Achieving GDPR Compliance: A Guide for Businesses

Pritesh Vora

Jan 01, 2025
GDPR Compliance

GDPR compliance is vital for organizations operating within the EU. Non-compliance can lead to severe legal and financial consequences, as seen in Austria’s recent ban on Google Analytics. Specifically, Article 44 of the GDPR states that data may not be transferred beyond the EU or the EEA unless the recipient nation can demonstrate strong and sufficient data protection. In the case of Google Analytics, US surveillance agencies can, if needed, access any data on demand from Google. This position was further reinforced by the invalidation of the EU-US Privacy Shield.

As the European Union continues to enforce its stringent GDPR standards, organizations are becoming increasingly aware of the advantages of complying with data regulations. Compliance not only enforces rigorous procedures for data collection and processing but also helps cloud-hosted companies protect themselves in an era marked by frequent security incidents.

If you’re navigating the complexities of GDPR, we hope this guide provides you with sure footing and a straightforward explanation of the GDPR standard. Let’s get started.

TL;DR:

  • GDPR compliance ensures that the privacy rights of individuals in the EU are maintained and that organizations follow a regulated process to collect, process, and transfer data.
  • Cloud-computing companies must be GDPR-compliant if they have an EU customer base, even if they are not located within the European Union.
  • Non-compliance with GDPR leads to harsh fines of up to 4% of annual global turnover or €20 million, damaged company reputation, and liability for compensation claims. Even the top cloud services companies cannot escape the strict rules of the GDPR.

What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is digital privacy legislation that regulates how companies collect, process, and protect the personal information of European Union (EU) residents. The law also governs the transfer of personal data outside the EU.

GDPR compliance strengthens privacy rights by giving users (called data subjects) control over how their personal data is gathered, shared, and used. They are entitled to (a) have their personal data protected, (b) have it used in a lawful and fair manner, (c) have it corrected if they ask for the information to be altered, and (d) receive a copy if they ask for one.

The regulation came into effect on May 25, 2018, and replaced the Data Protection Directive 95/46/EC.


GDPR guidelines were drafted with an eye on three main goals:

  1. Establish a baseline set of standards for cloud-hosted companies that handle EU citizens’ data
  2. Replace the 28 separate EU member state privacy laws and the 1995 Data Protection Directive with a unified privacy law
  3. Update privacy laws to align with technological advancements in personal data processing and movement

The official GDPR regulation comprises 99 articles in 11 chapters and 173 recitals. The GDPR text spans 88 pages and includes rules, scenarios, compliance requirements, and enforcement techniques.

Why Is GDPR Compliance Important?

GDPR compliance is critical, especially for cloud-hosted companies that process or store EU citizens’ data. Failing to meet these requirements can lead to penalties of up to €20 million or 4% of global turnover. Beyond financial risks, non-compliance tarnishes brand reputation and opens the door to costly compensation claims.

Examples:

  • Austria’s ban on Google Analytics for non-compliance.
  • Fines on British Airways (€20M) and Marriott Hotels (€18.4M) for data breaches.

What Is Classified as Personal Data Under GDPR?

Under GDPR, personal data refers to information that can identify you or relate to you, either on its own or in combination with other available information.

  • Business information such as company names and email addresses operated by multiple people is not considered personal data, e.g. support@company.com
  • Business email addresses and phone numbers owned and operated by a single person are considered personal data, e.g. juliawallace@company.com

Personal data includes the following:

  1. Name
  2. Residential address
  3. Contact information
  4. Race
  5. Identification numbers (bank account, passport)
  6. Access cards
  7. IP address, cookie data, RFID tags
  8. Location data/geotagging
  9. Audio-visual/audio recordings
  10. Health records
  11. Social media posts
  12. Religious and political opinions

Pseudonymous data is also considered personal data if the person can still be identified from it with relatively little effort.

Concepts to help navigate GDPR

  • If a cloud-hosted company is collecting or using your personal data, you are a data subject. The company holding the data is the data controller.
  • The data controller can give permission to another person or company to process your personal data on its behalf. This person or company is called a data processor.
  • Handling your personal data, including storing it, is known as processing.

Some of the GDPR articles most relevant to cloud-hosted companies are:

  • Article 5 – Principles around handling and processing of personal data
  • Article 6 – Lays the foundation for lawful personal data processing
  • Articles 12-22 – The rights of data subjects
  • Articles 25 and 32 – Guidelines on how to implement measures to protect personal data

Under GDPR, companies need to establish one of these six lawful bases to be allowed to process data: consent, legal obligation, contract, public task, vital interests, and legitimate interest.

Cloud-hosted and B2B companies typically rely on consent and legitimate interest:

  • They can gain verifiable consent through, say, a sign-up form. Users can withdraw consent at any time and companies must stop processing when consent is withdrawn.
  • If they’re relying on legitimate interest for B2B marketing, they must stop processing when a user objects.

What Is a “Breach” Under GDPR?

Under GDPR, a personal data breach is defined as a breach of security that results in the accidental or unlawful destruction, alteration, or loss of personal data, or in unauthorized disclosure of or access to it. Such a breach is likely to pose a risk to a person’s rights and freedoms.

Two of the biggest data breaches that led to the drafting of the GDPR:

1. Equifax 

In 2017, Equifax, a credit reporting service, suffered a major data breach that affected 143 million US customers and 694,000 UK customers. The customers’ names, passwords, birth dates, social security numbers, and partial credit card details were compromised.

The UK Information Commissioner’s Office fined the company the maximum possible amount under the pre-GDPR Data Protection Act, which is £500,000.

2. Facebook/Cambridge Analytica

    A British data science firm, Cambridge Analytica, scraped the Facebook profiles of more than 50 million users without their consent. The data was used to inform Trump’s 2016 presidential campaign.

    Data was acquired through a personality quiz app called “this is my digital life”, which requested access to the Facebook profiles of the people taking the quiz. 

    Facebook was also fined £500,000 for the breach.

    These real-world data breach examples reveal how a breach can have far-reaching consequences. The GDPR and similar data protection legislation aim to protect people from such violations of privacy. 

    Check out the list of GDPR software that can help you avoid data breaches.

    Which Companies Are Affected by the GDPR?

    Any company or business that stores or processes personal data of EU citizens must be in compliance with GDPR. 

    92% of US companies consider GDPR a top priority for data protection regulation.

    Ask yourself these questions to know whether the GDPR applies to your company:

    1. Does the company market to customers in the European Union?
    2. Does the company have employees who work in the European Union?
    3. Does the company have a current customer base in the European Union?

    Companies that accept payments in Euros also fall under GDPR.

    Specific criteria for companies required to be GDPR-compliant are:

    1. A presence in an EU country
    2. Processing or storing the personal data of EU citizens, even if the company isn’t located in the European Union
    3. More than 250 employees
    4. Fewer than 250 employees but performing data processing that affects the rights and freedoms of data subjects or involves certain types of sensitive personal data

    EU-based companies in cloud services, telecommunications, insurance, and e-gaming automatically fall under the GDPR.

    Some of the ways in which B2B and cloud-hosted companies can comply with the GDPR:

    1. Keep valid, up-to-date records of all data processing activities, including internal records.
    2. Update the content and language of your privacy policy to be relevant, easy to access, and easy to read and understand. 
    3. Review or identify the legal basis for processing personal data.
    4. Review systems to ensure that GDPR user rights are covered.
    5. Maintain valid records of consent and handle consent in a GDPR-compliant way.
    6. Use the principle of data minimization: the more types of data are processed, the greater the risk.

    Who Will Be in Charge of Compliance in Your Company?

    The GDPR establishes several roles that oversee compliance in cloud-hosted companies: data controller, data processor, and data protection officer (DPO).

    1. The data controller is the entity responsible for determining the purpose and lawful basis for the processing of personal data. The controller also ensures that outside contractors are GDPR-compliant.
    2. The data processor is the individual or organization responsible for processing personal data on behalf of the data controller. The data processor collaborates with the data controller.
    3. The data protection officer is appointed by the data controller and data processor as per GDPR guidelines to oversee data protection and monitor GDPR compliance. This includes training staff and raising awareness. Cloud-computing companies should provide initial and refresher training about GDPR guidelines. They should also have a mechanism in place to record these training sessions. 

    The GDPR requires a company to appoint a DPO if:

    1. It is a public authority or entity
    2. Its core activities require large-scale, systematic, and regular monitoring of data subjects, e.g., tracking of online behavior
    3. Its core activities consist of large-scale processing of special categories of personal data or data related to criminal convictions and offenses.

    Articles 37, 38, and 39 of the GDPR talk about the designation, position, and tasks of the data protection officer respectively. 

    What Happens if Your Company Fails to Comply With the GDPR?

    The ramifications are severe if you fail to comply with GDPR guidelines:

    1. Financial penalties

    Companies that violate the rules of the GDPR and suffer data breaches are levied harsh fines. The maximum amount is 4% of a company’s annual global turnover or €20 million. 

    Under the Data Protection Act, the maximum fine for failing to stop a data breach was far less: £500,000.

    The Information Commissioner’s Office (ICO) considers the following points when deciding whether to levy a fine:

    • Severity and length of the data breach
    • The type of personal data compromised in the breach
    • Whether the data breach was negligent or intentional
    • Whether the company has suffered a previous data breach
    • Whether the data breach impacted the rights and freedoms of the affected individuals

    Some examples of data breaches that have attracted huge fines are:

    • British Airways was handed a fine of €20 million for “unacceptable” failure to protect its customers. It is the largest fine levied by the ICO so far. The major 2018 breach led to the theft of booking information of more than 400,000 people. 
    • Marriott Hotels was fined £18.4 million for a data breach that affected over 339 million guests. The first part of the breach occurred in 2014 and affected the Starwood Hotels group, which was acquired by Marriott two years later. However, until 2018, the hacker had access to all affected systems that included names, email addresses, phone numbers, passport numbers, VIP status data, arrival and departure information, and loyalty program numbers.
    • Google was fined $57 million by France’s data protection authority, CNIL, for not complying with GDPR guidelines in the way it handled ad personalization. It didn’t take specific or unambiguous user consent to process data for ad personalization. Users did not understand the “plurality of services” in which their personal data is used and processed. 

    GDPR regulations apply to even the top Internet companies of the world. Smaller businesses may not attract the same magnitude of fines but they are held to the same high standards. 

    2. Tarnished reputation

    You may be able to pay fines, but can you repair the damage to the company’s reputation just as easily? Companies should raise awareness and conduct regular training to educate their staff about GDPR compliance.

    3. Compensation for damages

    Under GDPR, individuals have the right to claim compensation for material or non-material damages due to violation of the guidelines. Major breaches could result in a large volume of compensation claims.

    How to Become GDPR Compliant

    To become GDPR compliant, you must adhere to the principles of GDPR. This involves implementing a combination of administrative, physical, and technical measures.

    Here are the 7 steps to achieve GDPR compliance:

    1. Understand data and requirements

    Start by conducting a data audit to understand the personal data you collect. If you sell goods or services in the EU or UK, or if people from these regions visit your website and opt in to any marketing campaigns, it’s essential to know how the data is processed, stored, and transmitted. Classify the data based on its sensitivity and determine its flow through systems, networks, and databases.

    The analysis also includes gathering information on the retention period of the data and ensuring that the basis for processing is legal.

    2. Appoint a Data Protection Officer

    GDPR requires certain organizations to appoint a Data Protection Officer to oversee GDPR compliance. You must appoint a DPO if:

    • You are a public authority or body processing data
    • Your core activities include large-scale processing of personal data
    • You are engaged in systematic monitoring of data subjects at a large scale.

    The DPO can be an internal employee with expertise in data protection laws or an external service provider.

    3. Implement privacy policies and technical measures

    Update or draft privacy policies that emphasize privacy by design: collect only the minimum necessary data and protect it throughout its lifecycle. Cover details such as the basis of processing, the data collection method, data disposal, and how data subject rights are exercised.

    Implement technical measures to protect data such as encryption, data masking, access controls and internal audits.

    4. Communicate your commitment to data privacy

    Communicate to your customers about the data collection practices and be transparent. For this, you can update your privacy policies with clear and concise language, use cookie-consent forms, establish double opt-in for email sign ups, offer opt-out mechanisms and publish an FAQ section for data collection and privacy practices.

    5. Review contracts

    If you share the personal data with third parties and vendors, you must ensure that they too comply with the GDPR requirements.

    These activities must be governed by a data processing agreement with clearly defined responsibilities and any liability clauses.

    6. Create a data breach notification procedure

    Establish a procedure to identify and report data breaches. In case of a breach, the organization must issue a data breach notification within 72 hours of becoming aware of the breach. If a large number of people are impacted, they must also be notified with details such as the impact and the corrective measures taken.

    7. Consider certification

    While GDPR certification is not mandatory, most businesses opt for it to demonstrate their commitment to data protection and to win better deals. You can work with external consultants and tools like Sprinto to proceed with certification.

    GDPR compliance cost (Average cost: $20,500 to $102,500)

    The cost of becoming GDPR compliant can range from $20,500 to $102,500 depending on the size of the organization and your choice of consultant and tool.

    The compliance costs include:

    • Implementation costs: $5,000-$30,000 per year, involving months of effort
    • Security tools: $5,000-$20,000
    • Continuous monitoring: $5,000-$30,000
    • Security training: $500-$12,500
    • Legal consultancy: $5,000-$15,000

    However, with tools like Sprinto, the costs can be significantly lower. Moreover, you do not pay any additional cost for implementation, training, monitoring, or consultancy.

    Get GDPR compliant with Sprinto

    You must have gained a thorough understanding of the core principles of GDPR by now. It is clear why GDPR compliance is vital for your cloud-hosted company.

    Avoid heavy financial penalties and damage to your company’s reputation by becoming GDPR compliant.

    Get your GDPR compliance today with Sprinto by automating and streamlining the audit process. 

    FAQ: GDPR Compliance

    1. What does GDPR compliant mean?

    Being GDPR compliant requires that you integrate data protection into your processing activities and business practices from the design stage to the entire data processing lifecycle. This is called “data protection by design and by default.”

    It protects the personal data and privacy of EU members for transactions that occur inside the EU member states. It also regulates the commercial movement of personal data outside the European Union. 

    2. What is GDPR compliance?

    GDPR compliance is a certification that signifies adherence to the GDPR framework, which establishes guidelines concerning the gathering and processing of personal data from EU citizens. The Regulation applies regardless of where the company is located as long as it markets its services and goods to EU customers. GDPR compliance requires that companies that collect data from people in EU countries follow the strict rules laid out by it.

    Pritesh Vora
    Pritesh is a founding team member and VP Growth & Marketing at Sprinto. He comes with over a decade of experience and is a data-driven dynamo in growth strategy, sales, and marketing! His strategies have crafted the success of not one, but two early-stage SaaS startups to 7-digit revenues within a year – he’s your go-to guy for all things growth.
