The General Data Protection Regulation (GDPR) is a European Union (EU) law that governs how organizations collect and use personal data. Any company operating in the EU or handling EU residents’ data must adhere to GDPR requirements.
However, GDPR compliance is not necessarily a straightforward matter. The law outlines a set of data privacy rights for users and a series of principles for the processing of personal data. Organizations must uphold these rights and principles, but the GDPR leaves some room for each company to decide how.
The stakes are high, and the GDPR imposes significant penalties for non-compliance. The most serious violations can lead to fines of up to EUR 20,000,000 or 4% of the organization’s worldwide turnover in the previous year, whichever is higher. GDPR regulators can also terminate illicit data processing activities and compel organizations to make changes.
The checklist below covers the core GDPR regulations. How an organization meets these regulations will depend on its unique circumstances, including the kinds of data it collects and how it uses that data.
The GDPR applies to any organization based in the European Economic Area (EEA). The EEA includes all 27 EU member states plus Iceland, Liechtenstein and Norway.
The GDPR also applies to organizations outside of the EEA if:
The GDPR doesn’t only apply to businesses using customer data for commercial purposes. It applies to nearly any organization that processes EEA residents’ data for any purpose. Schools, hospitals and government agencies all fall under GDPR authority.
The only data processing activities exempt from the GDPR are national security or law enforcement activities and purely personal uses of data.
The GDPR uses some specific terminology. To understand compliance requirements, organizations must understand what these terms mean in this context.
The GDPR defines personal data as any information relating to an identifiable human being. Everything from email addresses to political opinions counts as personal data.
A data subject is the human being who owns the data. Put another way, it’s the person the data relates to. Say a company collects phone numbers to send marketing messages via SMS. The owners of those phone numbers would be data subjects.
When the GDPR refers to data subjects, it means data subjects who reside in the EEA. Subjects need not be EU citizens to have data privacy rights under the GDPR. They merely need to be EEA residents.
A data controller is any organization, group or person that obtains personal data and determines how it is used. Returning to a previous example, a company collecting phone numbers for marketing purposes would be a controller.
Data processing is any action done to data, including collecting, storing or analyzing it. A data processor is any organization or actor that performs such actions.
A company can be both a controller and a processor, like a company that both collects phone numbers and uses them to send marketing messages. Processors also include third parties that process data on behalf of controllers, like a cloud storage service that hosts a phone number database for another business.
Supervisory authorities are the regulatory bodies that enforce GDPR requirements. Each EEA country has its own supervisory authority.
At a high level, an organization is GDPR compliant if it:
The following checklist breaks these requirements down further. The practical steps an organization takes to meet these requirements will depend on its location, resources and data processing activities, among other factors.
The GDPR creates a set of principles organizations must follow when processing personal data. The principles are as follows.
The GDPR defines the circumstances under which companies can legally process personal data. An organization must establish and document its legal basis before collecting any data. The organization must communicate this basis to users at the point of data collection. It cannot change the basis after the fact unless it has user consent to do so.
The possible lawful bases include:
According to the GDPR principle of purpose limitation, controllers must have an identified and documented purpose for collecting data. The controller must communicate this purpose to users at the point of collection, and it can only use the data for this named purpose.
Controllers can only collect the minimum amount of data necessary to fulfill their stated purpose.
Controllers must take reasonable steps to ensure the personal data they hold is accurate and current.
The GDPR requires strict data retention and deletion policies. Companies can only keep data until the specified purpose for collecting that data has been fulfilled, and they must delete the data once they no longer need it.
Controllers and processors must apply additional protections to certain types of personal data.
Special category data includes highly sensitive data like a person’s race and biometrics. Organizations can only process special category data in very limited circumstances, such as to prevent serious public health threats. Companies can also process special category data with the subject’s explicit consent.
Criminal conviction data can only be controlled by public authorities. Processors can only process this information at a public authority’s direction.
Controllers must obtain a parent’s consent before processing children’s data. They must take reasonable steps to verify the ages of subjects and the identities of parents. If collecting data from children, controllers must present privacy notices in child-friendly language.
Each EEA state sets its own definition of “child” under the GDPR. These range from “anyone under the age of 13” to “anyone under the age of 16.”
Organizations with more than 250 employees must keep records of data processing. Organizations with fewer than 250 employees must keep records if they process highly sensitive data, process data regularly or process data in a way that poses a significant risk to data subjects.
Controllers must document things like the data they collect, what they do with that data, data flow maps and data safeguards. Processors must document the controllers for which they work, the types of processing they do for each controller and the security controls they use.
Under the GDPR, ultimate responsibility for compliance rests with the data’s controller. This means the controller must ensure—and be able to prove—that its third-party processors meet all relevant GDPR requirements.
The GDPR grants data subjects certain rights over their data. Controllers and processors must honor these rights.
Organizations must give data subjects a simple means of asserting their rights over their data. These rights include:
In general, organizations must respond to all data subject access requests within 30 days. Companies must typically comply with a subject’s request unless the company can prove it has a legitimate, overriding reason not to.
If an organization rejects a request, it must explain why. The organization must also tell the subject how to appeal the decision to the company’s data protection officer or the relevant supervisory authority.
Under the GDPR, data subjects have a right not to be bound by automated decision-making processes that could have a significant impact on them. This includes profiling, which the GDPR defines as using automation to evaluate some aspect of a person, such as predicting their work performance.
If an organization does use automated decisions, it must give data subjects a way to contest those decisions. Subjects can also request that a human employee review any automated decisions that impact them.
Controllers and processors must proactively and clearly inform data subjects about data processing activities, including the data they collect, what they do with it and how subjects can exercise their rights over data.
This information must typically be communicated through a privacy notice presented to the subject during data collection. If the company does not collect personal data directly from subjects, privacy notices must be sent to the subjects within a month. Companies may also include these details in privacy policies that are publicly accessible on their websites.
The GDPR requires controllers and processors to take steps to prevent the misuse of personal data and protect data subjects from harm.
Controllers and processors must deploy security measures to protect the confidentiality and integrity of personal data. The GDPR does not require any particular controls, but it does state that companies must adopt both technical and organizational measures.
Technical measures include technology solutions, such as identity and access management (IAM) platforms, automated backups and data security tools. While the GDPR does not explicitly mandate encrypting data, it does recommend that organizations use pseudonymization and anonymization wherever possible.
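The difference between pseudonymization and anonymization that the paragraph points to is easiest to see in code. The following is an added example, not code from the article or from IBM; the records, field names and key are constructed for illustration. It replaces direct identifiers with keyed HMAC-SHA256 tokens (pseudonymization, reversible only by whoever holds the separately stored key), contrasts that with an unkeyed hash that a guesser can recompute, and shows an aggregate view that contains no per-subject data at all (anonymization).

```python
"""Pseudonymization versus anonymization of personal-data records.

Added example with constructed data; not the article's or IBM's code.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (invented values, not real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "phone": "+49 30 1234567", "plan": "pro"},
    {"email": "bob@example.com", "phone": "+33 1 7654321", "plan": "basic"},
    {"email": "Alice@Example.com", "phone": "+49 30 1234567", "plan": "pro"},
]

# Fields that directly identify a data subject and must not be stored in clear.
DIRECT_IDENTIFIERS = ("email", "phone")


def _normalize(value):
    """Canonical form so that case or whitespace variants map to one token."""
    return value.strip().lower().encode("utf-8")


def pseudonymize_value(value, key):
    """Stable pseudonym for an identifier using HMAC-SHA256 under `key`.

    The same identifier always maps to the same token, so records can still
    be joined, but reversing or recomputing the token requires the key.
    Keep the key outside the pseudonymized data set (secrets manager, HSM):
    data plus key is personal data again.
    """
    return hmac.new(key, _normalize(value), hashlib.sha256).hexdigest()


def pseudonymize_record(record, key):
    """Copy of `record` with direct identifiers replaced by keyed tokens."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymize_value(out[field], key)
    return out


def naive_hash(value):
    """Unkeyed SHA-256 of an identifier, shown as the weak option.

    E-mail addresses and phone numbers have little entropy, so anyone with a
    list of candidate values can recompute the hash and link records back to
    the subject. This does not meet the bar for pseudonymization.
    """
    return hashlib.sha256(_normalize(value)).hexdigest()


def is_linkable_without_key(token, candidate):
    """True if `token` can be matched to `candidate` by an unkeyed hash alone.

    Holds for naive_hash output; fails for keyed tokens, which is the point.
    """
    return hmac.compare_digest(token, naive_hash(candidate))


def aggregate_by_plan(records):
    """Anonymized view: counts per plan, with no per-subject fields at all.

    Unlike pseudonymization, nothing in the result maps back to a person, so
    it is no longer personal data in the GDPR sense.
    """
    return dict(Counter(r["plan"] for r in records))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, store apart from the data
    for rec in SAMPLE_RECORDS:
        print(pseudonymize_record(rec, key))
    print(aggregate_by_plan(SAMPLE_RECORDS))
```

Note that the two records for the same subject (differing only in letter case) receive the same token, so analysis that needs to join a subject's records still works, while the token set on its own reveals nothing about who the subjects are.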
Organizational measures include employee training, ongoing risk assessments and other security policies and processes. Companies must also follow the principle of data protection by design and by default when creating or implementing new systems and products.
If a company plans to process data in a way that poses a high risk to the rights of subjects, it must first conduct a data protection impact assessment (DPIA). Types of processing that could trigger a DPIA include automated profiling and the large-scale processing of special categories of personal data, among others.
A DPIA must describe the data being used, the intended processing and the purpose of the processing. It must identify the risks of processing and ways to mitigate those risks. If significant unmitigated risk exists, the organization must consult a supervisory authority before moving forward.
An organization must appoint a data protection officer (DPO) if it monitors subjects on a large scale or processes special category data as a core activity. All public authorities must appoint DPOs as well.
The DPO is responsible for ensuring the organization remains GDPR compliant. Key duties include coordinating with data protection authorities, advising the organization on GDPR requirements and overseeing DPIAs.
The DPO must be an independent officer who reports directly to the highest level of management. The organization cannot retaliate against the DPO for performing their duties.
Organizations must report most personal data breaches to the relevant supervisory authority within 72 hours. If the breach poses a risk to data subjects, the organization must also notify the subjects. Organizations must notify subjects directly unless direct communication would be unreasonable, in which case a public notice is acceptable.
Processors that suffer a breach must notify the relevant controllers without undue delay.
Any company outside the EEA that regularly processes EEA residents’ data or processes particularly sensitive data must appoint a representative within the EEA. The representative coordinates with government authorities on behalf of the company and acts as the point of contact for GDPR compliance matters.
The GDPR sets rules for how organizations share personal data with other companies within and outside the EEA.
A controller can share personal data with processors and other third parties, but these relationships must be governed by formal data processing agreements. These agreements must outline the rights and responsibilities of all parties with respect to the GDPR.
Third-party processors can only process data according to the controller’s directions. They cannot use a controller’s data for their own purposes. A processor must obtain approval from the controller before sharing data with a sub-processor.
A controller can only share data with a third party located outside the EEA if the data transfer meets at least one of the following criteria:
GDPR compliance is an ongoing process, and an organization’s requirements can change as it collects new data and engages in new kinds of processing activities.
Data security and compliance solutions like IBM Security® Guardium® can help streamline the process of reaching—and maintaining—GDPR compliance. Guardium can automatically discover GDPR-regulated data, enforce compliance rules for that data, monitor data usage and empower organizations to respond to threats to data security.