here’s how it works.
Strike Graph helps you reach, maintain, and prove GDPR compliance quickly and easily.
Start building your security and compliance posture.
Assign controls to each of your risks.
Maintain GDPR compliance.
Document your GDPR compliance with ISO 27701 certification.
More and more companies are turning to Strike Graph for privacy support.
GDPR: Dig into the details
Want more details on the GDPR compliance framework? Read on for answers to all your questions.
What is GDPR?
Put into effect on May 25, 2018, the General Data Protection Regulation (GDPR) is Europe’s data privacy and security law that imposes obligations on organizations around the world that target or collect data related to people in the EU.
Who needs to comply with GDPR?
Your company is subject to the General Data Protection Regulation (GDPR) if it meets any of the following criteria:
- Processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed
- Was established outside the EU and is offering goods and/or services (paid or for free) to or is monitoring the behavior of individuals in the EU
If processing personal data isn’t a core part of your business — and your business activity doesn't create risks for individuals — then some obligations of GDPR won’t apply to your company.
How do I comply with GDPR?
Once you’ve determined whether or not your business needs to comply with GDPR, you need to determine if you’re a data processor or a data controller.
If you’re a data controller and therefore responsible for protecting data, you’re responsible for the following steps:
- Obtain consent.
- Govern access.
- Ensure the lawfulness of data processing.
- Ensure the transparency of information.
- Protect accuracy.
- Ensure confidentiality.
If you’re a data processor and/or controller that collects and manipulates data, you need to take the following actions:
- Process data only per instructions from the data controller.
- Enter into a binding contract with the processor.
- Not engage sub-processors without the consent of the controller.
- Ensure the security of the data.
- Notify the controller of data breaches.
- Follow accountability guidelines.
- Follow international transfer protocols.
- Cooperate with authorities.
Finally, you’ll need to complete the following items:
- Perform risk assessments.
- Establish data governance.
- Implement the appropriate controls.
- Uphold data subject rights.
- Create and maintain the required documents.
- Train your employees.
- Regularly perform gap analysis and remediation.
What are the seven GDPR protection and accountability principles?
Instead of acting as hard rules, the seven GDPR protection and accountability principles are an overarching framework designed to lay out the broad purposes of GDPR:
- Lawfulness, fairness, and transparency: Lawfulness indicates that whenever you’re processing personal data, you should have a good reason for doing so. Fairness means you shouldn’t purposely withhold information about what or why you’re collecting data and that you won’t mishandle or misuse the data you collect. Transparency calls for clarity, openness, and honesty about who you are and why and how you’re processing personal data.
- Purpose limitation: This means that data must be “collected for specified, explicit, and legitimate purposes” only, meaning you must state your purposes for processing data clearly and follow those purposes closely.
- Data minimization: Don’t collect more personal information than you need from your users.
- Accuracy: Ensure the accuracy of the data you collect by setting up checks and balances to update, correct, or erase it.
- Storage limitation: You must justify the length of time you keep each piece of data you store and create a standard time period after which you’ll anonymize any data you’re not actively using.
- Integrity and confidentiality: Personal data must be secure from internal or external threats, including "unauthorized or unlawful processing," accidental loss, destruction, or damage.
- Accountability: You must have appropriate measures and records in place as proof of your compliance. This means documenting how personal data is handled and how you ensure only people who need access to information have it.
How can I prove I’m GDPR compliant?
There is no GDPR certification. You must determine via internal audit (or a third-party product like Strike Graph) that you maintain the standards of compliance.
For companies who prefer to have an outside certification to prove compliance, ISO 27701 is a great option and can be achieved easily via Strike Graph in conjunction with GDPR.
How are GDPR and ISO 27701 related?
ISO 27701 was released in 2019 as a direct response to the EU GDPR. While one can be GDPR compliant through a self-assessment, an ISO 27701 certification offers a way for organizations to demonstrate this compliance with an independent assessment. That’s because you’ll have already implemented core best practices for reducing data security and privacy risks in your systems and services.
Whereas GDPR is a set of regulations, ISO 27701 is a privacy framework, and it can be used for other privacy frameworks, not just GDPR.
What is the EU Information Commissioner's Office (ICO)?
According to Gov.uk, the Information Commissioner's Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. This includes GDPR. ICO is a non-departmental public body which reports directly to the UK Parliament.
What’s the difference between data processors and data controllers?
GDPR applies to “controllers” and “processors” operating within the EU as well as to those outside the EU that offer goods or services to individuals in the EU.
While a controller determines the purposes and means of processing personal data, a processor is responsible for processing personal data on behalf of a controller.
Processors are required to maintain records of personal data and processing activities and have legal liability if they’re responsible for a breach. Meanwhile, controllers must ensure their contracts with processors comply with the GDPR.
Can’t find the answer you’re looking for? Contact our team!