GDPR compliance - the essentials

By Michael Fornander on Jul 26, 2021

The General Data Protection Regulation (GDPR) has applied since May 25th 2018 and sets out, in 99 articles, how the personal data of individuals in the EU should be collected, processed and stored. But what are the key points in this lengthy regulation, and what do they mean for IT?

First, you should be clear that this regulation does not apply only to EU companies, but to any company that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where that company is located. So even if you are a US business serving EU customers, or a US business with offices in the EU, you need to comply with GDPR. Personal data covers both customer and employee data, so even if you only have employees in the EU but no customers there, you are still subject to GDPR.

The key GDPR compliance points you should be familiar with

What is considered personal data

Personal data is any information relating to an identified or identifiable natural person: a name, an address, an ID number, an IP address, a cookie identifier and so on. Collecting and storing this data is subject to the GDPR. Special categories of data that call for stronger protection, and may only be processed under narrower conditions, include health, genetic and biometric data, as well as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation.

When data has been processed so that it can no longer be attributed to a specific person without additional information (for example a keyed hash, a token table, or encryption whose key is stored elsewhere), it is called pseudonymous data. It poses a lower risk if exposed, is easier to use for analytics and research, and the GDPR encourages it as a safeguard. But it is still personal data: anyone who holds the additional information, or can obtain it, can re-identify the person, so the key or mapping table must be kept separately and protected. Only data that is truly anonymised, where nobody can link it back to an individual, falls outside the GDPR.
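The difference between a pseudonym that anyone can reverse and one that needs the separately held "additional information" is easier to see in code. The block below is an added example, not code from the original article or from Viio: it pseudonymises a small constructed set of purchase records with an HMAC under a secret key, keeps the re-identification table apart from the dataset, and then compares a guessing attack against an unkeyed SHA-256 of the e-mail (which links the subject immediately) with the same attack against the keyed token (which fails without the key). The records, the e-mail addresses and the 16-hex-digit token length are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are example.com placeholders, not real people.
RECORDS = [
    {"email": "Alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.com", "country": "FR", "purchases": 1},
    {"email": "alice@example.com ", "country": "DE", "purchases": 2},
]


def _normalise(email: str) -> bytes:
    # Same person, same token: strip whitespace and case before hashing.
    return email.strip().lower().encode()


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the e-mail. Anyone who can guess an address can
    recompute this and link it back, so it is not real pseudonymisation."""
    return hashlib.sha256(_normalise(email)).hexdigest()[:16]


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key, a guessed address
    cannot be checked against the dataset."""
    return hmac.new(key, _normalise(email), "sha256").hexdigest()[:16]


def pseudonymise(records, key):
    """Split the records into (research dataset, re-identification table).
    The table and the key are the 'additional information' of Art. 4(5):
    store them in a separate system with separate access control."""
    dataset, lookup = [], {}
    for r in records:
        token = keyed_pseudonym(r["email"], key)
        lookup[token] = _normalise(r["email"]).decode()
        dataset.append({"subject": token, "country": r["country"], "purchases": r["purchases"]})
    return dataset, lookup


def purchases_per_subject(dataset):
    """Analytics that only needs the pseudonym, never the e-mail."""
    totals = {}
    for row in dataset:
        totals[row["subject"]] = totals.get(row["subject"], 0) + row["purchases"]
    return totals


def reidentify(dataset, lookup):
    """Whoever holds the table turns the dataset back into personal data."""
    return [{**row, "email": lookup[row["subject"]]} for row in dataset]


def guess_attack(candidate_emails, tokens_in_dataset, pseudonym_fn):
    """Re-identification by recomputing tokens for guessed addresses."""
    hits = {}
    for email in candidate_emails:
        token = pseudonym_fn(email)
        if token in tokens_in_dataset:
            hits[token] = email
    return hits


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # held by a separate key custodian
    dataset, lookup = pseudonymise(RECORDS, key)
    print(purchases_per_subject(dataset))  # two subjects, totals 5 and 1
    guesses = ["alice@example.com", "carol@example.com"]
    naive_tokens = {naive_pseudonym(r["email"]) for r in RECORDS}
    print(guess_attack(guesses, naive_tokens, naive_pseudonym))   # Alice is linked
    keyed_tokens = {row["subject"] for row in dataset}
    attacker_key = secrets.token_bytes(32)  # the attacker does not have the real key
    print(guess_attack(guesses, keyed_tokens, lambda e: keyed_pseudonym(e, attacker_key)))  # {}
    print(reidentify(dataset, lookup)[0]["email"])  # with the table: alice@example.com
```

The point to take from the last two lines: the keyed dataset is only pseudonymous for someone who lacks the key and the table. For the company that holds them it is personal data, which is why both belong in a separate store with their own access control, and why an unsalted hash of a guessable identifier such as an e-mail address should not be treated as pseudonymisation at all.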

You should only collect the personal data you need, and only on a lawful basis

You need a lawful basis, often the user's consent, before you can store and process their personal data, and you may only collect what is necessary for that purpose. In addition, you may only keep the data for as long as it is needed for the purpose you collected it for. When you no longer need it for the stated purpose, delete it or anonymise it. Encrypting it is a sensible safeguard while you still hold it, but encrypted data that you can still decrypt remains personal data and does not satisfy the storage limitation on its own.

The GDPR defines six lawful bases for processing personal data: 1/ the consent of the data subject for one or more specific purposes 2/ performance of a contract with the data subject, or steps taken at their request before entering one 3/ compliance with a legal obligation 4/ protection of the vital interests of the data subject or another person 5/ a task carried out in the public interest or in the exercise of official authority 6/ the legitimate interests of the controller or a third party, unless they are overridden by the interests and rights of the data subject

The consent the user has granted should be documented and proof provided, if needed

Where you rely on consent, it must be freely given, specific, informed and unambiguous, and it should be obtained separately from acceptance of the terms and conditions. Consent may not be made a condition of receiving a service unless the processing is actually required to provide that service. For special categories of data, consent must be explicit.

The consent text should clearly describe the purposes for which data is collected and stored, broken down granularly so that the user can consent to each purpose separately. It should also state whether the data will be shared with third parties. Pre-ticked boxes, silence or inactivity do not count as consent.

When the user has consented to having their data collected and stored, this should be documented: what the user consented to, when, and via what method. Companies should be able to present proof of this consent. The person may withdraw their consent at any time, and withdrawing it must be as easy as giving it.

Companies should be accountable for their GDPR compliance

Companies should not only introduce GDPR compliance policies but also be able to demonstrate that compliance when required. They should perform regular compliance assessments in which their data processing activities and policies are carefully examined.

GDPR relates to the data controllers and data processors

You should become well familiar with the concept of data controllers and data processors, because if your company is in either of these roles, it should comply with the GDPR.

The data controller defines how and why the personal data is being processed, including for what purpose. Each company is a data controller for its employee data at the very least. 

Data processors are third-party companies that process personal data on behalf of the data controller, for example SaaS vendors working with client data or payroll providers processing employee data. One and the same company may be a processor in one relationship and a controller in another. The controller must make sure, normally through a written data processing agreement, that its processors comply with the GDPR.

Companies may need to appoint a Data Protection Officer (DPO)

This role is responsible for overseeing GDPR compliance and monitoring the execution of the data protection strategy. Both controllers and processors must appoint a DPO if they are a public authority, if their core activities require regular and systematic monitoring of data subjects on a large scale, or if their core activities consist of large-scale processing of special categories of data or data relating to criminal convictions. The obligation depends on what the company processes, not on its headcount; the 250-employee threshold often quoted in this context only narrows the separate duty to keep records of processing activities.

The DPO can be either an employee or an external contractor and is the point of contact for supervisory authorities; the DPO's contact details must be published and communicated to the authority. The DPO should be familiar with all GDPR requirements, inform the company about its compliance obligations, and monitor and assess compliance.

Failing GDPR compliance is subject to hefty fines

Supervisory authorities can audit a company at any time. In addition, data subjects can lodge complaints about privacy or security infringements involving their data, and investigations and court proceedings can follow.

If the audit shows that a company failed to comply with the data protection rules, it can face fines of up to €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements. A lower tier of up to €10 million or 2% applies to others, including failures in security measures, breach notification or processor contracts.

The transfer of user data between countries is subject to specific regulations

Generally, personal data may only be transferred outside the EU if adequate safeguards are in place. Some countries have been recognised by the European Commission as providing an adequate level of protection, and transfers to them can proceed freely. The EU-US Privacy Shield, which US companies could certify under for this purpose, was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so transfers to the US now need another mechanism. Transfers within a corporate group are possible under approved Binding Corporate Rules, and transfers to other companies under the Standard Contractual Clauses; in both cases the exporter must assess whether the law of the destination country undermines those safeguards and add supplementary measures, such as encryption with keys that stay in the EU, where it does.

Users can request that their data be forgotten

The right to erasure, commonly called the right to be forgotten, is codified in Article 17 of the GDPR. It allows a person to request that the personal data a company holds about them be erased. The company must then act without undue delay, and in any event within one month of the request (extendable by two further months for complex cases, provided the person is told). A company must also erase personal data of its own accord if it was collected unlawfully, if it is no longer needed for the purpose it was collected for, or if the person has objected to the processing or withdrawn the consent it was based on.

However, if the company is legally obliged to keep some data, for example for tax or bookkeeping purposes, a request to be forgotten does not override that obligation.

Companies should take steps to prepare for processing such erasure requests. They should:

  • have a reliable way to inform other controllers to whom the data was disclosed or made public that its erasure has been requested
  • know every place where the person's data is stored, including backups, logs and processors
  • know which data must stay because of retention requirements; that data should be flagged with its legal basis so it is not deleted by mistake and the person can be told why it was kept
  • have a process for receiving, verifying and managing erasure requests
  • train employees on how to handle erasure requests
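As an added illustration of the process in the list above (example code written for this page, not Viio's own tooling), the block below runs one erasure request against a small constructed data inventory. Stores whose statutory retention period is still running are skipped and the reason is recorded, so the person can be told why; every other copy is deleted; and each downstream recipient of the data is notified through a stand-in callback. The store names, the subject identifier, the dates, the bookkeeping retention basis and the 30-day approximation of the one-month deadline are all assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class DataStore:
    """One entry of the data inventory: a place where personal data lives."""
    name: str
    records: Dict[str, dict]                 # subject_id -> record
    retain_until: Optional[date] = None      # end of a statutory retention period, if any
    retention_basis: str = ""                # why the data must be kept


@dataclass
class ErasureReport:
    """Audit record of what happened to one request."""
    subject_id: str
    deadline: date
    erased: List[str] = field(default_factory=list)
    retained: Dict[str, str] = field(default_factory=dict)   # store -> reason given to the person
    notified: List[str] = field(default_factory=list)


def handle_erasure(subject_id: str, received: date, today: date,
                   inventory: List[DataStore], recipients: List[str],
                   notify: Callable[[str, str], bool]) -> ErasureReport:
    """Process one Art. 17 request against every store in the inventory."""
    # Art. 12(3) requires an answer within one month; 30 days approximates that here.
    report = ErasureReport(subject_id, deadline=received + timedelta(days=30))
    for store in inventory:
        if subject_id not in store.records:
            continue
        if store.retain_until is not None and store.retain_until > today:
            # Legal retention still running: keep the record, log the basis.
            report.retained[store.name] = (
                f"{store.retention_basis} until {store.retain_until.isoformat()}"
            )
            continue
        del store.records[subject_id]
        report.erased.append(store.name)
    # Art. 17(2) / Art. 19: tell everyone the data was passed on to.
    for recipient in recipients:
        if notify(recipient, subject_id):
            report.notified.append(recipient)
    return report


def sample_inventory() -> List[DataStore]:
    """Constructed sample stores; identifiers and dates are made up, and the
    retention basis is an assumed bookkeeping obligation, not legal advice."""
    return [
        DataStore("crm", {"u-1001": {"name": "A. Example"}}),
        DataStore("marketing", {"u-1001": {"segment": "newsletter"}}),
        DataStore("invoices", {"u-1001": {"total": 120.0}},
                  retain_until=date(2031, 12, 31),
                  retention_basis="invoice retention under bookkeeping law"),
    ]


def run_demo(received_iso: str = "2021-07-26", today_iso: str = "2021-08-01") -> ErasureReport:
    """Run one request against a fresh sample inventory and return the report."""
    sent = []

    def notify(recipient: str, subject_id: str) -> bool:
        # Stand-in for the real call to the recipient's erasure endpoint.
        sent.append((recipient, subject_id))
        return True

    return handle_erasure("u-1001", date.fromisoformat(received_iso), date.fromisoformat(today_iso),
                          sample_inventory(), ["payroll-provider"], notify)


if __name__ == "__main__":
    r = run_demo()
    print(r.deadline)   # 2021-08-25
    print(r.erased)     # ['crm', 'marketing']
    print(r.retained)   # {'invoices': 'invoice retention under bookkeeping law until 2031-12-31'}
    print(r.notified)   # ['payroll-provider']
```

Running the same request after the retention date has passed (for example run_demo("2032-01-05", "2032-01-06")) erases the invoice record as well, which is the behaviour you want: a retention flag is a hold with an expiry, not a permanent exemption from the request.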

Users have the right to ask the data controller for data portability

Users can request the personal data they have provided to a controller (account details, uploaded content, activity history and the like) in a structured, commonly used and machine-readable format, so that it can be reused or moved to another service. This right applies to data processed by automated means on the basis of consent or a contract, and the data must be transmitted directly to another controller where that is technically feasible.

This implies that data controllers need to build easy export of a data subject's data, so it can be moved to another data controller.

Companies have 72 hours to report a breach

In the event of a personal data breach, the controller must notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. The notification must describe the nature of the breach, the categories and approximate number of data subjects and records involved, the likely consequences and the measures taken. If the breach is likely to result in a high risk to individuals, they must be informed as well, without undue delay. A processor must inform its controller without undue delay, and every breach, notified or not, must be recorded internally. Companies should therefore have a prepared incident response plan that includes stakeholders from all related departments, such as IT, legal, compliance, PR and others.

GDPR compliance requires careful planning

Preparing for GDPR compliance takes time: assessing and documenting your data flows, then creating the processes, new controls and other activities that ensure compliance. Once you are compliant, perform compliance audits at least annually. Customers take privacy seriously and expect you to do the same, and being demonstrably compliant also helps you stand out as a reliable partner for other companies. So make sure your annual GDPR audits are thorough and performed on time:

  • Make sure that any products or services you offer support data portability, granular consent for collecting and storing personal data, and the right to be forgotten
  • Review your contracts with customers, employees and processors and make sure they include the needed GDPR clauses
  • Review any internal and external privacy policy for the required GDPR statements

GDPR is a regulation that requires careful preparation and then ongoing compliance audits. If you are using a SaaS management platform like Viio, however, the majority of your compliance efforts will be automated. How? Find out in a personalized demo!

