The General Data Protection Regulation (GDPR) is designed to protect the personal data of EU residents by regulating how that information is collected, stored, processed and destroyed. The data security and privacy law applies to all organizations that collect the personal data of European Union citizens, regardless of location. The penalties for noncompliance with GDPR requirements are stiff.
Many organizations are struggling with how to comply with GDPR. In this article, you will find 10 steps that will help your business achieve, maintain and prove compliance with GDPR requirements.
How to be GDPR compliant
1. Determine whether and how the law applies to your organization.
Is your organization subject to the GDPR?
First, determine whether you need to comply with the GDPR. For a simple litmus test, consider whether you have users or customers who live in the EU. If the answer is yes, you need to implement compliance measures.
To be more specific, here are some examples of common circumstances that would require your organization to comply with the GDPR:
- You collect or process the data of EU residents.
- You ship to the EU, mention the EU on your website, or accept payment in EU currency.
- You offer software, such as a game or app, that collects personal data as part of the registration process, and the software is available in the EU
Are you a data processor or a data controller?
If the GDPR applies to you, your next step is to determine if you’re a data processor or a data controller, since they have different compliance obligations.
- Data controllers are responsible for protecting data, and their obligations include:
- Obtaining consent
- Governing access
- Ensuring the lawfulness of data processing
- Transparency of information
- Protecting accuracy
- Ensuring confidentiality
- Data processors collect and manipulate data. In some cases, this may be the data controller, but it may also be a third party or another service that analyzes the data. Processors have less autonomy over the data they process, but they still have obligations, including:
- Processing data only per instructions from the data controller
- Entering into a binding contract with the processor
- Not engaging sub-processors without the consent of the controller
- Ensuring the security of the data
- Notifying the controller of data breaches
- Following accountability guidelines
- Following international transfer protocols
- Cooperating with authorities
What data do you need to protect?
Finally, determine which data the GDPR requires you to protect. Under the GDPR, personal data is defined as, “any information related to a living, identified or identifiable natural person.” This includes all information that could be used to identify a person, such as:
- Names
- Location data
- Online identifiers
- Racial or ethnic origin
- Religious beliefs
- Political opinions
- Health information
- Sex life
- Genetic data
- Biometric data such as fingerprints or facial recognition
2. Assign roles and responsibilities.
Some of the new roles you may need for compliance include:
- Compliance officer
- Project manager
- Data protection officer (DPO) — Under Article 37, you need to designate a DPO if you are a public company, your company’s core activities involve handling data, or your company processes and stores large amounts of personal data belonging to EU citizens.
Outline the roles and responsibilities to see which can be filled by current staff and which will require new hires.
Tip: Invest time in getting support from your management team or the board because they will need to allocate resources. Make sure members understand the risks of insufficient data protection measures and the benefits of GDPR compliance.
3. Choose one or more frameworks.
Complying with the GDPR can be easier if you follow a framework that helps you implement core best practices for reducing data security and privacy risks in your systems and services. There is no one perfect framework, but there are various frameworks that can help you comply with different aspects of the GDPR. They include:
- ISO 27001 — An information security management system (ISMS) framework that helps reduce the risk of a breach
- ISO/IEC 27701:2019 — An extension to ISO/IEC 27001 focused on data privacy
- NIST Privacy Framework — A framework that helps identify and manage privacy risks
- NIST 800-30 Risk Assessment Framework — A guide for conducting risk assessments (which are discussed below)
- NIST 800-53 Security and Privacy Controls for Information Systems and Organizations — A catalog of security and privacy controls for information systems and organizations to protect against many different types of risks
- BS 10012 Personal Information Management — A framework for managing personal information
- PCI DSS Framework — A framework used to protect consumers’ payment card data
- NIST Cybersecurity Framework — A framework that helps organizations measure the maturity of their cybersecurity and risk management systems and identify steps to strengthen them
4. Perform risk assessments.
Performing risk assessments is an essential component of complying with Article 32 and Article 35 of the GDPR.
This is accomplished with a Data Protection Impact Assessment (DPIA), which is a method of analyzing, identifying and minimizing the data protection risks of a project. You must conduct a DPIA before you begin data processing that is likely to result in a high risk to personal data. Examples of high-risk processes include:
- Using new technology or using existing technology in a new way
- Automated decisions that could result in denial of services
- Large-scale monitoring of public places or other profiling on a large scale
- Processing biometric data used to identify an individual
- Processing genetic data, unless it’s done by an individual health care provider for the care of the data subject
- Matching or combining personal data from multiple sources
- Processing data that wasn’t obtained from the data subject
- Tracking an individual’s geolocation or behavior, online and offline
- Processing children’s data for marketing, profiling, automated decision making, or offering services
- Processing data that could result in physical harm to an individual if it were leaked
This list is not exhaustive; it’s up to you to decide whether to perform a DPIA for processes that aren’t specifically mentioned in Article 35. If you have any doubt, it’s better to do one. Ideally, a DPIA will be carried out during the planning stage of a project and will help you decide if there is a risk and how to mitigate it.
A DPIA should do all of the following:
- Identify the need for a DPIA by explaining the goal of your project and the type of processing involved
- Describe the processing, including its nature, scope, context and purpose
- Involve consulting with relevant stakeholders or explain why it’s not necessary
- Assess necessity and proportionality, including lawfulness and data minimization
- Identify and assess risks
- Identify measures to reduce risks
- Include sign-offs and record outcomes
After completing a DPIA, you should implement the measures you identified into your project and continue to review them throughout your project. For more information about performing a DPIA, read this article.
5. Establish data governance.
Data governance concerns the policies and processes around the appropriate use of personal data as it flows into and out of your organization. Data governance procedures ensure that high standards are maintained throughout the entire lifecycle of your data. Your data governance process must also meet the requirements of Article 30 that relate to records of the processing activity.
Your data governance strategy should include the following:
- A data inventory that provides a record of all sources of data your company has, what data is collected and how, and what happens to it
- Data classification, which groups data into types so it can be protected in accordance with its value and sensitivity
- Strategies for ensuring that your data collection processes are lawful, fair and transparent
- Methods for keeping records of the personal data processing up to date
- Procedures for performing a DPIA whenever your data processing is likely to result in a high risk, as outlined above
- Records that are in writing, including electronic form
- Records that are available to the supervisory authorities when requested
6. Implement appropriate controls.
The GDPR doesn’t specify the controls required for compliance, but lays out that you need to implement measures to address the “security of processing”:
- Use the most up-to-date software tools to secure customer data.
- Document the nature, purpose and scope of data processing.
- Segregate data and apply security measures appropriate to risk.
- Encrypt and pseudonymize data when possible.
- Make data available to the data subject.
- Protect personal data from being read or tampered with by unauthorized users.
- Regularly test and evaluate the effectiveness of your controls.
- Consider all the risks when you handle or process data.
Managing security controls, like most other aspects of GDPR compliance, is an ongoing process. Once you’ve implemented your controls, you’ll need to audit your data processing activities and security controls regularly. Look for a software solution that will automate the management of as many security controls as possible.
7. Uphold data subject rights.
You will also need policies for upholding the rights of data subjects — the people whose data you collect. In particular, you need a plan for how you will handle the following:
- Collecting and verifying data subject access requests (DSARs)
- Responding to DSARs within one month in order to avoid costly penalties
- Consent management policies that include data collection, retention and erasure
- Your cookie policy, including consent forms and methods for changing cookie preferences
- Policies and procedures for handling personal data breach obligations, including detecting, reporting and investigating breaches
8. Create and maintain required documents.
A number of articles of the GDPR require you to create documentation outlining how you store and process data. The GDPR doesn’t mandate how you should name your documents, so you may choose different titles than shown below. Additionally, some documents can be combined if appropriate. Here is a list of the documents you’ll need:
- Personal data protection policy (Article 24) — Outlines how privacy is managed in your company
- Privacy notice (Articles 12,13,14) — Outlines how personal data is processed
- Employee privacy notice (Articles 12, 13, and 14) — Explains how personal data of employees is processed
- Data retention policy (Articles 5, 13, 17, and 30) — Describes the process of deciding how long data is kept and how it’s destroyed
- Data retention schedule (Article 30) — Lists regulated data and explains how long each type of data will be kept
- Data flow mapping (Article 30, 25, 6, 28, 35) — Maps the flow of information
- Data subject consent form (Articles 6, 7, and 9) — Used to obtain consent to process personal data
- Supplier data processing agreement (Articles 28, 32, and 82) — Outlines data protection measures required of processors and other suppliers
- DPIA register (Article 35) — Documents the results of DPIAs
- Data breach response and notification procedure (Articles 4, 33, and 34) — Outlines the procedures to be performed before, during and after a data breach
- Data breach register (Article 33) — Records all data breaches
- Data breach notification form to the Supervisory Authority (Article 33) — The form you use to notify the Supervisory Authority of a data breach
- Data breach notification form to data subjects (Article 34) — The form you use to notify data subjects of a breach involving their private information
- Inventory of processing activities (Article 30) — An inventory that must be maintained by the controller
- Data Protection Officer job description (Articles 37, 38, and 39) — Details the responsibilities of your DPO (needed only if you are required to have a DPO)
Create and publish public documents.
The GDPR requires organizations to make the following information publicly available in clear, easy to understand language:
- Privacy policy
- Data retention policy
- Terms of data transfer to other countries
- Data protection policy
- Contact information, including how to contact your DPO if you have one
- Terms of use
- Payment policy & cookie policy
9. Train your employees.
Training your staff is a key rule of GDPR compliance. Following the regulations is not just an IT issue. You’ll need a comprehensive communication and training strategy that includes everyone from every level of the company.
Moreover, training shouldn’t be looked at as a one-and-done proposition. It should begin at the top of the company with a focus on creating a culture of compliance. Online training should be supplemented with specific, role-based education aimed at each department’s responsibilities and areas of risk.
10. Regularly perform gap analysis and remediation.
A gap analysis will assess your current measures compared to compliance standards. It will give you a deeper understanding of the steps you need to take to implement the processes, controls and other measures required to ensure compliance.
A GDPR compliance checklist can provide a place to start. Another way to gain insight into areas that may be out of compliance in your organization is by monitoring why other companies are fined for noncompliance.
Fines for GDPR Violations
Noncompliance with GDPR can result in hefty fines: up to 24.1 million dollars or 4 percent of the company’s annual global turnover, whichever is higher.
There are both mitigating and aggravating circumstances that affect the amount of the fine. Intentional violations are fined more harshly than negligent ones. Reporting violations as soon as possible and cooperating with authorities are mitigating circumstances. More serious violations, such as ones that involve data subjects’ rights and consent, are subject to higher fines.
Here are some of the steepest fines levied to date:
- H&M Clothing— This Swedish company was fined $41M for recording employee meetings and making the recordings available to over 50 managers. The sensitive data obtained from these recordings were used to evaluate employee performance and make other employment decisions.
- Google— Google was fined $56.6M for violations related to how they provided privacy notices and how they requested consent to use personal data for personalized advertising and other data processing. This fine could have been avoided if Google had provided more information and given data subjects more control over how their information was used. Google’s appeal was unsuccessful.
- Amazon — Amazon’s $877 million dollar fine is the largest ever recorded, by a factor of 15. The violation had to do with cookie consent, and it wasn’t the first time Amazon had been fined for this, which is likely one reason the fine was so hefty. The best way to avoid fines related to cookies is to obtain freely given, informed and clear consent before installing any cookies on a user’s device.
How can Netwrix help?
With Netwrix solutions, you can achieve, maintain and prove GDPR compliance with less effort and expense today. Netwrix products:
- Automate change, access and configuration auditing.
- Ensure accurate discovery and classification of regulated data.
- Provide actionable insight into your data and infrastructure security.
- Streamline data subject requests by automating the data collection process — a crucial and resource-intensive step.
Frequently Asked Questions
1. What is required for GDPR compliance?
The GDPR requires businesses to implement measures to protect the privacy of the personal data of EU residents.
2. How do you prove you are GDPR compliant?
You need to provide specific documents that demonstrate that you adhere to data protection principles, conduct DPIAs as required, have the necessary work roles assigned, are ready to report security breaches promptly, and so on.
