The General Data Protection Regulation (GDPR) was created by the European Union (EU) to establish guidelines for the collection and processing of their citizens’ personal information. While the bulk of data referred to in the GDPR requirements is collected online from websites and applications, it also covers data collected on paper and other media.
GDPR requirements apply to all EU citizens, whether inside or outside of an EU member country. It also applies to all organizations that touch EU citizens’ personal data regardless of where their website or company is based. According to GDPR requirements, companies must employ data and privacy protections for Personally Identifiable Information (PII) related to any EU citizen they engage with, including employees, customers, and third-party vendors.
GDPR was approved by EU members in 2016 and went into full effect two years later. It is a replacement for the Data Protection Directive, which was enacted in 1995. The driver for GDPR was to give EU consumers control over their personal data by regulating how companies can use this information.
What is considered personally identifiable information (PII)?
Almost all interactions with organizations involve an exchange of personal data. In many cases, individual pieces of this data are not enough to identify a person, such as:
- Date of birth
- Education information
- Email address
- Employment information
- Financial information
- Geographical indicators
- Medical information
- Place of birth
- Telephone number
However, when aggregated, personal data, such as that noted above, can identify a particular person and become personally identifiable information or PII. Examples of PII include:
- Biometric data—retina scans, voice signatures, or facial geometry
- Name—full name, maiden name, mother’s maiden name, or alias
- Personal address information—physical address or email address
- Personal characteristics—photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
- Personal identification numbers—social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
- Personal telephone numbers
To comply with GDPR, companies must employ data and privacy protections for PII related to any EU citizen they engage with, including employees, customers, and third-party vendors.
Read on to learn about:
- GDPR requirements
- Who must comply with GDPR requirements
- The seven principles of GDPR and related requirements
- GDPR requirements for individual rights
- Ensuring compliance with GDPR requirements
What are GDPR requirements?
1. Lawful, fair, and transparent processing (GDPR Chapter 2, Article 5a)
“Personal data shall be:”
5a: “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency.’)”
5b: “Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);”
To comply with these GDPR requirements, organizations must have documented a lawful reason for processing personal data. They must also have consent from data subjects to collect the information as well as make them aware of how it will be processed and used.
Meeting GDPR requirements for lawful, fair, and transparent processing means:
- Lawful means all processing should be based on a legitimate purpose.
- Fair means companies take responsibility and do not process data for any purpose other than the stated, legitimate purposes.
- Transparent means that companies must inform data subjects about the processing activities used for their personal data.
2. Limitation of purpose, data, and storage (GDPR Chapter 2, Article 5b and 5c)
“Personal data shall be:”
5c: “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);”
GDPR requirements compel organizations to document the reason information is collected and processed as well as ensure that information is deleted when it’s no longer needed (i.e., data minimization). Leeway is given for information processing for archiving purposes, including the public interest, as well as for scientific, historical, or statistical purposes.
To effectively meet GDPR requirements, organizations should:
- Forbid processing of personal data outside the legitimate purpose for which the personal data was collected.
- Mandate that no personal data, other than what is necessary, be requested.
- Ask that personal data be deleted once the legitimate purpose for which it was collected is fulfilled.
3. Data subject rights (GDPR Chapter 3, Articles 12-23)
Eleven rights of data subjects that detail GDPR requirements are codified in five sections:
- Transparency and modalities
- Information and access to personal data
- Rectification and erasure
- Right to object and automated individual decision-making
4. Consent (GDPR Chapter 2, Article 6)
“Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
According to GDPR requirements, data subject consent is only one of six lawful prerequisites for processing information. To gain consent, the processor must have active approval from an individual. That is, data subjects must take affirmative action to grant consent rather than the processor using a passive approach.
In addition, the consent must be documented, and the data subject must have the ability to withdraw consent at any time. For processing data for children under the age of 16, parental or guardian consent is required.
5. Notification of data breach (GDPR Chapter 4, Article 33)
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. “
Article 4 (in chapter 2) defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
It is notable that what qualifies as a data breach under GDPR goes beyond a cybercrime. A data breach could be something as simple as sharing files with someone outside of the organization, an employee sending an email containing sensitive information to the wrong person, or someone accessing files without authorization.
6. Data protection by design and by default (Chapter 4, Article 25)
“…at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing…”
To meet GDPR requirements for data protection by design, organizations must consider data privacy at the start of data processing.
7. Data protection impact assessment (Chapter 4, Article 35)
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
According to GDPR requirements, a data protection impact assessment must be performed in these cases:
- “A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
- A systematic monitoring of a publicly accessible area on a large scale.”
8. Data transfers (GDPR Chapter 5, Article 44)
“Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization. The rules surrounding data transfers depend on where you are moving data to and from.”
Additional GDPR requirements related to data transfers are detailed in Articles 45, 46, 47, and 48, which are also part of chapter 5. These articles cover specific types of transfers and required data protection, including transfers to countries outside of the EU.
9. Data protection officer or DPO (Chapter 4, Articles 37, 38, and 39)
Article 37 states, “The controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.”
GDPR requirements for the DPO are outlined in Article 38. A key point in Article 38 is, “Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.”
The tasks of a DPO are enumerated in Article 39. These include:
- Advising staff on their data protection responsibilities.
- Briefing management on whether data protection impact assessments (DPIAs) are necessary.
- Monitoring the organization’s data protection policies and procedures.
- Serving as the point of contact between the organization and its supervisory authority as well as for individuals on privacy matters.
10. Awareness and training (Chapter 4, Article 39)
“to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including… awareness-raising and training of staff involved in processing operations…”
To adhere to GDPR requirements, organizations need to ensure that training is comprehensive and designed for each of the different roles in an organization. Data protection training related to GDPR is mandatory for any employee who handles sensitive information from an EU citizen.
Who must comply with GDPR requirements?
GDPR requirements apply to all members of the EU and the European Economic Area (EEA) that store or process information about EU citizens regardless of where websites and residents are based. Therefore, they apply to any organization with digital properties with European visitors, even if EU citizens are not their target market. And, even if the EU citizen is visiting or resides elsewhere, GDPR requirements still must be followed.
The criteria for organizations to comply with GDPR requirements are as follows; they apply to many companies:
- A presence in an EU country
- No presence in the EU, but processes the personal data of European residents
- More than 250 employees
- Fewer than 250 employees, but data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data
GDPR requirements in the 7 principles of GDPR
Article 5 in chapter two of the GDPR details seven principles relating to the processing of personal data.
1. Lawfulness, fairness, and transparency: Lawfulness is based on having a good reason to process personal data. Fairness refers to users being able to understand why their data is processed and that it will not be mishandled or misused. Finally, transparency directs organizations to be clear, open, and honest about who they are and what they are doing with the data.
2. Purpose limitation: GDPR establishes parameters for how data can be used, stating that it only be “collected for specified, explicit, and legitimate purposes.”
3. Data minimization: The GDPR requirements for data minimization direct organizations to only collect the bare minimum of information needed to achieve objectives.
4. Accuracy: To comply with GDPR requirements, organizations must take responsibility for the accuracy of the personal data that is collected and stored, including implementing checks and balances to assure and maintain the integrity of the data.
5. Storage limitation: The amount of time that data can be stored is also part of GDPR requirements. Organizations must explain why they need to store the data and the reasoning behind the retention period.
6. Integrity and confidentiality: Organizations are responsible for data protection. Security systems must be in place to ensure that personal data is protected from unauthorized access, unlawful processing, and accidental damage, loss, or destruction.
7. Accountability: Proof of compliance with GDPR requirements and processing principles is mandatory. Organizations can be called upon at any time to demonstrate compliance.
GDPR requirements regarding individual rights
In chapter three, eight rights of individuals under GDPR are defined.
1. The Right to Information: Right to be informed by organizations about how information is collected, how long it will be stored, and with whom it will be shared.
2. The Right of Access: Right to be informed by organizations about what information is collected, how it is stored and processed, and how it will be used.
3. The Right to Rectification: Right to have incomplete or inaccurate information corrected.
4. The Right to Erasure: Right to have records with personal data permanently erased.
5. The Right to Restriction of Processing: Right to limit the processing of personal data in the event that it cannot be erased.
6. The Right to Data Portability: Right to obtain and reuse their personal data as well as request that organizations send this information to third parties.
7. The Right to Object: Right to object to the processing of personal data. However, organizations can override objects in some circumstances.
8. The Right to Avoid Automated Decision-Making: Right to deny the use of algorithms to make decisions and to opt out of automated decision-making.
Ensuring compliance with GDPR requirements: Tips and rewards
The broad reach and steep penalties (i.e., €20 million or 4% of global annual turnover) that come with GDPR noncompliance demand attention. Following are several best practices to consider with regard to meeting GDPR requirements.
- Assess mobile apps for compliance with GDPR requirements. With many team members accessing and storing PII on mobile devices, ensuring that those applications and devices meet GDPR requirements is important.
- Conduct periodic risk management strategy assessments. With ongoing organizational and operational changes, it is important to stay on top of exactly what EU citizen data is stored and processed and any associated risks. Mitigation and remediation measures should also be considered as part of the risk management strategy assessment. Particular attention should be paid to shadow IT instances that are collecting and storing PII.
of business risk can be
tied to just 5% of users
minimum fine for
non-compliance to GDPR
Compliance with GDPR requirements necessitates a comprehensive review of who has access to what data and where regulated data resides.
- Develop and maintain a data protection plan that addresses GDPR requirements. If a data protection plan is not in place, make putting one together a top priority. For organizations that have a data protection plan in place, review it to ensure alignment with GDPR requirements. Data protection plans should also be checked regularly to adjust to changes and updates to GDPR requirements.
- Drive a sense of urgency from top management. Having executive leadership initiate the prioritization of compliance with GDPR requirements ensures that it is top-of-mind throughout the organization.
- Hire or appoint a DPO, if the position has not been filled already. While GDPR requirements do not explicitly call out the need for a DPO as a discreet position, it behooves organizations to have someone focused on executing this function. And, since GDPR allows a DPO to work for multiple organizations, a consultant can be engaged on a part-time basis.
- Involve all the stakeholders. Commonly, GDPR requirements are thought to be an IT issue—not so. IT alone is ill-prepared to meet GDPR requirements. Most groups in an organization collect, analyze, or use customers’ PII, including marketing, finance, sales, and operations.
- Monitor systems and processes for meeting GDPR requirements. Ongoing monitoring should be in place to ensure that an organization remains compliant with GDPR requirements.
- Test data-related incident response plans. Among the many GDPR requirements is one specifying that organizations must report a data breach within 72 hours of becoming aware of it. A well-thought-out incident response plan that is tested and put through dry runs can go a long way to meeting GDPR requirements and mitigating damage.
Yes, this takes time, but any organization that is subject to GDPR should invest in systems and processes to ensure compliance. The benefits go far beyond simply being compliant. Many of the GDPR requirements have the halo effect of enhancing security and bolstering brand perception by improving consumer confidence.
You might also be interested in:
Take control of your cloud platform.
Learn more about SailPoint Identity Security.