Guide to GDPR (General Data Protection Regulation) Compliance: All You Need to Know in 2024

Industries across the board face regulatory scrutiny, creating tremendous pressure for organizations to respond quickly to ensure data protection compliance. Whether it is heavily regulated industries such as financial services or sectors with lighter regulatory oversight like retail, the imperative to adhere to regulations remains paramount. This year marks a significant financial commitment from corporations and small businesses towards General Data Protection Regulation compliance. According to CMS, a total of €22.7 billion has been disbursed due to violations surrounding GDPR requirements. 

Navigating the compliance landscape calls for a proactive approach, in which businesses must meet demanding and even complex conditions to mitigate risks and uphold their reputation. In this GDPR guide, we delve into the intricacies of becoming GDPR compliant; exploring key regulatory points, shedding light on how the regulation impacts companies collecting data on persons in the EU, and elucidating GDPR principles, with the aim of providing actionable insights for your business. 

What is the GDPR (General Data Protection Regulation)?

Enacted by the European Union (EU) in 2018, the GDPR stands as the most stringent privacy and security law globally. It is one of the most meticulous regulations, with rules that address every facet of data processing. The GDPR advocates for the legality, openness, and equity of data collection and processing, while also guaranteeing the confidentiality of clients and organizations’ responsibilities in these procedures. Although passed by the EU, compliance with GDPR applies universally, provided businesses target or gather data pertaining to individuals from the EU region. This regulatory framework is designed to empower individuals by affording them more control over their personal information and how it is used by companies, thereby augmenting their autonomy.

The GDPR has overhauled how businesses handle personal data. The regulation underscores Europe's strong stance on data privacy and security, especially during a time when people progressively trust cloud services as well as websites with their personal data and breaches occur with alarming frequency. It is more than just a framework — it is a law that complicates the exploitation of private individual data for financial gain. However, achieving GDPR security compliance is a formidable task for both large corporations and small businesses on account of it being broad in scope yet lacking in detailed directives. 

What is GDPR Compliance?

Recent years have shown that our reliance on data has increased significantly, with individuals habitually disclosing personal information on digital platforms. We now know that GDPR is a set of comprehensive compliance data protection laws that builds upon established principles and has brought about substantial changes, but what is GDPR compliance exactly?

GDPR compliance entails that an organization adheres to the stipulated standards for handling personal data as defined in the extensive 99 Articles. This comprehensive set of compliance data protection laws outlines how to be GDPR compliant; from obtaining individual consent to ensuring data security measures are in place and even implementing procedures that provide transparent privacy notices regarding data collection activities to individuals. 

It is vital to understand that GDPR compliance doesn’t just apply to customers. PwC, for instance, was fined €150,000 by the Greek Data Protection Authority (DPA) for not diligently following GDPR requirements and mishandling employee data. Due to the unequal relationship between employers and employees, it was deemed inappropriate for the accounting firm to use consent to process personal data.

Obtaining a GDPR compliance certification is a good step for organizations to take irrespective of their size and industry. This move signals to current or prospective clients as well as employees that their personal information is in safe hands. Incorporating strict privacy laws will not only safeguard your company’s image but will also help avoid hefty fines from being imposed.

History of the GDPR

The intention underlying the creation of the GDPR was to facilitate the harmonization of data privacy legislation across all member states comprising the EU. Using the basis of the right to privacy in the 1950 European Convention on Human Rights, the EU passed the European Data Protection Directive in 1995, establishing minimum data privacy and security standards. Following the endorsement of the European Parliament, the GDPR was enacted in 2016, mandating adherence from all organizations as of May 25, 2018.

Understanding GDPR Key Terminologies

The GDPR offers comprehensive definitions for a variety of legal terms:

• Personal data — Personal data refers to information regarding an individual that has the capacity to identify them, either directly or indirectly. This encompasses identifiers such as names, email addresses, geographic locations, racial or ethnic backgrounds, gender classifications, biometric data, religious affiliations, online identifiers, and political viewpoints. Additionally, pseudonymous data may fall within the realm of personal data if it can reasonably be linked to an individual.
• Data processing — Any action performed on data, whether automated or manual. These encompass actions such as acquisition, documentation, organization, retention, utilization, and deletion of data.
• Data subject — The person whose data is processed. These are your customers or site visitors.
• Data controller — The person who decides why and how personal data will be processed.
• Data processor — A third-party entity, tasked with the processing of personal data on behalf of a designated data controller, is subject to distinct regulatory stipulations within the framework of the General Data Protection Regulation (GDPR).
• Obtaining the consent of the data subject — “freely given, specific, informed and unambiguous indication” that the data subject agrees to the processing of personal data related to them, either through a statement or affirmative action.  

7 GDPR Key Regulatory Points

Should you want to process any data, you will need to adhere to the seven data protection principles outlined in Article 5.1-2:

1. Lawfulness, fairness, and transparency 

Lawfulness compels you to avoid intentionally concealing information about the nature or purpose of your data collection. Fairness, on the other hand, ensures that collected data is handled responsibly and not misused. Both concepts are closely related to the GDPR. Here are some valid reasons for processing data:

• Consent has been given.
• It is necessary to make good on a contract.
• It is necessary to fulfill a legal obligation.
• For the protection of vital interests of a natural person.
• It is a public task serving the public interest.
• You can demonstrate legitimate interest that outweighs the rights and interests of the individual.
  

2. Purpose limitation 

This second principle ensures that data is only used for explicitly stated, legitimate reasons. These purposes must be clearly defined and communicated to individuals through a privacy notice. Any deviation from these purposes requires explicit consent from the individual unless there is a legal obligation or clear function outlined. In some instances, the organization may use the data for a purpose compatible with the original purpose, and one that the individual could reasonably expect. This is when a “compatibility assessment” needs to be carried out to ensure continued compliance with the GDPR.

3. Data minimization

Data minimization refers to collecting and processing only as much data as needed to complete your original purpose. An example of this would be to gather information related to sending out newsletters to subscribers such as their email addresses and not their phone numbers or home addresses, both of which are not helpful to your purpose.

4. Accuracy

Regular audits and cleaning up your data will help in your journey to becoming GDPR compliant. It is your company’s responsibility to keep personal data accurate and up to date. 

5. Storage limitation 

You should retain personally identifying data only for as long as it's needed for its intended purpose. Under the GDPR, reasons must be provided for the duration of each piece of stored data. Establishing data retention periods is advisable to comply with this storage limitation policy. You should also set a standard timeframe for pseudonymized data that is not actively used. This means data that has been altered, making it difficult to identify a specific person. Names could be replaced with numbers or email addresses might be partially obscure. Even if some identifying details are redacted from the files, they may still be considered personal data subject to regulations like the GDPR. Consequently, it is better to maintain such data within a clearly defined timeframe as mandated by a data retention policy. This proactive approach mitigates the potential risks and legal ramifications associated with non-compliance or the inadvertent disclosure of such information.

6. Integrity and confidentiality 

To keep data safe, you need to make sure it's secure, intact, and private. This involves taking steps like encryption. The GDPR demands that you maintain data integrity and confidentiality, safeguarding it against any unauthorized or illegal access or loss. This requires careful planning and active monitoring to prevent any accidental loss or harm.

7. Accountability 

The data controller must show they follow GDPR principles. Regulators are aware that organizations might claim compliance without actually adhering to the rules. This is why accountability is crucial — you need to have measures and records to prove your compliance with data processing principles. Supervisory authorities can request this evidence whenever necessary. Proper documentation is essential as it establishes a trail for audits and enables you to demonstrate responsibility when needed.

Is GDPR Applicable In the US?

Understanding Material Scope under GDPR

The material scope requires the data in question to be considered personal data. This term is defined, and further discussed, in Article 4(1) of the GDPR: Any information that relates to an identified or identifiable natural person falls under the GDPR, this also includes pseudonymized data. 

Examining the Territorial Scope: Does GDPR Apply Outside the EU?

The GDPR regulates the activities of controllers or processors with a presence in Europe, denoted as an "establishment." This means that the GDPR typically applies if your company is headquartered in Europe or if it maintains a presence in Europe while operating from outside the continent. However, there are exceptions to this rule, which necessitate careful consideration.

If your company is headquartered in Europe, the GDPR generally applies. Similarly, if your company operates from outside Europe but has an establishment within Europe, the GDPR encompasses that establishment. The GDPR also applies to companies not established in Europe if they are offering goods or services to Europeans. This means that if your company operates outside of Europe but caters to or intends to cater to European customers, adherence to GDPR regulations becomes mandatory when handling their personal data. The presence or absence of offices, employees, or physical infrastructure in Europe does not affect the determination of GDPR applicability.

Regulatory authorities may consider various factors to determine whether a company is targeting individuals in Europe. These factors may encompass the language used on your website, the currency used for transactions, or the availability of shipping to Europe. Even without a presence in Europe or an intention to engage European customers, adherence to the GDPR may be necessary if your company is monitoring the behavior of European users. The GDPR offers clarification in Recital 24, defining it as activities such as tracking individuals online, employing personal data processing techniques for profiling, and making decisions or predictions about their preferences, behaviors, or attitudes.

The European Data Protection Board (EDPB) provides examples of activities that could constitute monitoring individuals' behavior, including behavioral advertising, geo-localization for marketing purposes, online tracking via cookies, personalized health analytics, CCTV surveillance, market surveys based on individual profiles, and monitoring or reporting on people's health.

The 8 Fundamental GDPR Data Subject Rights

1. The right to be informed 

Individuals have the right to know certain details about how their personal data is handled. This includes information on what data is collected, why it's collected, who collects it, how long it's kept, how to make a complaint, and if it's shared with others. Specifically, data controllers must provide details such as their contact information, the purpose of data processing, the legal basis for processing, third-party involvement, data retention duration, data subject rights, complaint procedures, and whether providing data is mandatory. All of this information should be communicated clearly and simply.

1. Transparent information, communication, and modalities for the exercise of the rights of the data subject

Controllers must ensure data subjects receive easily comprehensible information regarding their personal data. This information can be communicated in written, electronic, or oral form upon request. Additionally, controllers must enable data subject rights and address requests within one month, with a possible extension of two months for complex cases. If unable to fulfill a request, controllers must promptly notify the data subject and provide reasons for the inability to act. Information should generally be provided free of charge unless requests are deemed excessive or unfounded, in which case a reasonable fee may be charged or the request refused. Additional information may be requested for identity verification purposes. Standardized icons may be employed to summarize data processing activities, with the content represented by these icons determined by the Commission.

2. Transparent information, communication, and modalities for the exercise of the rights of the data subject

When a company gathers your personal information, they are obliged to inform you about several key aspects as outlined in Article 13 of the GDPR:

• the identity and the contact details of the controller and, where applicable, of the controller’s representative;
• the contact details of the data protection officer, where applicable;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
• the recipients or categories of recipients of the personal data, if any;
• where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

3. Information to be provided where personal data have not been obtained from the data subject

Upon acquiring personal data from a source other than the individual, the controller is obligated to supply specific information to the individual. This includes the controller's contact particulars, the purpose of data processing, data categories, and potential international data transfers. Additionally, they must convey details about data retention, legal processing grounds, and the individual's data rights. This disclosure must occur within a reasonable timeframe and before any further data processing takes place.

2. The right of access

Employees, customers, as well as any individuals whose data is processed indirectly such as contractors or vendors all have the right to request access to their personal information from the organization. The organization, in turn, must then provide a copy of the individual's personal data along with details such as the purpose of processing, types of personal data processed, recipients of the data, data retention period, GDPR rights, information on automated decision-making, and the source of the data.

3. The right to rectification

The right to rectification empowers individuals to request updates to any inaccurate or incomplete data. If the company in question verifies the inaccuracy. They must then confirm the inaccuracy and make the necessary corrections. Implementing this the right way poses operational challenges for organizations, as rectifying one dataset may impact the entire database.

4. The right to erasure

The right to be forgotten, or the right to erasure, lets individuals request their personal data to be deleted in certain situations:

• When the data is no longer needed
• If the individual withdraws consent
• When the data is unlawfully processed
• If the individual objects to processing and there's no valid reason to continue
• When deletion is necessary to follow the law

5. The right to restrict processing

Did you know that users can ask an organization to limit how it uses their personal data? Below are some situations where the organization must stop processing:

• When the data is inaccurate (while verifying it)
• If processing is unlawful but the individual doesn't want it deleted and asks for restriction (different from the right to be erased)
• When the organization no longer needs the data but the individual wants it kept for legal reasons
• While the organization verifies a data deletion request
• Once the data is restricted, the organization can't process it unless they have consent, need it for legal claims, or to protect other people's rights.

6. The right to data portability

Data portability is a new right for users that allows them to get their personal data from a business in a format that's easy for machines to read. They can also ask for their data to be sent directly to another organization. However, it is important to note that this only applies to data they already gave to the organization, and depends on whether the processing is automated or not. This includes data about their actions, like search history, location data, and website visits.

7. The right to object

The right to object lets users object to their personal data being processed in specific situations, depending on why and how it's being processed. They can object to processing based on legitimate interests or public tasks too.

8. Rights in relation to automated decision-making and profiling. 

The GDPR has stringent regulations for processing personal data without human involvement. This includes various forms of profiling, like evaluating work performance, economic status, health, preferences, and behavior, if it has a significant legal impact on individuals. These rules don't apply if the processing is necessary for a contract, authorized by law, or based on explicit consent.

New additions to data subject rights include:

1. Notification obligation regarding rectification or erasure of personal data or restriction of processing

It is the responsibility of the data controller to notify recipients of the personal data about any revisions or deletions made unless such actions present undue difficulty or require excessive effort. If requested, they must also communicate these changes to the data subject.

2. Restrictions

Union or Member State regulations have the authority to limit the obligations and rights articulated in Articles 12 to 22 and Article 34, as well as Article 5, provided they uphold fundamental rights and are deemed necessary for:

• National security
• Defense
• Public security
• Preventing, investigating, detecting, or prosecuting criminal offenses
• Significant public interests, including economic or financial matters, public health, social security, and judicial independence
• Regulating professions
• Protecting the rights and freedoms of data subjects or others
• Enforcing civil law claims

These regulations must include specific provisions addressing:

• Purposes and categories of data processing
• Types of personal data
• Scope of the restrictions
• Safeguards against misuse or unlawful access
• Details of the controller
• Data retention periods and safeguards
• Risks to data subjects' rights and freedoms
• Data subjects' right to be informed

GDPR Compliance Checklist

12-Step GDPR Compliance Checklist

1. Ensure the lawfulness of your data processing

Establish the lawful justification — consent, contract, legal obligation, or vital interests — for every instance of data collection and processing by identifying as well as documenting the legal basis for each data processing activity undertaken by your organization.

2. Minimize the data you collect

Only collect the personal data essential for your business purposes.

3. Limit data retention

Ensure that your organization does not hold on to any data longer than necessary. Once the retention period ends, implement procedures for securely deleting data.

4. Be transparent with the data subjects

The regulation requires businesses to provide clear privacy notices explaining data collection, use, and security. Companies should also make it easy for individuals to see their data and exercise these rights: 

• Access: Users can request to see what data you hold about them.
• Rectification: Users can request corrections to inaccurate data.
• Erasure (Right to be Forgotten): Users can request the deletion of their data under certain circumstances.
• Restriction of Processing: Users can limit how they use their data.
• Data Portability: Users can request their data transferred to another service.
• Object: Users can request that their data will no longer be processed

5. Manage data subjects’ rights efficiently

The GDPR enforces a one-month timeframe for businesses to respond to data subject requests. If a user requests access to the data you have on them, you’ll have one month to respond with a copy of their data in a commonly used and machine-readable format. Similarly, you have one month to make corrections to any inaccurate or incomplete data if a user requests it. This timeframe extends to other rights such as erasure, restriction of processing, and data portability. The timeframe can be expanded to two additional months if the request is complex or if two many requests have been made. If so, you have to inform the data subject of this extension within the one-month timeframe. 

6. Secure the data

To ensure GDPR compliance, prioritize data security. Implement robust measures like encryption to scramble data for authorized access only. Restrict who can access personal data with access controls. Regularly back up your data to guarantee recovery in case of incidents. Finally, develop a comprehensive incident response plan to identify, address, and report data breaches effectively.

7. Comply with the GDPR from the design stage of your projects (Privacy by Design)

The GDPR promotes a proactive approach to data protection, encouraging businesses to integrate data privacy considerations from the very beginning of any project. This “Privacy by Design” principle emphasizes several strategies. First, data minimization focuses on collecting only the essential personal data truly necessary for your project's goals. Purpose limitation requires clearly defining why you collect data and ensuring it's only used for that specific purpose. Data pseudonymization, on the other hand, encourages using non-identifiable alternatives whenever possible, minimizing privacy risks. Lastly, Privacy Impact Assessments (PIA) are crucial to analyze new projects and identify any potential data privacy risks that might need to be addressed before launch.

8. Learn about data protection through training

Staff should be educated on GDPR regulations through comprehensive training.  This training should cover the essentials: understanding GDPR principles, identifying personal data, following data handling procedures, and recognizing and reporting data breaches.

9. Choose GDPR-compliant providers

GDPR compliance success hinges on choosing the right provider to work with. When using third-party services that handle personal data, ensure they are GDPR compliant. Evaluate their security practices as well as data processing agreements and assess their ability to handle data subject requests.

10. Supervise data transfers outside the EU

When transferring data outside the EU, GDPR requires ensuring the receiving country offers adequate data protection. Pre-approved Standard Contractual Clauses (SCCs) offer one method, while Binding Corporate Rules (BCRs) allow multinational companies to establish internal data transfer rules.

11. Document the GDPR compliance of your operations

Demonstrate your commitment to GDPR by maintaining clear records of your compliance efforts. This includes a data inventory listing all personal data you collect, a Record of Processing Activities (ROPA) detailing your data processing actions, and documented policies and procedures related to data privacy.

12. Ask your DPO for advice

Leverage the expertise of a Data Protection Officer (DPO). They can guide you in implementing GDPR requirements, navigate complex data privacy issues, and ensure ongoing compliance.

Conclusion

GDPR compliance is not just a legal requirement but also a strategic imperative for businesses — it enhances customer loyalty and improves brand reputation among customers while averting legal liabilities as well as financial penalties. Adherence to the regulation mitigates the risk of data breaches and cyberattacks, thereby safeguarding sensitive information from potential leaks. 

FAQs

1. What is the GDPR equivalent in the US?

In the realm of US data privacy regulation, the CCPA (California Consumer Privacy Act) stands as the equivalent of the GDPR. This extensive legislation in California grants residents enhanced insight and authority regarding the collection and utilization of their personal information by businesses.

2. How often should a GDPR compliance audit be conducted?

It is advisable to perform a GDPR compliance audit at least once per year. However, the frequency of these audits should be determined based on several factors, including any changes to your company's data security protocols, updates to data breach prevention policies, and the adoption of new technologies within your organization.

3. What are the penalties for non-compliance with GDPR?

Failure to comply with GDPR regulations may lead to administrative fines, potentially reaching up to 20 million euros or 4% of the annual global turnover, whichever is higher. However, in reality, the fines imposed are typically lower and are influenced by the nature of the violation and the extent of your GDPR compliance efforts. 

4. Can small businesses be exempt from GDPR?

There are no exceptions. Typically, any business handling personal data or Personally Identifiable Information (PII) is bound by the GDPR's regulations and requirements. Consequently, small business owners are also subject to GDPR mandates, which prohibit the collection of an individual's contact information from sources like business cards or LinkedIn profiles without explicit consent.

How DPO Consulting Facilitates GDPR Compliance

DPO Consulting was created by Marine Brogli, President of the Group, as a firm specializing in personal data protection. Our purpose is to assist organizations of all sizes and sectors in their GDPR compliance and actively participate in the creation of the information assets of companies by democratizing and making it easier for companies to access and manage their data.

This vision translates into a turnkey service that allows customers to have a complete knowledge of the data they process. We support all our clients in their strategic choices, both from an organizational and technical point of view, to protect the personal data they process. From consulting, to support, training, and even outsourcing the DPO role, DPO Consulting meets all your data protection needs in an adapted manner. Throughout the life cycle of your data processing, DPO Consulting’s expert team members will support you in order to make your compliance in terms of personal data protection a real competitive advantage.

Our solutions

GDPR and Compliance

• GDPR Software (myDPO)
• GDPR Compliance Audits
• Privacy Impact Assessments (PIA)
• Clinical Trial Compliance

Outsourced DPO & Representation

• Outsourced DPO
• International DPO
• EU Representative
• UK Representative
• US Privacy Services

Training & Support

• Customized DPO Coaching
• GDPR Training

‍