What is GDPR and Who Needs It?

Ben Pournader
11 min read · Jun 12, 2024


Introduction

The goal of the General Data Protection Regulation (GDPR) is to give EU residents a consistent and harmonized approach to privacy, strengthening individuals’ rights to data protection. After nearly four years of discussion and negotiation, the GDPR was approved by the EU Parliament back in 2016. Although it became effective 20 days after approval, enforcement began in 2018. While this might seem like ample preparation time, the significant changes it introduced required extensive work.

By enacting the GDPR, the EU demonstrates its strong commitment to protecting the personal data of EU data subjects (PII principals, in the terminology of ISO/IEC 29100), extending this protection beyond companies operating within the EU.

This article explains the GDPR. A fundamental change from the previous data protection framework (the EU Data Protection Directive) is the decision to establish the new privacy framework as a regulation. A regulation is a binding legislative act that is directly applicable to all EU member states and beyond, eliminating the need for individual local legislative acts. However, variations in interpretation and enforcement across different member states were expected.

What Does GDPR Bring to The Table?

Data Security Measures: Both Data Controllers (those who determine the purpose and means of processing personal data) and Data Processors (those who process it on the controller’s behalf) must implement technical and organizational measures to ensure an appropriate level of privacy assurance and data security. This includes maintaining the confidentiality, integrity, availability, and resilience of systems, as well as regularly validating the effectiveness of these measures.

Global Reach: The GDPR extends beyond EU companies to cover companies outside the EU that offer goods or services to EU Data Subjects (identified or identifiable individuals to whom personal data relates), even if provided for free, or that perform even basic tasks such as monitoring the behavior of Data Subjects within the EU.

Data Minimization and Consent: Organizations must minimize data collection and retention and may obtain explicit consent from consumers when processing their data. This involves collecting only the information needed for the intended purpose, minimizing data sharing, and limiting how long data is kept.

Right to be Forgotten: The GDPR strengthens the right of individuals to have their personal data erased by organizations, including data published publicly on the web! Organizations are obligated to erase personal data without undue delay, especially data collected when the individual was a child.

Data Breach Notification: In the event of a personal data breach, companies must notify the Data Protection Authority (DPA) within 72 hours of detecting the violation. Affected individuals must also be notified if there is a risk of unauthorized access to their information. Notification is not required if the breach is unlikely to result in a risk to individuals’ rights and freedoms.

Data Protection Officer (DPO): Big corporations or organizations handling special categories of personal data on a large scale must appoint a DPO as part of their board.

Penalties for Non-Compliance: Non-compliance with GDPR can result in severe penalties, including fines of up to €20 million or up to 4% of annual turnover, whichever is higher!

New Rights for Data Subjects

GDPR introduced new rights for data subjects, including:

Rights to Access, Rectification, and Portability

Right to Object

Rights to Erasure and Restriction of Processing

There are a total of eight key data subject rights under GDPR:

  1. Right to be informed,
  2. Right of access,
  3. Right to rectification,
  4. Right to erasure (right to be forgotten),
  5. Right to restrict processing,
  6. Right to data portability,
  7. Right to object to processing,
  8. Rights related to automated decision-making and profiling

These rights empower individuals with control over their personal data, requiring organizations to handle data with transparency and respect.

The most notable of these changes is the “right to be forgotten.” This right can be invoked in specific situations, such as when the data subject withdraws consent or when there is no longer a valid reason for processing their personal data.

When receiving these requests, the data controller must respond without undue delay and notify all entities with whom the data has been shared. To comply with these requirements, data controllers must have a thorough inventory and mapping of the personal data they hold, in addition to a document called the Inventory of Processing Activities, enabling them to respond promptly to data subject access requests in all forms.

Should our Organization Become GDPR Compliant?

Both of the following types of organization must comply with GDPR:

EU-Based Companies: Companies (both controllers and processors) established in the EU, regardless of where the data processing occurs.

Non-EU Companies: Companies (both controllers and processors) not established in the EU but offering goods or services within the EU or to EU individuals.

One of the most important changes under the GDPR is its extended applicability, affecting entities not established in the EU. The GDPR applies to the processing of personal data of EU data subjects, regardless of where the processing activities occur. It also applies to entities outside the EU if they offer goods or services to individuals in the Union or monitor the behavior of individuals in the Union (e.g., profiling activities, tracking individuals’ activities on the internet).

The GDPR applies to personal data concerning individuals within the Union, irrespective of their nationality or habitual residence. For example, a company based in the EU processing the data of American individuals must comply with the GDPR. Consequently, these American individuals will benefit from all rights provided by the GDPR, even if such rights do not exist under their national laws.

However, if the data of EU citizens is processed outside the EU by companies also outside the EU, this does not fall under “in the Union.” For instance, the EU GDPR does not apply to a hospital in the United States simply because some of its patients may be EU citizens. In this case, the processing does not occur “in the Union,” nor are the individuals “in the Union.”

One consequence of the extraterritorial reach of GDPR is that companies not established in the EU must appoint a representative based in a Member State where the relevant data subjects are located. A limited derogation is permitted if the processing is occasional, does not involve large-scale processing of sensitive personal data, and is unlikely to pose a risk to individuals.

Additionally, it is important to note that employee personal data falls under the scope of GDPR regulation.

Data Transfer

GDPR imposes restrictions on transfers to locations outside the European Union to ensure an adequate level of personal data protection.
According to the GDPR, data transfer outside the EU is permitted if one of the following conditions is met:

Adequacy Decision: The EU has determined that the country in question has data protection laws equivalent to those of the EU. For example, Canada, Argentina, Israel, New Zealand, Switzerland and Uruguay have been recognized by the EU as countries with adequate protection.

Appropriate Safeguards: These can include mechanisms such as contracts incorporating EU model clauses for the transfer of personal data.

Specific Derogations: These include instances such as obtaining clear and informed consent from the data subject.

Data transfers are one of the most complicated areas of GDPR. Organizations that have traditionally relied on user consent for data transfers may need to revise their data transfer frameworks to comply with GDPR requirements or risk facing significant penalties.

Security in GDPR

GDPR mandates that companies secure personal data. Although this obligation is broadly stated, it provides some guidance on protective measures, such as:

  1. Encryption and Pseudonymization: Techniques to enhance some aspects of data security.
  2. Maintaining IT System Security: Ensuring the confidentiality, integrity, availability, and resilience of IT systems.
  3. Restoration Capabilities: Ability to restore availability and access to personal data in a timely manner.
  4. Regular Testing: Regularly assessing and testing the effectiveness of deployed security measures.

These measures are examples and not mandatory. Companies must demonstrate their security measures by assessing the risk and making sure they are suitable for protecting personal data.

Controllers and Processors

In the context of GDPR, data controllers and data processors have distinct roles and responsibilities regarding the handling of personal data:

A Data Controller is an entity (individual, company, or organization) that determines the purposes and means of processing personal data. A controller’s responsibilities are:

  1. Decision-Making: Controllers decide why and how personal data should be processed.
  2. Compliance: Controllers are primarily responsible for ensuring that the processing activities comply with GDPR.
  3. Data Subject Rights: Controllers must facilitate and address data subjects’ rights (such as access, rectification, and erasure of personal data).
  4. Contracts with Processors: When engaging a processor, controllers must establish a contract outlining the processor’s data protection obligations.
  5. Data Breach Notification: Controllers must notify the data protection authority (DPA) within 72 hours of becoming aware of a breach, with details, if the breach is likely to result in a risk to the rights and freedoms of data subjects.

A Data Processor is an entity that processes personal data on behalf of the controller, following the controller’s instructions. A processor’s responsibilities are:

  1. Processing Data: Processors handle the data only as directed by the controller and cannot use it for their own purposes.
  2. Security Measures: Processors must implement appropriate technical and organizational measures to ensure data security.
  3. Sub-Processing: Processors must obtain the controller’s consent before engaging any sub-processors and ensure that sub-processors comply with the same data protection obligations.
  4. Data Breach Notification: Processors must notify the controller of any data breaches without undue delay.

Key Differences

  1. Control and Decision-Making: Controllers have the authority to decide the purposes and means of processing, whereas processors act on the controller’s instructions.
  2. Compliance and Accountability: Controllers bear the primary responsibility for GDPR compliance, while processors are responsible for implementing adequate security measures and following the controller’s instructions.
  3. Contracts and Agreements: Controllers must ensure that data processing agreements with processors clearly outline the responsibilities and obligations of both parties regarding data protection.

DPO, to Have or Not to Have?!

Certain organizations are required to appoint a Data Protection Officer (DPO), but only in specific instances:

When the data controller or processor is a public authority.

When the core activities of the data controller or processor involve regular and systematic monitoring of data subjects on a large scale.

When the data controller or processor conducts large-scale processing of special categories of personal data (such as ethnicity, racial origin, political opinions, religious beliefs, etc.).

OK, Who is the DPO?!

Under the GDPR, a Data Protection Officer (DPO) is a designated individual responsible for overseeing an organization’s data protection strategy and ensuring compliance with GDPR requirements. The DPO’s role is critical in fostering a data protection culture within the organization and acting as a point of contact between the organization, data subjects, and the supervisory authorities.

Responsibilities of a DPO:

  1. Monitoring Compliance: Ensuring that the organization complies with GDPR and other data protection laws.
  2. Advising on Data Protection Impact Assessments (DPIAs): Providing guidance on when and how to conduct DPIAs.
  3. Training and Awareness: Conducting training sessions and raising awareness about data protection within the organization.
  4. Cooperating with Supervisory Authorities: Acting as the contact point for data protection authorities and cooperating with them during investigations or audits.
  5. Responding to Data Subject Requests: Assisting in the handling of requests from data subjects concerning their data protection rights.

Role and Independence

  1. Autonomy: The DPO should be able to operate independently and report directly to the highest level of management.
  2. Resources: The organization must provide the DPO with the necessary resources to perform their duties effectively.
  3. No Conflict of Interest: The DPO should not have a role within the organization that leads to a conflict of interest, ensuring impartiality in their data protection responsibilities.

Is End User Consent Really Needed?

Under GDPR, there are six legal bases for processing data, and consent is only one of them. These bases are:

  1. Compliance with a legal obligation.
  2. Contractual necessity.
  3. Protection of vital interests.
  4. Public interest or official authority.
  5. Legitimate interests.
  6. And finally: Data subjects’ consent.

Each basis has specific criteria and examples, and organizations must determine and document the appropriate legal basis for their data processing activities to ensure GDPR compliance.

Breach Notification

Organizations must also adhere to specific standards for breach notifications. If a data breach occurs, organizations must notify the supervisory authority (an independent public authority established by a member state pursuant to Article 51 of the GDPR) “without undue delay,” unless the breach poses no risk to data subjects. If there is a risk to the affected individuals, organizations must also communicate this to the affected data subjects, again “without undue delay.”

Under the GDPR, breach notification rules are stringent and aim to ensure that both the supervisory authorities and affected individuals are promptly informed of data breaches. The key rules regarding breach notifications are as follows:

Notification to Supervisory Authority

Data controllers must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach. The notification to the supervisory authority must include:

  1. The nature of the personal data breach, including where possible, the categories and approximate number of data subjects and personal data records concerned.
  2. The name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained.
  3. The likely consequences of the personal data breach.
  4. The measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Notification to Data Subjects

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must communicate the breach to the affected data subjects without undue delay. The notification to data subjects must be in clear and plain language and include:

  1. The nature of the personal data breach.
  2. The name and contact details of the DPO or other contact point where more information can be obtained.
  3. The likely consequences of the personal data breach.
  4. The measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Exemptions from Notification to Data Subjects

The notification to data subjects is not required if:

  1. The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, such as encryption.
  2. The controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
  3. It would involve disproportionate effort. In such cases, a public communication or similar measure whereby the data subjects are informed in an equally effective manner should be used instead.

Notification by Data Processors

Data processors must notify the data controller without undue delay after becoming aware of a personal data breach.

GDPR Documents

Most organizations think that having a privacy policy and a consent form on their website is enough to comply with GDPR, but these are only a small part of the documents required for full compliance. Note that the GDPR does not prescribe the names of these documents, so you may use any titles you like. You also have the option of merging some of these documents together.

  1. Personal Data Protection Policy
  2. Privacy Notice
  3. Employee Privacy Notice
  4. Data Retention Policy
  5. Data Retention Schedule
  6. Data Subject Consent Form
  7. Parental Consent Form
  8. DPIA Register
  9. Supplier Data Processing Agreement
  10. Data Breach Response and Notification Procedure
  11. Data Breach Register
  12. Data Breach Notification Form to the Supervisory Authority
  13. Data Breach Notification Form to Data Subjects

Fines and Penalties

Fines and penalties can reach up to 4% of a company’s global turnover if it is found in breach, and the higher penalties are imposed on non-compliant organizations. Companies will find it increasingly challenging to tolerate any level of risk when handling personal data, as the penalties can be financially devastating.

Categories of Penalties under GDPR

Penalties under GDPR are categorized based on the severity of the offense:

Category 1: Up to 2% of Annual Worldwide Turnover or €10 Million (whichever is higher)

This category applies to infringements such as:

  1. Failing to report a data breach.
  2. Failing to comply with privacy by design principles as outlined in Article 25 of GDPR.
  3. Failing to appoint a representative if the entity is based outside the EU.
  4. Failing to obtain consent when processing children’s data.
  5. Failing to include adequate data protection clauses in contracts with processors.
  6. Failing to appoint a data protection officer.
  7. Failing to maintain written records.

Category 2: Up to 4% of Annual Worldwide Turnover or €20 Million (whichever is higher)

This category covers more serious offenses, including:

  1. Failing to comply with the principles of lawful data processing as set out in GDPR.
  2. Failing to meet provisions related to personal data transfers outside the EU.
  3. Failing to comply with data subject rights.

Additional Enforcement Powers

Alongside these penalties, data protection supervisory authorities have several other enforcement powers, including:

  1. Issuing warnings of non-compliance.
  2. Conducting audits.
  3. Requiring specific remediation within a set timeframe.
  4. Ordering the erasure of data.
  5. Suspending data transfers to third countries.

These robust measures ensure that organizations take GDPR compliance seriously and prioritize the protection of personal data.

Written by Ben Pournader

Cybersecurity Manager/Engineer/Architect, Author, PCI & ISO Expert, Team Builder, Writer, CISM, CISA, CRISC, CGEIT, MCSE, RHCSA, CDPSE, PMP, MBA
