The General Data Protection Regulation (GDPR) is a European Union (EU) law that governs how organizations collect and use personal data. Any company operating in the EU or handling EU residents’ data must adhere to GDPR requirements.
However, GDPR compliance is not necessarily a straightforward matter. The law outlines a set of data privacy rights for users and a series of principles for the processing of personal data. Organizations must uphold these rights and principles, but the GDPR leaves some room for each company to decide how.
The stakes are high, and the GDPR imposes significant penalties for non-compliance. The most serious violations can lead to fines of up to EUR 20,000,000 or 4% of the organization’s worldwide global turnover in the previous year. GDPR regulators can also terminate illicit data processing activities and compel organizations to make changes.
The checklist below covers the core GDPR regulations. How an organization meets these regulations will depend on its unique circumstances, including the kinds of data it collects and how it uses that data.
The GDPR applies to any organization based in the European Economic Area (EEA). The EEA includes all 27 EU member states plus Iceland, Liechtenstein and Norway.
The GDPR also applies to organizations outside of the EEA if:
- The company regularly offers goods or services to EEA residents, even if no money is exchanged.
- The company regularly monitors the activity of EEA residents, such as by using tracking cookies.
- The company processes data on behalf of a company based in the EEA.
The GDPR doesn’t only apply to businesses using customer data for commercial purposes. It applies to nearly any organization that processes EEA residents’ data for any purpose. Schools, hospitals and government agencies all fall under GDPR authority.
The only data processing activities exempt from the GDPR are national security or law enforcement activities and purely personal uses of data.
The GDPR uses some specific terminology. To understand compliance requirements, organizations must understand what these terms mean in this context.
The GDPR defines personal data as any information relating to an identifiable human being. Everything from email addresses to political opinions counts as personal data.
A data subject is the human being who owns the data. Put another way, it’s the person the data relates to. Say a company collects phone numbers to send marketing messages via SMS. The owners of those phone numbers would be data subjects.
When the GDPR refers to data subjects, it means data subjects who reside in the EEA. Subjects need not be EU citizens to have data privacy rights under the GDPR. They merely need to be EEA residents.
A data controller is any organization, group or person that obtains personal data and determines how it is used. Returning to a previous example, a company collecting phone numbers for marketing purposes would be a controller.
Data processing is any action done to data, including collecting, storing or analyzing it. A data processor is any organization or actor that performs such actions.
A company can be both a controller and a processor, like a company that both collects phone numbers and uses them to send marketing messages. Processors also include third parties that process data on behalf of controllers, like a cloud storage service that hosts a phone number database for another business.
Supervisory authorities are the regulatory bodies that enforce GDPR requirements. Each EEA country has its own supervisory authority.
The GDPR compliance checklist
At a high level, an organization is GDPR compliant if it:
- Adheres to the data processing principles
- Upholds the rights of data subjects
- Applies appropriate data security measures
- Follows the rules for data transfers and data sharing
The following checklist breaks these requirements down further. The practical steps an organization takes to meet these requirements will depend on its location, resources and data processing activities, among other factors.
Data processing principles
The GDPR creates a set of principles organizations must follow when processing personal data. The principles are as follows.
The organization has a lawful basis for processing data.
The GDPR defines the circumstances under which companies can legally process personal data. An organization must establish and document its legal basis before collecting any data. The organization must communicate this basis to users at the point of data collection. It cannot change the basis after the fact unless it has user consent to do so.
The possible lawful bases include:
- The organization has the subject’s consent to process their data. Note that user consent is only valid if it is informed, affirmative and freely given.
- Informed consent means the company clearly explains what data it is collecting and how it will use that data.
- Affirmative consent means the user must take some intentional action to show consent, such as by signing a statement or checking a box. Consent cannot be the default option.
- Freely given consent means the company does not attempt to influence or coerce the data subject. The subject must be able to withdraw their consent at any time.
- The organization must process the data to execute a contract with the data subject or on the data subject’s behalf.
- The organization has a legal obligation to process the data.
- The organization must process the data to protect the life of the data subject or another person.
- The organization is processing data for reasons of the public interest, such as journalism or public health.
- The organization is a public authority processing data to perform an official function.
- The organization is processing the data to pursue a legitimate interest.
- A legitimate interest is a benefit the controller or another party could gain by processing the data. Examples include conducting background checks on employees or tracking IP addresses on a corporate network for cybersecurity purposes. To claim a legitimate interest basis, the organization must prove that the processing is necessary and does not infringe on subjects’ rights.
The organization collects data for a specific purpose and only uses it for that purpose.
According to the GDPR principle of purpose limitation, controllers must have an identified and documented purpose for collecting data. The controller must communicate this purpose to users at the point of collection, and it can only use the data for this named purpose.
The organization only collects the minimum amount of data necessary.
Controllers can only collect the minimum amount of data necessary to fulfill their stated purpose.
The organization keeps data accurate and up to date.
Controllers must take reasonable steps to ensure the personal data they hold is accurate and current.
The organization deletes data when it is no longer needed.
The GDPR requires strict data retention and deletion policies. Companies can only keep data until the specified purpose for collecting that data has been fulfilled, and they must delete the data once they no longer need it.
The organization takes extra precautions when processing children’s data or special category data.
Controllers and processors must apply additional protections to certain types of personal data.
Special category data includes highly sensitive data like a person’s race and biometrics. Organizations can only process special category data in very limited circumstances, such as to prevent serious public health threats. Companies can also process special category data with the subject’s explicit consent.
Criminal conviction data can only be controlled by public authorities. Processors can only process this information at a public authority’s direction.
Controllers must obtain a parent’s consent before processing children’s data. They must take reasonable steps to verify the ages of subjects and the identities of parents. If collecting data from children, controllers must present privacy notices in child-friendly language.
Each EEA state sets its own definition of “child” under the GDPR. These range from “anyone under the age of 13” to “anyone under the age of 16.”
The organization documents all data processing activities.
Organizations with more than 250 employees must keep records of data processing. Organizations with less than 250 employees must keep records if they process highly sensitive data, process data regularly or process data in a way that poses a significant risk to data subjects.
Controllers must document things like the data they collect, what they do with that data, data flow maps and data safeguards. Processors must document the controllers for which they work, the types of processing they do for each controller and the security controls they use.
The controller is ultimately responsible for ensuring compliance.
Under the GDPR, ultimate responsibility for compliance rests with the data’s controller. This means the controller must ensure—and be able to prove—that its third-party processors meet all relevant GDPR requirements.
Data subjects’ rights
The GDPR grants data subjects certain rights over their data. Controllers and processors must honor these rights.
The organization offers data subjects easy ways to exercise their rights.
Organizations must give data subjects a simple means of asserting their rights over their data. These rights include:
- The right to access: Subjects must be able to request and receive copies of their data, as well as relevant information about how the company uses the data.
- The right to rectification: Subjects must be able to correct or update their data.
- The right to erasure: Subjects must be able to request deletion of their data.
- The right to restrict processing: Subjects must be able to restrict how their data is used if they suspect the data is inaccurate, no longer necessary or being misused.
- The right to object: Subjects must be able to object to processing. Subjects who have previously granted their consent must be able to easily withdraw it at any time.
- The right to data portability: Subjects have the right to transfer their data, and controllers and processors must facilitate these transfers.
In general, organizations must respond to all data subject access requests within 30 days. Companies must typically comply with a subject’s request unless the company can prove it has a legitimate, overriding reason not to.
If an organization rejects a request, it must explain why. The organization must also tell the subject how to appeal the decision to the company’s data protection officer or the relevant supervisory authority.
The organization offers data subjects a way to contest automated decisions.
Under the GDPR, data subjects have a right not to be bound by automated decision-making processes that could have a significant impact on them. This includes profiling, which the GDPR defines as using automation to evaluate some aspect of a person, such as predicting their work performance.
If an organization does use automated decisions, it must give data subjects a way to contest those decisions. Subjects can also request that a human employee review any automated decisions that impact them.
The organization is transparent about how it uses personal data.
Controllers and processors must proactively and clearly inform data subjects about data processing activities, including the data they collect, what they do with it and how subjects can exercise their rights over data.
This information must typically be communicated through a privacy notice presented to the subject during data collection. If the company does not collect personal data directly from subjects, privacy notices must be sent to the subjects within a month. Companies may also include these details in privacy policies that are publicly accessible on their websites.
Data privacy and protection measures
The GDPR requires controllers and processors to take steps to prevent the misuse of personal data and protect data subjects from harm.
The organization has implemented appropriate cybersecurity controls.
Controllers and processors must deploy security measures to protect the confidentiality and integrity of personal data. The GDPR does not require any particular controls, but it does state that companies must adopt both technical and organizational measures.
Technical measures include technology solutions, such as identity and access management (IAM) platforms, automated backups and data security tools. While the GDPR does not explicitly mandate encrypting data, it does recommend that organizations use pseudonymization and anonymization wherever possible.
Organizational measures include employee training, ongoing risk assessments and other security policies and processes. Companies must also follow the principle of data protection by design and by default when creating or implementing new systems and products.
The organization conducts data protection impact assessments (DPIAs) as required.
If a company plans to process data in a way that poses a high risk to the rights of subjects, it must first conduct a data protection impact assessment (DPIA). Types of processing that could trigger a DPIA include automated profiling and the large-scale processing of special categories of personal data, among others.
A DPIA must describe the data being used, the intended processing and the purpose of the processing. It must identify the risks of processing and ways to mitigate those risks. If significant unmitigated risk exists, the organization must consult a supervisory authority before moving forward.
The organization has appointed a data protection officer (DPO) if required.
An organization must appoint a data protection officer (DPO) if it monitors subjects on a large scale or processes special category data as a core activity. All public authorities must appoint DPOs as well.
The DPO is responsible for ensuring the organization remains GDPR compliant. Key duties include coordinating with data protection authorities, advising the organization on GDPR requirements and overseeing DPIAs.
The DPO must be an independent officer who reports directly to the highest level of management. The organization cannot retaliate against the DPO for performing their duties.
The organization notifies supervisory authorities and data subjects when data breaches occur.
Organizations must report most personal data breaches to the relevant supervisory authority within 72 hours. If the breach poses a risk to data subjects, the organization must also notify the subjects. Organizations must notify subjects directly unless direct communication would be unreasonable, in which case a public notice is acceptable.
Processors that suffer a breach must notify the relevant controllers without undue delay.
If located outside the EEA, the organization has appointed a representative in the EEA.
Any company outside the EEA that regularly processes EEA residents’ data or processes particularly sensitive data must appoint a representative within the EEA. The representative coordinates with government authorities on behalf of the company and acts as the point of contact for GDPR compliance matters.
Data transfers and data sharing
The GDPR sets rules for how organizations share personal data with other companies within and outside the EEA.
The organization uses formal data processing agreements to govern relationships with processors.
A controller can share personal data with processors and other third parties, but these relationships must be governed by formal data processing agreements. These agreements must outline the rights and responsibilities of all parties with respect to the GDPR.
Third-party processors can only process data according to the controller’s directions. They cannot use a controller’s data for their own purposes. A processor must obtain approval from the controller before sharing data with a sub-processor.
The organization only conducts approved data transfers outside the EEA.
A controller can only share data with a third party located outside the EEA if the data transfer meets at least one of the following criteria:
- The European Commission has deemed the data privacy laws of the country where the third party is located to be adequate.
- The European Commission has deemed the third party to have adequate data protection policies and controls.
- The controller has taken all the steps necessary to ensure the security and privacy of the data being transferred.
Explore GDPR compliance solutions
GDPR compliance is an ongoing process, and an organization’s requirements can change as it collects new data and engages in new kinds of processing activities.
Data security and compliance solutions like IBM Security® Guardium® can help streamline the process of reaching—and maintaining—GDPR compliance. Guardium can automatically discover GDPR-regulated data, enforce compliance rules for that data, monitor data usage and empower organizations to respond to threats to data security.