In 2017, 83,000 data protection officers (DPOs) were dedicated to data protection. Now there are over half a million! The 700% rise in the demand for DPOs has been attributed mainly to GDPR implementation requirements. Can you imagine?
GDPR is said to be one of the most rigorous data protection laws in existence, with in-depth criteria. We remember one of our clients, Noosa, stating: “We once hired an external consultant who gave us an idea about the implementation but it was very, very high level.”
The principles, the rights of individuals, breach notification mandates, documentation and more; there’s a lot to catch up on under GDPR. So in this blog we aim to demystify the requirements in easy-to-grasp language. Keep reading for a quick and painless understanding of the GDPR essentials and learn how Sprinto can help you through the process.
What are GDPR requirements?
GDPR requirements are established guidelines that organizations must abide by in order to comply with European General Data Protection Regulation (GDPR) data laws.
GDPR is a privacy and security law passed by the European Union (EU) that dictates the collection and usage of personal data by companies both inside and outside the EU, including the U.S.
Who needs to comply with GDPR requirements?
Any company or entity whose core activities include the collection or processing of personal data of EU citizens, regardless of its location, needs to comply with GDPR requirements. In this regard, the requirements apply to:
- Controllers who identify the purpose of data collection and take decisions on means to collect it.
- Data processors who process the personal data of individuals.
10 key GDPR requirements
Before seeking any legal advice and chalking out plans for GDPR implementation, it is crucial to grasp the requirements. This sets the foundation for compliance initiatives and avoids gaps later on.
Here are the 10 key GDPR requirements you must know:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
- Rights of the data subject
- Data breach notification
- International data transfers
Lawfulness, fairness, and transparency
The requirements related to the lawful, fair, and transparent collection of data are set forth in Article 5 of GDPR. According to this article, there should be a legal basis for data collection and clear communication on how the data is being used.
Data can only be lawfully processed in the following cases:
- When consent is freely given
- For the performance of a contract
- For legal obligations, such as tax reporting
- For legitimate interests, such as fraud detection
- To protect vital interests, such as processing personal medical information in an emergency
- For the performance of public tasks, such as issuing a government document
Purpose limitation
Article 5(1)(b) of GDPR outlines what comes under the scope of purpose limitation. According to this requirement, data must be collected for a purpose that is lawful, specific, and documented. It requires clarity on the intent of data collection. Any additional processing must align with the specified purpose, failing which the data must be purged.
Data minimization
As laid down in Article 5(1)(c), data minimization means gathering only the bare minimum of data that allows the function or process to be carried out. This helps avoid excessive collection and prevents misuse. The article stipulates that the collection and processing of data must be:
- Limited: Any personal information which is unnecessary for the specified purpose must not be collected
- Adequate: There should be sufficient data to meet the intended purpose
- Relevant: The data collected must fit the intended purpose
Accuracy
Article 5(1)(d) covers the accuracy of data: personal data collected must be a reliable and consistent source of truth. It must be error-free and true to the best of the data collector’s knowledge. Note that the data must also be kept up to date in order to assure accuracy.
In case of any inaccuracy, the following must be carried out:
- Data rectification: This can include correcting, updating, or adding any missing data
- Data erasure: If the data is inaccurate and the purpose of collection is no longer relevant, the data must be erased
Storage limitation
The storage limitation requirement, i.e., Article 5(1)(e), stresses the importance of having data retention policies in place. Data collectors must decide explicit timeframes for retaining personal information. It also stipulates that the data must be deleted or anonymized after the given timeframe. There must be periodic reviews that monitor the practice of storage limitation.
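As an added example (not Sprinto’s code and not part of the original post), the following Python sketch shows how a retention schedule of the kind Article 5(1)(e) asks for can be enforced in a periodic review: each data category carries an explicit retention period and an expiry action (delete or anonymize), and records in a category with no schedule entry are flagged rather than silently kept. The category names, periods, field names and sample records are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: data category -> (retention days, expiry action).
RETENTION_POLICY = {
    "support_ticket": (365, "delete"),
    "web_analytics": (90, "anonymize"),
    "invoice": (3650, "delete"),  # long statutory retention period
}
# Fields stripped when a record is anonymized rather than deleted.
IDENTIFYING_FIELDS = {"name", "email", "ip"}


@dataclass
class Record:
    category: str
    collected_at: datetime
    data: dict = field(default_factory=dict)
    anonymized: bool = False


def review_retention(records, now):
    """Apply the schedule as of `now`. Returns (kept, deleted, unpoliced).

    Expired records are deleted or anonymized in place per policy; records
    whose category has no schedule entry are kept but reported so the gap
    in the retention policy can be fixed."""
    kept, deleted, unpoliced = [], [], []
    for r in records:
        policy = RETENTION_POLICY.get(r.category)
        if policy is None:
            unpoliced.append(r)
            kept.append(r)
            continue
        days, action = policy
        if now - r.collected_at <= timedelta(days=days):
            kept.append(r)  # still inside its retention period
        elif action == "delete":
            deleted.append(r)
        else:  # anonymize: drop identifying fields, keep the rest
            r.data = {k: v for k, v in r.data.items() if k not in IDENTIFYING_FIELDS}
            r.anonymized = True
            kept.append(r)
    return kept, deleted, unpoliced


def demo():
    """Run the review over constructed sample records (not real data)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    records = [
        Record("support_ticket", now - timedelta(days=400), {"name": "A. Example", "email": "a@example.test"}),
        Record("support_ticket", now - timedelta(days=30), {"name": "B. Example"}),
        Record("web_analytics", now - timedelta(days=120), {"ip": "203.0.113.7", "page": "/pricing"}),
        Record("marketing_lead", now - timedelta(days=900), {"email": "c@example.test"}),
    ]
    kept, deleted, unpoliced = review_retention(records, now)
    return {"kept": [r.category for r in kept], "deleted": [r.category for r in deleted],
            "unpoliced": [r.category for r in unpoliced],
            "anonymized_fields": [sorted(r.data) for r in kept if r.anonymized]}
```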
Integrity and confidentiality
Article 5(1)(f) focuses on protecting the integrity and confidentiality of data. Integrity refers to dependability of the collected data. In order to ensure integrity, organizations must initiate measures that prevent compromise by way of alteration, tampering, destruction or unauthorized access.
Confidentiality states that only authorized people should have access to sensitive or personally identifiable information. It is required under GDPR law to employ technical and organizational methods to protect personal data from being exploited. These can be in the form of data encryption, access controls, employee training, regular monitoring etc.
Accountability
Accountability, under the GDPR, requires organizations to take ownership of the data protection of individuals and to demonstrate their commitment to compliance. Article 5(1)(g) mandates that data controllers or data protection officers hold collective responsibility for this aspect.
This means that there should be proper maintenance of records, reports of breaches, and implementation of data protection measures.
GDPR also advocates the use of the Data Protection Impact Assessment (DPIA) to proactively identify risks and initiate mitigation measures. When data processing is done on an extensive scale, there can be high risks of privacy infringements. DPIAs in such scenarios help assess the risks and determine the proportionality of the measures needed to mitigate damage.
Rights of the data subject
To ensure data privacy of EU citizens, GDPR affords them the following rights:
- Right to information: Individuals have the right to know about how and when their personal data is being processed.
- Right to access: Data subjects can request a copy of their data that is being processed. They can also request information on the purpose of processing and the period for which the data will be held.
- Right to object: EU citizens can object to the processing of their personal data for purposes they do not deem fit.
- Right to erasure: Data subjects can request that their data be erased in cases where the data is no longer needed or consent is withdrawn. However, data held for a legal obligation or public task is exempted.
- Right to rectification: Individuals can request correction of incorrect or inaccurate data.
- Right to restrict processing: Individuals can restrict the processing of their personal data for purposes they do not approve. In such cases the restrictions in data processing must be complied with.
- Rights related to data portability: If the data subjects choose, they can transmit the data to third-party data controllers. They can demand a copy of their personal data for these purposes.
- Rights related to automated decision making: Where automated decision making is part of data processing, individuals must be informed about it. They have the right to demand human intervention or to object to the processing of their data.
Data breach notification
The GDPR has clearly laid down timelines for prompt notification in case of a data breach. Data controllers or data protection officers, as the accountable authority, should notify the data protection authority (DPA) of the relevant EU state about the breach as soon as they come to know about it, and no later than 72 hours after the incident. The DPA can then initiate investigations and demand corrective measures.
In case of high risk, data subjects should also be informed about the breach without delay.
International data transfers
Any transfer of data outside the European Union is an international data transfer and is subject to certain requirements. The European Union issues an ‘adequacy decision’ for a country that receives the data after evaluating the strength of its data protection laws and safeguards. Contractual clauses or Binding Corporate Rules (BCRs) may be used in cases where an adequacy decision does not apply.
Simplify GDPR compliance with Sprinto
GDPR requirements are quite demanding and comprehensive. Ambiguity and misinterpretation consume a lot of companies’ time.
But non-fulfilment leads to limited market access and missed business opportunities. That is probably why 27% of businesses have spent more than half a million dollars to become GDPR compliant. The amount didn’t have to be that big, though. Automating GDPR compliance with tools like Sprinto is the most efficient way to do it: far less time-consuming and far less bank-breaking.
Sprinto’s ready to use privacy policies, comprehensive training modules, integrated risk assessments, and automated data collection make GDPR compliance easy and effortless. Every step is managed end-to-end and standardized measures make the processes a lot less time-consuming. Learn how Noosa.io became GDPR-ready in just 14 sessions with us.
Ready to talk? Reach out to our experts here.
What are the fines and penalties in case of GDPR non-compliance?
Depending on the severity of the data breach, GDPR divides penalties and fines into two tiers.
Tier 1: Up to €20 million or 4% of worldwide annual turnover, whichever is higher. Tier 1 breaches are related to basic principle violations like lawfulness, transparency, etc.
Tier 2: Up to €10 million or 2% of worldwide annual turnover, whichever is higher. Tier 2 breaches relate to certain specific circumstances like certifications, data processors’ obligations, etc.
What kind of information does the GDPR apply to?
Any information that is personally identifiable comes under the scope of GDPR. This can be basic personal information like name, email, phone, etc., financial information, online identifiers like IP addresses, employee records, or any other such sensitive data.