Achieving GDPR Compliance: A Guide for Businesses
Pritesh Vora
Sep 30, 2024
GDPR compliance is crucial for any organization that processes the personal data of people in the EU, as violations can lead to significant legal and financial consequences.
A recent example is the Austrian data protection authority’s ruling that a website’s use of Google Analytics violated the GDPR. Chapter V of the GDPR (Articles 44-49) only permits personal data to be transferred outside the EU/EEA where the destination country has been found to offer an adequate level of protection or where appropriate safeguards are in place. In the case of Google Analytics, the authority found that data sent to Google in the US could be accessed by US surveillance agencies under US law, and that the safeguards in place did not prevent this. The Court of Justice of the EU had already invalidated the EU-US Privacy Shield on the same grounds in its 2020 Schrems II ruling.
As the European Union continues to enforce its stringent GDPR standards, organizations are becoming more aware of the advantages of complying with data protection regulation. Compliance not only imposes disciplined procedures for data collection and processing, it also helps cloud-hosted companies protect themselves in an era of frequent security incidents.
If you’re navigating the complexities of GDPR, we hope this guide provides you with sure footing and a straightforward explanation of the GDPR standard. Let’s get started.
TL;DR:
GDPR compliance ensures that the privacy rights of individuals in the EU are maintained and that organizations follow a regulated process to collect, process and transfer personal data.
Cloud-computing companies must be GDPR-compliant if they serve customers in the EU, even if they are not located within the European Union.
Non-compliance with GDPR can lead to fines of up to 4% of annual global turnover or €20 million, whichever is higher, damage to company reputation, and liability for compensation claims. Even the largest cloud services companies are subject to the GDPR.
What is General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a digital privacy law that regulates how companies collect, process and protect the personal data of individuals in the European Union (EU). The law also governs transfers of personal data outside the EU.
GDPR strengthens privacy rights by giving users (called data subjects) control over how their personal data is gathered, shared, and used. Data subjects are entitled to (a) have their personal data protected, (b) have it processed in a lawful and fair manner, (c) have it corrected if they ask for it to be altered, and (d) receive a copy of it on request.
The regulation came into effect on May 25, 2018, and replaced the Data Protection Directive 95/46/EC.
GDPR guidelines were drafted with an eye on three main goals:
- Establish a baseline set of standards for cloud-hosted companies that handle the personal data of individuals in the EU
- Replace the 28 separate EU member state privacy laws and the 1995 Data Protection Directive with a unified privacy law
- Update privacy laws to align with technological advancements in personal data processing and movement
The official GDPR regulation comprises 99 articles in 11 chapters and 173 recitals. The GDPR text spans 88 pages and includes rules, scenarios, compliance requirements, and enforcement techniques.
Why is GDPR Important?
GDPR has a significant impact on the security controls and operational processes of cloud-hosted companies.
Some of the key GDPR requirements are:
- Obtaining a valid lawful basis, such as user consent, before processing personal data
- Pseudonymizing or anonymizing gathered data to protect privacy
- Notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it
- Transferring data across borders only with appropriate safeguards
- Requiring certain organizations to appoint a data protection officer to oversee GDPR compliance
Any cloud-hosted company that offers its services or products to individuals in the EU is subject to GDPR requirements, even if it is located outside the European Union.
Non-compliance exposes cloud-hosted companies to stiff fines as well as a tarnished reputation. Penalties come in two tiers: up to 2% of total global annual turnover or €10 million, whichever is higher, for less severe infringements, and up to 4% or €20 million, whichever is higher, for the most serious ones.
What Is Classified as Personal Data Under GDPR?
Under GDPR, personal data refers to information that can identify you or relate to you, either on its own or in combination with other available information.
- Generic business information, such as a company name or a shared mailbox operated by multiple people, is not considered personal data, e.g. support@company.com
- Business email addresses and phone numbers assigned to a single, identifiable person are considered personal data, e.g. juliawallace@company.com
Personal data may include the following:
- Name
- Residential address
- Contact information
- Race
- Identification numbers (bank account, passport)
- Access cards
- IP address, cookie data, RFID tags
- Location data/geotagging
- Audio-visual/audio recordings
- Health records
- Social media posts
- Religious and political opinions
Pseudonymous data is also personal data: replacing a name with a token or hash does not take the data out of scope if the person can still be re-identified, whether by combining it with the key or lookup table held elsewhere or simply by guessing the inputs. Only data that can no longer be attributed to a person by any reasonably likely means counts as anonymous.
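To make the pseudonymization point concrete, here is an added example (not code from the original article) showing why an unkeyed hash of an identifier offers no real protection: an attacker who can guess the input space simply recomputes the hash over a dictionary of candidates. A keyed pseudonym (HMAC with a secret held apart from the dataset) resists that attack, but the data is still personal data for whoever holds the key. The e-mail addresses and the attacker's guess list are constructed sample data, not real records.

```python
"""Added example: unkeyed hashing vs. keyed pseudonymization of identifiers.
Not code from the original page. All identifiers below are constructed samples."""
import hashlib
import hmac
import secrets

# Constructed dataset of data-subject identifiers (not real people).
SUBJECTS = ["alice@example.com", "bob@example.org", "carol@example.net"]

# Constructed attacker dictionary: plausible addresses guessed or scraped
# from some public source. It need not be exact; extra guesses are harmless.
GUESSES = ["alice@example.com", "bob@example.org", "carol@example.net", "dave@example.com"]


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of a normalised identifier.
    Deterministic and unkeyed, so anyone who can enumerate likely inputs can reverse it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key stored separately from the dataset.
    The key is the 'additional information' that makes re-identification possible."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonyms, guesses, fn):
    """Dictionary attack: recompute fn over every guess and match against the dataset.
    Returns {pseudonym: recovered identifier} for every hit."""
    lookup = {fn(g): g for g in guesses}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def compare_schemes():
    """Returns (hits against unkeyed hashes,
                hits against keyed pseudonyms without the key,
                hits against keyed pseudonyms with the key)."""
    key = secrets.token_bytes(32)           # controller's key, never shipped with the data
    attacker_key = secrets.token_bytes(32)  # attacker has to guess; wrong with overwhelming probability

    unkeyed = [unkeyed_pseudonym(s) for s in SUBJECTS]
    keyed = [keyed_pseudonym(s, key) for s in SUBJECTS]

    hits_unkeyed = len(reidentify(unkeyed, GUESSES, unkeyed_pseudonym))
    hits_keyed_no_key = len(reidentify(keyed, GUESSES, lambda g: keyed_pseudonym(g, attacker_key)))
    hits_keyed_with_key = len(reidentify(keyed, GUESSES, lambda g: keyed_pseudonym(g, key)))
    return hits_unkeyed, hits_keyed_no_key, hits_keyed_with_key


if __name__ == "__main__":
    print(compare_schemes())  # (3, 0, 3)
```

The third number is the important one for compliance: with the key, every record is trivially linked back to a person, so keyed pseudonyms remain personal data in the controller's hands and must be protected and documented as such. The first number shows why a bare hash should never be described as anonymization.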
Some useful concepts to help navigate GDPR are:
- If a cloud-hosted company is collecting or using your personal data, you are a data subject. The company holding the data is the data controller.
- The data controller can give permission to another person or company to process your personal data on its behalf. This person or company is called a data processor.
- Handling your personal data, including storing it is known as processing.
Also, some of the relevant articles of GDPR for cloud-hosted companies are:
- Article 5 – Principles relating to the processing of personal data (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
- Article 6 – Lawfulness of processing: the legal bases on which personal data may be processed
- Articles 12-22 – Rights of data subjects
- Articles 25 and 32 – Data protection by design and by default, and security of processing
Under GDPR, companies need to establish one of these six lawful bases to be allowed to process data: consent, legal obligation, contract, public task, vital interests, and legitimate interest.
Cloud-hosted and B2B companies typically rely on consent and legitimate interest.
- They can gain verifiable consent through, say, a sign-up form. Users can withdraw consent at any time and companies must stop processing when consent is withdrawn.
- If they’re relying on legitimate interest for B2B marketing, they must stop processing when a user objects.
What Is a “Breach” Under GDPR?
Under GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. A breach must be notified to the supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of individuals, and affected individuals must be informed when the risk is high.
Some of the major data breaches that occurred in the period just before the GDPR took effect:
- Equifax
In 2017, Equifax, a credit reporting service, suffered a major data breach that affected 143 million US customers and 694,000 UK customers. The customers’ names, passwords, birth dates, social security numbers, and partial credit card details were compromised.
The UK Information Commissioner’s Office fined the company the maximum possible amount under the pre-GDPR Data Protection Act, which is £500,000.
- Facebook/Cambridge Analytica
A British data analytics firm, Cambridge Analytica, obtained the Facebook profile data of tens of millions of users without their consent (initially reported as more than 50 million, later estimated by Facebook at up to 87 million). The data was used to inform Trump’s 2016 presidential campaign.
Data was acquired through a personality quiz app called “This Is Your Digital Life”, which requested access to the Facebook profiles of the people taking the quiz and of their friends.
Facebook was also fined £500,000 for the breach.
These real-world data breach examples reveal how a breach can have far-reaching consequences. The GDPR and similar data protection legislation aim to protect people from such violations of privacy.
Which Companies Are Affected by the GDPR?
Any company or business that stores or processes the personal data of individuals in the EU must comply with the GDPR.
92% of US companies consider GDPR a top priority for data protection regulation.
Ask yourself these questions to know if the GDPR applies to your company:
- Does the company market to customers in the European Union?
- Does the company have employees that work in the European Union?
- Or does the company have a current customer base in the European Union?
Accepting payment in Euros does not by itself trigger the GDPR, but it is one of the factors regulators use to decide whether a company is offering goods or services to people in the EU.
Specific criteria that bring a company within the scope of the GDPR are:
- An establishment in an EU country
- Processing or storing the personal data of individuals in the EU, even if the company is not located in the European Union
Note that the number of employees does not determine whether the GDPR applies. The 250-employee threshold only concerns the duty to keep records of processing activities (Article 30): organizations with fewer than 250 employees are exempt from it unless their processing is likely to affect the rights and freedoms of data subjects, is not occasional, or involves special categories of personal data.
EU-based companies in cloud services, telecommunications, insurance, and e-gaming automatically fall under the GDPR.
Some of the ways in which B2B and cloud-hosted companies can comply with the GDPR:
- Keep valid, up-to-date records of all data processing activities, including internal records.
- Update the content and language of your privacy policy to be relevant, easy to access, and easy to read and understand.
- Review or identify the legal basis for processing personal data.
- Review systems to ensure that GDPR user rights are covered.
- Maintain valid records of consent and handle consent in a GDPR-compliant way.
- Use the principle of data minimization: the more types of data are processed, the greater the risk.
Who Will Be in Charge of Compliance In Your Company?
The GDPR defines several roles that determine who is accountable for compliance in cloud-hosted companies: data controller, data processor, and data protection officer (DPO).
- The data controller is the entity that determines the purposes and means of processing personal data, including its lawful basis. The controller is also responsible for ensuring that any outside contractors it uses are GDPR-compliant.
- The data processor is the entity that processes personal data on behalf of the data controller, under a contract with the controller.
- The data p