What Is GDPR Compliance?

The European Union’s General Data Protection Regulation (GDPR) is a data privacy standard introduced in 2018 that provides rules for the protection and privacy of EU citizens’ personal data.

The GDPR specifies how businesses should handle the personal data of any of their customers who reside in the European Union. It also includes mandates for cybersecurity systems and processes that businesses must implement to protect that data.

Any business with customers in the EU, regardless of whether the company itself is located there, is obligated to meet GDPR requirements or face potential fines and potential loss of business. Businesses are also liable for how any third-party vendors or contractors use and protect their customer data.

image
image
How to vendor Risk Management
and the GDPR
WATCH THE WEBINAR

Why Is GDPR Compliance Important?

Over the last several years, there has been a growing demand for greater oversight on how companies collect, use, share and delete customer data. The GDPR requires that if your business collects personal data of EU citizens, regardless of where your business is located, that you have controls in place to protect your customers.

Compliance is non-negotiable, and the price for non-compliance can be hefty. GDPR penalties are two-tiered depending on the severity of the infringement. Even a lower-tier offense, however, could result in fines up to $10.57 million (€10 million) or 2 percent of a company’s annual global revenue, whichever is greater.

On the higher end, a larger violation can result in fines up to $21.16 million (€20 million) or 4 percent of annual global revenue, whichever is greater. These fines are enough to put the long-term sustainability of your business in jeopardy. The repercussions are simply too serious to ignore.

For example, in 2017, LinkedIn suffered a data breach that resulted in compromised sensitive information for 165 million users. The breach cost LinkedIn more than £3 million, or approximately $4.15 million dollars.

GDPR Requirements at a Glance

While the EU has not been updated since its release in 2018, on Jan. 31, 2020, the UK implemented its own version of the standard, UK-GDPR (the United Kingdom General Data Protection Regulation) after Brexit.

For businesses with customers in the EU, GDPR compliance requirements encompass the following criteria:

Data processing, to ensure the privacy of data owners
Data protection, or safeguarding data against breaches and unauthorized use (risk)
Responding to breaches and theft in a timely and effective manner
Data subject rights such as right to access, amend, restrict, delete.

The GDPR also mandates that companies:

  • Hire a data protection officer (DPO) to oversee data security and enforce GDPR compliance.
  • Perform a data protection impact assessment and compile a record of processing activities in certain circumstances.
  • Create an online privacy policy where the organization states the personal data it collects and how such data is used.

GDPR Compliance Audit Checklist

A best practices guide to GDPR compliance revolves around the principle of creating transparency in data practices. It requires an “all-hands” initiative from functions in your business, including HR, IT, security, and even marketing and sales — essentially, any business unit that interacts with customer data.

Furthermore, achieving compliance will likely require developing new processes and controls as well as internal data mapping that ties all of your data to each operation, service, tool, vendor and any other aspect of the business that comes into contact with sensitive data. The following checklist can help you prepare for a GDPR audit.

1

Conduct an information audit to determine whether you need to comply with the GDPR and, if so, to collect evidence for your GDPR audit.

  • What personal data does your organization process? Does any of it belong to EU individuals? Are the processing activities related to offering goods or services to those individuals? If so, you probably need to comply with GDPR.
  • Document all the personal data that you have, where it came from, and with whom you share it.
2

Educate your employees about GDPR and what compliance entails.

3

Review your consent management privacy notices. Make sure they are clear and concise, and that they explain your “lawful basis” for processing personal data.

4

Put procedures in place to provide data subjects’ personal information to them or deletion information within 30 days of their requesting it.

5

Set up a form on your website to obtain data subjects’ consent at the time of collecting their data.

6

Establish a way to verify data subjects’ identities and ages, and for obtaining the parental or guardian consent of minors before processing their data.

7

Encrypt your data. Doing so can reduce your fines should your data get breached.

8

Conduct a data protection impact assessment (DPIA) — a risk assessment concerning your organization’s data handling processes.

9

Tighten your data security. End-to-end encryption is a must.

10

Appoint a data protection officer or another person to oversee GDPR compliance.

11

Draw up a data processing agreement with vendors requiring GDPR compliance, and have them sign it.

12

Designate a representative in an EU member state, if Article 27 requires your organization to do so.

13

If you are a multinational organization, check your compliance with GDPR Article 45, which regulates the transfer of personal data from the EU to non-EU countries.

14

Implement the appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

15

Implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Be prepared for your GDPR Audit! Download our step-by-step guide

DOWNLOAD NOW
image

RiskOptics Has Your GDPR Compliance Solution

Our RiskOptics Risk Insiders can walk you through the GDPR requirements, helping you examine your environment, data and policies and assure that the proper risk management controls are in place to protect your GDPR data.

We can also advise on documentation best practices and provide a readiness assessment template that you can use to assure compliance and verify an appropriate audit trail in the event of an official compliance review.

Using our flexible solutions can also enable you to more efficiently organize and manage GDPR requirements, as it automates many of the tedious manual processes that otherwise monopolize your time and frees up resources required to manage.

ZenGRC GDPR Capabilities

Our fully integrated and automated SaaS risk and compliance management platform equips you with a strong foundation for GDPR compliance, enabling you to monitor your program over time to ensure you remain compliant and avoid non-compliance penalties. Our platform capabilities include:

  • Automation to streamline compliance workflows and data flows
  • Monitoring of the entire compliance lifecycle
  • User-friendly dashboard with real-time metrics on prioritized GDPR audit tasks or required documentation
  • Pre-built evidence request templates to help you prepare for auditing
  • A central repository to organize all your documentation
  • Control mapping to fulfill multiple requirements, whether they be for GDPR, PCI DSS or CCPA, with a single control
  • Tracking of outstanding GDPR tasks
  • Complete Risk Management functionality for assessments, scoring, and treatment throughout the risk lifecycle
Ready to see ZenGRC in action?

Frequently Asked Questions

The GDPR is a legal requirement for any organization that markets to or services customers who reside in the European Union or the United Kingdom.

The GDPR sets forth certain privacy rights for EU and UK citizens, such as the right to be forgotten and the right to obtain your user consent before sharing your data with a third party. For organizations, the GDPR is a legal framework that covers data governance, data privacy and data management for any organization with customers in the U.K. or EU, regardless of where the company itself is located.

On the higher end, a larger violation can result in fines up to $21.16 million (€20 million) or 4 percent of a company’s annual global revenue, whichever is greater.

To guide enforcement of GDPR, the standard sets forth seven principles. They are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Yes, G Suite is GDPR compliant — but not out of the box. To achieve GDPR compliance in G Suite, customers must sign the Data Processing Amendment and model contract clauses when purchasing a G Suite professional license.

Both Jira Software and Jira Service Management Cloud editions are GDPR-compliant, according to the Atlassian Cloud Roadmap.

According to its GDPR services readiness announcement, AWS states that its services can be used in compliance with GDPR privacy regulations.