
How to Comply With GDPR

What Is GDPR?

GDPR stands for the General Data Protection Regulation. This regulation requires businesses to protect the privacy and personal data of European Union citizens regarding transactions that occur within EU member states.

The regulation took effect in May of 2018, the most significant compliance regulation in many years, as a replacement of outdated data protection directives. It remains consistent across all EU member countries, so there is only one standard to meet.

GDPR does set a standard that is quite high, however, and requires the compliance of all qualifying businesses. Non-compliance results in steep consequences, so properly preparing for GDPR is critical.

Who Does GDPR Affect?

GDPR affects any company that stores or processes personal information about EU citizens within EU states, even if the business is not located in the EU. Since this applies to many companies, it’s important to know how to implement GDPR compliance.

To further clarify which companies are required to comply with GDPR, qualifiers include:

While these qualifiers could apply to many business types, industries that are especially impacted include technology, online retail, software, financial services, and online services/SaaS.

Though it’s understandable for businesses to feel inconvenienced by GDPR, it has an important purpose: protecting privacy. The previous data protection rules, set in 1995 and the last formal instance prior to GDPR, did not account for the rise of the internet. As more information becomes digitized, the risk of information theft increases.

GDPR protects:

Schrems II Lawsuit

In July 2020, the European Court of Justice ruled that customers of US cloud service providers must themselves verify the data protection laws of the recipient country, document their risk assessment, and confer with their own customers. The case grew out of Maximilian Schrems’s claim that the Irish Data Protection Commissioner should invalidate the Standard Contractual Clauses (SCCs) under which Facebook transferred personal data to its US headquarters. That data, he argued, could be accessed by US intelligence agencies both in transit to and when stored in the US, which he stated violated GDPR and EU law. The ruling was one of the biggest and most anticipated cases in data protection.

Data transfer has become a core process for global companies in a modern, digital world. Preventing data transfer between the EU and other countries could halt the flow of data and hamper business.

Remote work and the adoption of cloud services add another layer of complexity. If an EU company wants to store customer data on servers in a non-EU country, the transfer to those servers must undergo an individual risk assessment to ensure compliance with GDPR. With security and data protection already a key priority on public cloud platforms, the additional complexities arising from Schrems II pose a tough challenge.

Definitions & Responsibilities You Should Know

Knowing how to comply with GDPR begins in part with knowing its particular definitions and responsibilities. GDPR includes terms and requirements companies must effectively understand, with the following being of the utmost importance.

GDPR Data Processor & Data Controller

A data processor is any entity that processes personal data. A data controller is the entity that decides the purpose and means of data processing. To comply with GDPR, controllers must use processors that implement appropriate technical and organizational measures and take into account the nature, scope, context, and purpose of the processing.

Data Protection Officer

A Data Protection Officer must be appointed within companies that involve regular and systematic monitoring of data subjects on a large scale. This officer must have expert knowledge of data protection law and practices.

Data Protection Impact Assessment

For companies that handle particularly sensitive personal data, a Data Protection Impact Assessment (DPIA) must be carried out to determine the impact of processing activities on the people to whom the data belongs.

Right to Access, Rectification, & Erasure

According to Article 15 of GDPR, companies must provide to their data subjects (those they collect personal data from) access to the data they hold about them. Data subjects can request rectification or completion of data if it’s inaccurate or incomplete, as well as deletion of their personal data, otherwise known as “the right to be forgotten”.

Pseudonymization

GDPR requires the anonymization of personally identifiable information (PII). This includes the tokenization of data to obscure information that could be used to identify subjects. GDPR recognizes that pseudonymization is not without limitations, and therefore still considers this data to be personal.

Risks of Non-Compliance

Consider if your personal information has ever been stolen, such as your credit card information after you used an online retail site. Do you blame the hacker, or the retailer that collected your information without the security in place to protect it? Many consumers fall into the latter camp, but the consequences of not preparing for GDPR compliance go far beyond public opinion of your business.

Fines & Penalties

According to Article 83 of the GDPR, companies that are not in compliance are subject to fines of up to 4% of worldwide annual revenue or €20 million (whichever is greater), and up to 2% or €10 million (whichever is greater) for lesser infringements.

The EU does have a formal GDPR complaint process, though the number of reported infringements makes it virtually impossible for regulators to investigate and address each one in a timely manner, if at all. Regardless, not complying with GDPR would be highly unwise for any qualifying company, not only to avoid the associated penalties but to operate with integrity when collecting and holding data subjects’ personal information.

Action Plan: How to Comply With GDPR

There are five primary steps a business must take to comply with GDPR.

1. Access – First, companies must access all data sources, regardless of technology type. Companies must investigate and thoroughly audit what personal data is stored and used across their data landscape. GDPR requires that companies prove they know where personal data is and isn’t held, rather than relying on assumptions.
2. Identify – Next, companies must inspect their data sources to identify what personal data can be found within each. This may require the parsing of data fields to extract and categorize data elements.
3. Govern – Privacy rules must be established, documented, and shared across all lines of business. Roles and definitions must be established in a governance model. Business terms can then be linked to physical data sources, and companies can establish data lineage from point of creation to point of consumption for advanced control.
4. Protect – To comply with GDPR, three data protection techniques are acceptable: encryption, pseudonymization, and anonymization. The appropriate technique must be applied based on the user’s rights and the usage context.
5. Audit – Lastly, companies must be able to provide reports that clearly show regulators that (1) they know what personal data they have and where it’s located, (2) they properly manage the process for getting consent from data subjects, (3) they can prove how personal data is used, who uses it, and for what purpose, and (4) they maintain proper practices to manage issues such as data breach notifications, the right to be forgotten, etc.
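As an added illustration (not code from the original article or from Okera) of the distinction drawn in the Pseudonymization section and in step 4: keyed tokenization of direct identifiers is reversible by whoever holds the key and the lookup table, so the output remains personal data, whereas anonymization drops and generalizes fields irreversibly. The record, field names and key are constructed assumptions for this example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample record; every value is made up for this example.
CUSTOMER = {"name": "Ana Example", "email": "ana@example.com",
            "postcode": "10115", "birth_year": 1987, "orders": 3}
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(record: dict, key: bytes, lookup: Dict[str, str]) -> dict:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    The key and the token->value lookup are the 'additional information'
    that must be kept separately from the pseudonymized data set. Because
    they allow the mapping to be reversed, the output is still personal data.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        value = str(record[field])
        token = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = value  # stored apart from the data itself
        out[field] = token     # same input + key -> same token, so joins still work
    return out


def reidentify(record: dict, lookup: Dict[str, str]) -> dict:
    """Controller-side reversal: the reason pseudonymized data stays personal."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = lookup[record[field]]
    return out


def anonymize(record: dict) -> dict:
    """Irreversible: drop direct identifiers and generalize quasi-identifiers
    (postcode to its area prefix, birth year to a decade). No key or lookup
    table exists that could undo this, so the row no longer singles anyone out."""
    return {"postcode_area": record["postcode"][:2],
            "birth_decade": (record["birth_year"] // 10) * 10,
            "orders": record["orders"]}


def demo() -> Tuple[dict, dict, dict]:
    key = b"hypothetical-controller-secret"  # in practice: from a KMS, never in code
    lookup: Dict[str, str] = {}
    pseudo = pseudonymize(CUSTOMER, key, lookup)
    return pseudo, reidentify(pseudo, lookup), anonymize(CUSTOMER)
```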

Okera solves technical GDPR requirements ad-hoc, providing federated access, unified authorization, and audit logging. This simplifies the management of vast amounts of data and streamlines the necessary architecture to allow users and applications to deal with a single point of access.